• Pfsense setup with BGP - Carp on secondary also in master mode

    7
    0 Votes
    7 Posts
    4k Views
    awebsterA
    In this scenario, both routers are advertising the 4.15.227.0/25 subnet, only the secondary is advertising with an artificially more distant path; this wouldn't be chosen unless the primary is down. On the inside, when using OSPF, for example, the secondary advertises the default gateway with a less favorable metric than the primary, thus on your inside switches, you end up with two default routes, but only the best one would be used. In the case that the primary pfSense goes down, then the secondary's routes become the only remaining routes on the ISP and internally, and it keeps on working. You could also put a link between the two boxes to route traffic over it in the event that either just the inside or the outside link goes down on the primary, then the traffic would flow through the secondary on the cross-over link, or if your switches support multi-chassis LAGG you could add redundancy that way too. Because pfSense is a stateful firewall, under certain circumstances, the session would drop, but for web traffic it wouldn't be noticeable for the most part.
  • UK BT Infinity Business Broadband Carp Failover Setup Problem

    2
    0 Votes
    2 Posts
    1k Views
    R
    I think I may have fixed this one! It took me a lot of experimenting to get the ARP cache on the Draytek to recognise the PFSense Carp IPs… Finally seems to be port forwarding OK though. Next I will see if I can use a Carp IP as the outgoing network IP.
  • HAProxy

    2
    0 Votes
    2 Posts
    892 Views
    P
    You can. Check the sync box on settings tab.
  • Multiple WAN subnets on single interface

    4
    0 Votes
    4 Posts
    1k Views
    R
    I just spoke with my ISP and they will route all subnets through one IP so everything is fine. Thank you!
  • CARP Syncing of logs

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    1. The log data wouldn't be synced – if you want to keep log data in that fashion you should be using an external syslog server to retain the logs. 2. The cron package doesn't sync; you'll have to copy those manually. 3. The proxy logs don't sync, so the reports would not sync.
  • CARP - How to promote Slave to Master

    6
    0 Votes
    6 Posts
    4k Views
    DerelictD
    There is a good section in the book about bringing up a new HA member. That's what I use. It's for 2.1.5 but I've used it on 2.2.X. A key issue is to add interfaces in the same order. There is a lot to be done "just so" esp if the active unit is in production. If you have a third, identical unit you might restore a backup to it and get the new HA member configured on the work bench.
  • CARP - 2 Virtual IPs - Grouping

    1
    0 Votes
    1 Posts
    913 Views
    No one has replied
  • FreeRadius on PFSense CARP system

    3
    0 Votes
    3 Posts
    2k Views
    D
    I don't use FreeRadius for anything other than authenticating customer CPE's to my Ubiquiti AirMax AP's. So no accounting at all. Just username/password passed from the CPE to the AP. AP checks and if the FreeRadius server says ok, the CPE connects and gets an IP address and internet. Basically all I need is to be sure that usernames/passwords are synced between the servers. Everything else doesn't matter.
  • Setup Internal Load Balancing for internal Only

    1
    0 Votes
    1 Posts
    865 Views
    No one has replied
  • CARP On LAN interface

    2
    0 Votes
    2 Posts
    977 Views
    Y
    Thanks, I could solve the problem by enabling promiscuous mode on the vSwitch on my VMware
  • 0 Votes
    2 Posts
    1k Views
    G
    Couple of questions. Is the VM host using load balancing over multiple NICs? If so, make sure it is set to IP Hash with the switch configured accordingly. Have you created separate port groups on the virtual switch with promiscuous mode only enabled on the group that carries the VRRP? Port groups are probably the way forward. CARP, VRRP etc. are notoriously idiosyncratic on VMware.
  • Impossible to use shared CARP WAN IP for outbound traffic

    18
    0 Votes
    18 Posts
    5k Views
    R
    So, thanks to everyone!! Was an issue related to the specific IP. In love with Pfsense again :)
  • Adding 250 Virtual IPs

    6
    0 Votes
    6 Posts
    2k Views
    R
    Thanks, I really appreciate your input. It sounds like it's not a great idea. I'll raise it with our provider, but I think we're pushing the boundaries of what they offer. They're a hosting/server provider who deal in bulk rather than bespoke, so anything that deviates from their standard setup is unlikely to be possible. We may simply add a second pfSense instance to test out these extra IPs. The bulk of them are for one very specific use case which could be diverted through a separate pfSense VM without too much effort. Thanks again!
  • CARP VIP doesn't respond to any traffic in version 2.2

    1
    0 Votes
    1 Posts
    749 Views
    No one has replied
  • CARP - configuration issue

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD
    To my knowledge captive portal sessions are not synced period. You'll need to write an XML sync for CP sessions.
  • Failover setup without CARP (Spoofed MAC Addresses not allowed)

    1
    0 Votes
    1 Posts
    835 Views
    No one has replied
  • XMLRPC Fails on Backup Node (PHP-FPM crash?)

    3
    0 Votes
    3 Posts
    1k Views
    A
    This problem seems to have been solved by a reinstall on both machines. Fingers crossed!
  • Force full XMLRPC sync?

    9
    0 Votes
    9 Posts
    4k Views
    A
    Okay, I flattened both nodes, reinstalled 2.2.6-RELEASE and then restored the config to the master, and just an XML with interfaces, gateways, CARP addresses and users to the secondary. After setting up pfsync and XMLRPC again, it seems to be alright, but I guess time will tell!
  • PfSense CARP setup

    2
    0 Votes
    2 Posts
    3k Views
    R
    Hello, good morning! I have a pair (2.2.6) on HA under VMware ESXi 6 for my production environment. It is working really fine for me, apart from an issue that I can't use my WAN CARP IP for outbound traffic. This how-to is simple and has everything you might need: http://blog.thedarkwinter.com/2015/03/pfsense-ha-hardwaredevice-failover.html For my sync interface I'm using a crossover cable, NIC to NIC.
  • CARP and PFsense Voucher

    1
    0 Votes
    1 Posts
    665 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.