• CARP - Not able to access the LAN IP of the Backup pfSense machine

    0 Votes, 18 Posts, 4k Views
    @Derelict: That is because when the secondary is CARP master it is the node that receives the traffic on the LAN CARP VIP. Again, what are you trying to prove by accessing the secondary's WAN interface from the inside when it is not CARP MASTER? Why did you X.X out the IP addresses on the WAN side in your diagram? It makes it pretty hard to communicate specifics back to you. They are RFC1918. Who cares about protecting/hiding them? Can you ping the secondary's WAN IP address from the primary? Then it's working. Can you ping the secondary's LAN address from LAN? Then it's working. Can the secondary resolve names, check for updates, and check for packages while it is NOT CARP master? Then it's working.
    I got it working. On the WAN interface on the backup pfSense machine, I had to untick the "Block private networks and loopback addresses" and "Block bogon networks" options. See attachments. [image: Capture_100.PNG] [image: Capture_200.PNG]
  • CARP/HA Source IP for Authentication is interface IP instead of CARP IP.

    0 Votes, 6 Posts, 1k Views
    I agree, Derelict. I tend to be in that camp also. What I like about the NAT solution is it allows me to interchange a single router with an HA cluster without making changes to the rest of my network. Thank you for the answer on NAT.
  • High Availability CARP between two ISPs

    0 Votes, 2 Posts, 821 Views
    Derelict: You would need at least 3 public IP addresses on each WAN to do it right. There is not much difference where Multi-WAN is concerned when you go to HA. Discussed in some detail (gold or book required) here: https://portal.pfsense.org/docs/book/highavailability/multi-wan-with-ha.html
  • Loopback VIP type that is not synced

    0 Votes, 6 Posts, 1k Views
    jimp: That sort of documentation would be from FreeBSD; the OS/interface/routing behavior at that level is all determined by how FreeBSD handles it. That behavior isn't special or unique to LAN. All interface addresses behave that way.
  • High Avail. Sync Doesn't Work - version 2.3.3 and 2.3.3-p1

    0 Votes, 6 Posts, 1k Views
    Derelict: An IP Alias VIP will not sync unless it is riding on a CARP VIP because the same IP Alias active on both nodes at the same time will create an IP address conflict.
  • [CLOSED] CARP IP as 1:1 NAT

    0 Votes, 8 Posts, 2k Views
    I finally found it! It's a bit weird though. It turns out that on both master/slave, in Shaper's -> System -> Routing -> Gateways list, I still had the bastion firewall's IP from when it was still a standalone pfSense, but it was already in DISABLED state! And I have the new Bastion Firewall's floating IP as HA enabled. Pure luck? I was out of ideas, then just deleted the hell out of that old (and disabled) IP... voila! Thank you so much for your patience!!
  • Pfsync_undefer_state: unable to find deferred state

    0 Votes, 2 Posts, 801 Views
    I think I found this bug on the roadmap for version 2.4 (https://redmine.pfsense.org/issues/4310).
  • Can't resolve using pfSense DNS in CARP

    0 Votes, 5 Posts, 3k Views
    Solved by changing the firewall rule from allowing DNS to "LAN address" to allowing DNS to "LAN net". I don't want to use "This Firewall" as I don't want to allow traffic to other interfaces.
  • Carp and Openvpn (SLAVE)

    0 Votes, 4 Posts, 1k Views
    +1
  • Ovh Dedicated Server + multiple ip on same network card

    0 Votes, 3 Posts, 2k Views
    Hi, I have found the problem. I contacted OVH support. When I configured the IP in the OVH manager, I had a MAC address defined for this IP (before, I used this IP for a virtual machine), and if a MAC address is defined I can't use it to connect directly from a physical server. When I deleted the MAC address I could ping it with no problem :) Lolo
  • CARP done right with VLANS?

    0 Votes, 4 Posts, 2k Views
    Derelict: SYNC has nothing to do with VIPs either. You could use a VLAN interface as a pfsync/xmlrpc sync interface. Not sure you should, but you could. It won't care either. It just has to be tagged through the switch properly to both nodes. On a busy site you do not want pfsync to get backlogged. A rule of thumb is pfsync requires about 10% of the bandwidth represented by the states that are being synced. Why not just use a dedicated interface? If it's worth HA it's worth doing right.
    Quoting the original poster: "But I can only get the sync from a VLAN to work on the same interface as the VLAN."
    No idea what you're saying here either.
  • CARP sync renders both DHCPs enabled

    0 Votes, 8 Posts, 3k Views
    To get rid of that split error, just get rid of that line in the Secondary config file. It works for me ;D ;)
  • Can't add additional subnet to LAN - 2.3.3-RELEASE-p1 (amd64)

    0 Votes, 4 Posts, 1k Views
    johnpoz: "Needed to add a second subnet to the LAN" As a VLAN? Or are you wanting to run multiple layer 3 networks on the same layer 2? If so, that is BORKED; rethink what you're doing. And when you come up with VLANs as your answer to running multiple networks on the same physical interface, you have gotten to the correct answer ;)
  • 2.3.3-RELEASE-p1 IPv6 CARP issue (dual master)

    0 Votes, 1 Post, 605 Views
    No one has replied
  • MLPPP and CARP possible?

    0 Votes, 2 Posts, 683 Views
    I too would like to know the answer to this. I also have a similar MLPPP configuration and would like to know if CARP failover will work.
  • Virtual ip visibility from provider

    0 Votes, 4 Posts, 942 Views
    Now it is working. I had to choose the CARP VIP as the interface for the OpenVPN server. Thank you!
  • HA Wan with 802.1q tagged virtual interface

    0 Votes, 1 Post, 512 Views
    No one has replied
  • CARP + CenturyLink Enterprise Fiber

    0 Votes, 2 Posts, 790 Views
    Hmm, ping and RDP started working when I checked the "Default gateway" box on the Fiber Link. Not sure I understand why that is...
  • Unable to ping tier 2 CARP VIP in dual WAN [RESOLVED]

    0 Votes, 3 Posts, 773 Views
    Thanks, that fixed the issue.
  • Can't sync between 2.3.2-p1 and 2.3.3 ??

    0 Votes, 2 Posts, 906 Views
    jimp: It's disabled when the configuration format is different between them, as marked by the "<version>XX.Y</version>" in config.xml. If the configuration version is different, they cannot sync because it could push incorrect data. That said, synchronizing between different versions has never been officially supported, nor recommended. It may have worked by chance before, but we never recommend running different versions for any measurable amount of time. Just long enough to make sure the updated node is functional/tested, which shouldn't involve any configuration changes.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.