• External IP addresses

    9
    0 Votes
    9 Posts
    3k Views
    M
    It's now working! Forgot to add 51.148.46.xx/29 to the Cisco router and set the interface. (WHAT A NOOB) On pfSense all that is needed is to add the IPs to "Virtual IP Addresses" and set them up on "Firewall: NAT: 1:1". I deleted Gateway51 from the gateway list as it's not needed.
  • [SOLVED] CARP not failing over all links

    2
    0 Votes
    2 Posts
    2k Views
    D
    Found the issue, PEBKAC. The LAN interfaces had inconsistent IPv6 settings (one was set to DHCP6 and the other to None). After setting them both to None the CARP failover works as expected.
  • Error: Sync with interface WAN

    2
    0 Votes
    2 Posts
    771 Views
    M
    Hi, it works, I set a rule for the firewall, thanks.
  • HA Cluster Config Question

    2
    0 Votes
    2 Posts
    937 Views
    jimp
    On your LAN side, if you have, say, a LAN and DMZ, you need rules to pass from LAN to DMZ without a gateway set. Under that, you can have a rule from LAN to any with a gateway set for whatever Multi-WAN scenario you set up (LB, failover, etc).
  • 0 Votes
    6 Posts
    2k Views
    J
    Hi, I managed to resolve the issue for our case in the end. The two servers we're using as our pfSense boxes are Dell PowerEdge R210II servers, each came loaded with 2 onboard Gigabit Ethernet ports (one being used as the WAN interface and the other for the LAN interface). In the first instance I had set up the pfSync to use the LAN interface, which I'm led to believe is a big no-no, so I then set up a separate VLAN for the pfSync to use, but as this was still using the physical adaptor shared by the LAN interface, it made no difference. In the end I bought and fitted an additional PCIe Gigabit Ethernet card in each of the servers, set up a VLAN to use the new physical adaptor (not being used by anything else) and set the pfSync to use the new VLAN, and since then I have seen no issues with the sync slowing down or the Backup box becoming unresponsive whilst adding users. I have now put the new pair into production and we've seen no problems. Thanks everyone for their help and suggestions. Hopefully this will help somebody else encountering similar issues. Cheers, Jan
  • A communications error occurred while attempting XMLRPC sync

    9
    0 Votes
    9 Posts
    4k Views
    J
    Hi, I managed to resolve the issue for our case. The two servers we're using as our pfSense boxes are Dell PowerEdge R210II servers, each came loaded with 2 onboard Gigabit Ethernet ports (one being used as the WAN interface and the other for the LAN interface). In the first instance I had set up the pfSync to use the LAN interface, which I'm led to believe is a big no-no, so I then set up a separate VLAN for the pfSync to use, but as this was still using the physical adaptor shared by the LAN interface, it made no difference. In the end I bought and fitted an additional PCIe Gigabit Ethernet card in each of the servers, set up a VLAN to use the new physical adaptor (not being used by anything else) and set the pfSync to use the new VLAN, and since then I have seen no issues with the sync slowing down or the Backup box becoming unresponsive. Hope this helps. Cheers, Jan
  • Load time of websites increased after CARP

    1
    0 Votes
    1 Posts
    621 Views
    No one has replied
  • Pfsense Only Sync without VHID

    1
    0 Votes
    1 Posts
    620 Views
    No one has replied
  • CARP and ESXi: trick to get multiple MACIDs working?

    8
    0 Votes
    8 Posts
    2k Views
    jimp
    The firewall sends out traffic from the interface MAC. It can receive traffic using the CARP MAC. It won't satisfy all of the requirements for this ISP if it requires both.
  • CARP hang in back up mode, can't get out of it

    3
    0 Votes
    3 Posts
    855 Views
    T
    Thanks for your reply, this one is my secondary. PFsense infos 2.3.3-RELEASE-p1 (amd64) built on Thu Mar 09 07:17:41 CST 2017 FreeBSD 10.3-RELEASE-p17 When I activated the back up feature it started it and never finished, as shown in the image posted, it's been backing up for a month now. Going to get the full support and tell them what I think. :) T.
  • Using NAT with a VIP ? (2 differents subnets)

