Yes, they are both in the same switch.
That's what i was afraid of, even if i block all all the traffic between those networks they'll still be able to reach directly…....
Well thank you for the response VLANs it will be :)

@salmonbaytech:

On both routers I have all my networking configured in a LAGG with vlans on top.  Router 1 is plugged into port 21 on both switches and Router two is plugged into port 22 on both switches.

Are you sure the Netgear switches do LACP across the two switches (As in you can plug a cable into each switch and correctly bring up the trunk to PFSense)? Generally when you are doing LACP, it needs to be the same layer devices on the ends. HP has a few switches that will do it –- I believe they call it distributive trunking.

A /28 has 16 total IPs in it.

Your network addresses would fall on .0 and .16
Broadcasts would be on .15 and .31

50.0.1.10/28 is a usable address.

Solved this on my own I think.

Wasn't spanning tree.  It was the vrrp we also enabled between the two switches.

I thought using the VLAN tag as the VHID was a nice way of keeping things lined up but since the switch uses the same for it's vrrp tag apparently that's where everything broke.

Simply incrementing my VHID on the pfsense pair by 1 has everything working again.

Never mind, I guess.  Went to lunch and they were all synced when I got back.  Seems to be syncing changes as expected again.

It seems, that one provider had failed and it is working now.
Unfotunately some users have "blackouts" from time to time for about ~5 minutes.
Do you think it could be problem with outbound NAT or where should I look?

Problem solved. Thanks everyone. NAT problem was found for ISP#2.

Well, you can disable CARP on the master in Status > CARP (failover)

I think there are a couple new widgets in 2.2.1 that deal with resetting the demotion score or something.  I haven't looked at it yet.

Yeah: https://doc.pfsense.org/index.php?title=2.2.1_New_Features_and_Changes#VIP.2FCARP

Please start a new thread as that is a completely different issue.

To add closure to this issue, the problem went away by resetting sysctl net.inet.carp.demotion from 240 to 0 with:

sysctl net.inet.carp.demotion=-240

sysctl net.inet.carp.demotion is essentially a penalty against the advskew settings. Returning this to 0 made the VIPs stable and removed the warning from the CARP status page, though it would recur following a reboot.

According to https://forum.pfsense.org/index.php?topic=89132.msg496865#msg496865 the problem is caused when using CARP on a LAGG. When the LAGG is initialised it loses some CARP advertisements and causes net.inet.carp.demotion to be increased by the value of net.inet.carp.senderr_demotion_factor (240).

Setting:

net.inet.carp.senderr_demotion_factor=0

means that this issue no longer occurs when at boot time and is therefore resolved permanently.

If the settings were truly identical, it would have worked. Something must not have matched.

There are many CARP+LAGG systems working OK on pfSense 2.2 (and 2.1).

Dear Christopher,

Thank you very much!! Adding the tunable did solve the problem. I rebooted eight times and I experienced no more split brain situations. As with 2.1.5, the machine designated as CARP master was master for all networks after all reboots as long it was on. Before adding the tunable, I needed to reboot about eight times to end up without a split brain situation.

I did make two more observations which may be relevant:

One of my pair of firewalls is connected to a stacked switch. Of the LAGG with three members, two cables are connected to one switch in the stack and one to the other switch. In that setting, CARP issues did occur more frequently without the tunable. Maybe, the switch interfaces are coming up and down slightly slower due to stack coordination. At the other pair of my firewalls, all three LAGG member cables go to the same switch, as there is only one due to rack space limitations. There, split brain situations did occur without the tunable, but less frequently. After adding the tunable, starting quagga did not work on the backup switch one time, but without practical consequences. Other than that, also starting and stopping quagga does work again after adding the tunable.

In general, I feel that a human readable text about CARP changes in 2.2 similar to the examples in the draft 2.1 book would be very helpful. For example, I am still banging my head to get captive portal running on a CARP / LAGG interface again after upgrading to 2.2 (https://forum.pfsense.org/index.php?topic=87991.msg495896#msg495896). Without understanding the changes, that is hard to do.

Regards,

Michael

and now, the states table for the server :

WAN tcp 192.168.1.131:8622 <- 94.23.250.17:35042 SYN_SENT:ESTABLISHED
LAN         tcp 94.23.250.17:35042 -> 192.168.1.131:8622 ESTABLISHED:SYN_SENT

I do not understand the second line. Why LAN intf and arrow indicating connection from a wan address to the server's address ?

But indeed, arrow from server to wan is nowhere to be seen

Issue Resolved,

Reinstalled Both firewalls and now everythings working fine.

I'm sorry.  I see CARP and I think CARP.  Now I get it.