Yup…

Manually input DNS as you did, and upgrade to 2.2.6. There were CARP issues with captive portal in 2.2.2 fixed in newer versions.

I know this is an old topic but it has just taken me 4 hours but I had this same problem and have resolved it so if it helps someone else i thought it would be worth it!

You have to enable Mac spoofing on the advanced settings of the NICs in Hyper-V & also set a static MAC address on the adapters.

simple as that but frustrating if you didn't know & I spent hours searching!

@KenBeanNet:

I added the virtual IPs under WAN

I'm curious what VIP type you chose for this- are you using "Other" or Proxy ARP?

@Atlantisman:

Nevermind, i think i figured it out. I just setup an outbound NAT rule that applies to the firewall (self) and NATs it to each of the CARP VIPs (1 rule for each WAN interface)

Mind sharing the details of your OB NAT rule?
I've tried this in the past with something like WAN, This firewall, ,,,CARP VIP,,NO
And my gateway still shows as down…

EDIT- Nevermind...
It does work, you just have to start and stop apinger after adding the NAT rule.

Actually Wireshark undersands CARP just fine, the problem stems from the fact that both VRRP and CARP use IP Protocol number 112.
That means you have to TELL Wireshark, tcpdump, etc, that you want to decode IP Protocol as CARP, not VRRP.

In wireshark, select the packet, right click and select Decode As…  Then choose CARP in the list.

If you are using tcpdump from command line pfSense, add -T carp flag.

Not CARP, pfsync. Disable pfsync under System>HA Sync on both systems and you'll be fine. CARP can still work fine, just won't have states synced.

See this thread: https://forum.pfsense.org/index.php?topic=102740.0

Great! (& tnx!) I would have done it otherwise, but credits go to you…

You can submit it as a pull request on Github, and/or open an entry on https://redmine.pfsense.org/ stating that the input validation needs corrected.

Ok, it a reset packet, but what's the context.  So far you've not given any information that can help troubleshoot your problem.
Screenshots and/or diagram required.

The source IP on the auth requests would change after switching to CARP since they'll come from the new LAN IP (absent configuring source NAT otherwise), that's probably why.

Can you print out the ifconfig from em1 on pfsense box 2?
If your provider is also using CARP or VRRP, you might need to reset the VHID to something else to avoid conflict.
Is there anything in the logs to indicate a problem on either machine?

CARP doesn't care if it's a tagged VLAN or not.  You need good layer 2 between CARP member nodes.

And, yes, if you want all the VLANs to be HA you need a CARP VIP and each member node has to have an interface IP.

VLAN 10
192.168.1.1 CARP VIP
192.168.1.2 Master
192.168.1.3 Backup

VLAN 11
192.168.2.1 CARP VIP
192.168.2.2 Master
192.168.2.3 Backup

etc
etc

Naturally, you set DHCP to give the CARP VIP as the default gateway, DNS Server, etc for each segment as applicable.

I appreciate your time.  It's been very helpful.

It depends on how the IP addresses are routed to you.

If you have a block of routed addresses and the upstream ISP is routing them to your WAN CARP VIP – nothing special, just add the subnet in outbound NAT

If you have a set of VIPs to use instead, then make an alias of them (a host type alias) and then select that alias for use in outbound NAT.