    2
    0 Votes
    2 Posts
    719 Views
    D
    Problem Solved, I used "haproxy" package of pfsense and it works as needed !
  • A lot of CARP VIPs - VHID and password

    2
    0 Votes
    2 Posts
    2k Views
    J
    I tested the same VHID on different VLANs and it works, so my assumption is correct - you can have the same VHID on different L2 networks. But I still don't know about the password. How does the password work? Is it a good idea to use a long 64-character string or is it better to use something shorter? Thank you
  • CARP - Not able to access the LAN IP of the Backup pfSense machine

    18
    0 Votes
    18 Posts
    4k Views
    P
    @Derelict: That is because when the secondary is CARP master it is the node that receives the traffic on the LAN CARP VIP. Again, what are you trying to prove by accessing the secondary's WAN interface from the inside when it is not CARP MASTER? Why did you X.X out the IP addresses on the WAN side in your diagram? Makes it pretty hard to communicate specifics back to you. They are RFC1918. Who cares about protecting/hiding them? Can you ping the secondary's WAN IP address from the primary? Then it's working. Can you ping the secondary's LAN address from LAN? Then it's working. Can the secondary resolve names, check for updates, and check for packages while it is NOT CARP master? Then it's working. I got it working. On the WAN interface on the backup pfSense machine, I had to untick the "Block private networks and loopback addresses" and "Block bogon networks" options. See attachments. [image: Capture_100.PNG] [image: Capture_200.PNG]
  • CARP/HA Source IP for Authentication is interface IP instead of CARP IP.

    6
    0 Votes
    6 Posts
    1k Views
    S
    I agree, Derelict. I tend to be in that camp also. What I like about the NAT solution is it allows me to interchange a single router with an HA cluster without making changes to the rest of my network. Thank you for the answer on NAT.
  • High Availability CARP between two ISPs

    2
    0 Votes
    2 Posts
    845 Views
    Derelict
    You would need at least 3 public IP addresses on each WAN to do it right. There is not much difference where Multi-WAN is concerned when you go to HA. Discussed in some detail (gold or book required) here: https://portal.pfsense.org/docs/book/highavailability/multi-wan-with-ha.html
  • Loopback VIP type that is not synced

    6
    0 Votes
    6 Posts
    1k Views
    jimp
    That sort of documentation would be from FreeBSD - The OS/interfaces/routing behavior at that level is all determined by how FreeBSD handles it. That behavior isn't special or unique to LAN. All interface addresses behave that way.
  • High Avail. Sync Doesn't Work - version 2.3.3 and 2.3.3-p1

    6
    0 Votes
    6 Posts
    2k Views
    Derelict
    An IP Alias VIP will not sync unless it is riding on a CARP VIP because the same IP Alias active on both nodes at the same time will create an IP address conflict.
  • [CLOSED] CARP IP as 1:1 NAT

    8
    0 Votes
    8 Posts
    2k Views
    N
    I finally found it! It's a bit weird though. It turns out that on both master/slave, of Shaper's -> System -> Routing - Gateways list, I still have the bastion firewall's IP when it was still a standalone pfsense, but it's already in DISABLED state! And I have the new Bastion Firewall's Floating IP as HA enabled. Pure luck? I was out of ideas, then just deleted the hell out of that old (and disabled) IP... voila! Thank you so much for your patience!!
  • Pfsync_undefer_state: unable to find deferred state

    2
    0 Votes
    2 Posts
    828 Views
    E
    I think I found this bug on the roadmap for version 2.4 (https://redmine.pfsense.org/issues/4310)
  • Can't resolve using pfsense DNS in CARP

    5
    0 Votes
    5 Posts
    3k Views
    J
    Solved by changing the firewall rule from allowing DNS to "lan address", to allowing DNS to "lan net". Don't want to use "This Firewall" as I don't want to allow traffic to other interfaces.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.