Can you print out the ifconfig from em1 on pfsense box 2? If your provider is also using CARP or VRRP, you might need to reset the VHID to something else to avoid conflict. Is there anything in the logs to indicate a problem on either machine?

CARP doesn't care if it's a tagged VLAN or not.  You need good layer 2 between CARP member nodes. And, yes, if you want all the VLANs to be HA you need a CARP VIP and each member node has to have an interface IP. VLAN 10 192.168.1.1 CARP VIP 192.168.1.2 Master 192.168.1.3 Backup VLAN 11 192.168.2.1 CARP VIP 192.168.2.2 Master 192.168.2.3 Backup etc etc Naturally, you set DHCP to give the CARP VIP as the default gateway, DNS Server, etc for each segment as applicable.

I appreciate your time.  It's been very helpful.

It depends on how the IP addresses are routed to you. If you have a block of routed addresses and the upstream ISP is routing them to your WAN CARP VIP – nothing special, just add the subnet in outbound NAT If you have a set of VIPs to use instead, then make an alias of them (a host type alias) and then select that alias for use in outbound NAT.

Have a look at this thread, I think it covers a way to do what you're asking for. https://forum.pfsense.org/index.php?topic=87546.0

Turns out I needed to reboot the firewalls… Im surprised that wasn't step #1. Thanks for your help!

Thank you for the help guys! One of the instances is physical, the other is virtual. We were holding up moving to 100% virtualized because of this problem, but we're going to move forward since the interfaces will be named the same after the upgrade. Cheers!

Thanks for this, I would have never figured it out. I've kind of got there with this, the problem I currently have is that outbound traffic is still going through the dynamic IP rather than one of the statics. could anyone advise me on how to make it use the static please.

@podilarius: From my experience, if any interface with a CARP address goes down, the entire system switches over. That's CARP pre-empt at work, which is enabled by default in pfSense.

I have 3 clusters of pfSense running on a nework and they all co-exist well. You absolutely need to ensure that the VHID is different between each cluster set, and also that it does not overlap any other CARP or VRRP instances running on the same L2. If you are using IPv4 and IPv6, you also need different VHID for each protocol.

I found it's IP problem. It works well when I use a real public ip rather than a private ip (I used for test). When I use a private ip as wan ip,it's not work,even though I unchecked "Block private networks" option. Thanks again!

That's not an answer for what you're looking to accomplish. Can only sync the entirety of that portion of the config (which almost certainly won't be identical across everything), and can only do so to one other host. Some have hacked up their own solutions to accomplish parts of that, specific to their general config management usage. We'll have a solution for centralized management in the future.

@BlueKobold: I my testing I have come across and issue with the pfsense/bsd implementation of LACP. In front of the cluster or behind it, to the LAN or WAN side I mean? Do we talking about dynamic LAG over LACP and automatic set up or do we talking about static LAG manual set up? active/passive or active/active only dynamic lacp sends the fast/slow pdus, so must be dynamic.