At the same time these two firewalls are up and down as a result of them crashing .. I started getting reports that folks couldn't access a website that uses a Windows NLB and resides on vlan230.  There were three separate incidents where I happened to have these firewalls up and running with active CARPs and this website became inaccessible. I don't understand it, because I added a CARP VIP to lagg0_vlan3, and lagg1_vlan229.  But I definitely think that the two bouncing firewalls caused the issue.  During the last incident, I immediately powered off the two firewalls, and the issue went away. The resource(s) sitting behind the Barracuda NLBs on the same vlan, do not appear to have been affected. -ct

If I attempted this..  I'd download the config from the backup and manually modify the XML file, then re-upload it.  Off the top of my head, you need to update the following; hostname IP Address of all Interfaces - i.e., change from .3 to .2 Skew for all CARP VIPs - i.e, change skew from 100 to 0 Failover Peer IP for DHCP - i.e., change peer from .2 to .3 Once you get your second instance of pfSense up, you'll just need to configure pfSync and XMLRPC Sync. -ct

You can use a single WAN IP with CARP if you expand your WAN Subnetmask (Nasty Trick ;-) ). Tested with pfsense 2.1.4 Example: WAN: IP 20.20.20.1 /30 ISP Router     20.20.20.2 /30 Your Router Pfsense Config:     20.20.20.1 /30 ISP Router (Your ISP don't change the Router mask)     20.20.20.2 /29 CARP IP   20.20.20.3 Don't use this broadcast IP     20.20.20.4 /29 Pfsense 1 - WAN Interface (also set upstream gateway 20.20.20.1 in the wan interface)     20.20.20.5 /29 Pfsense 2 - WAN Interface (also set upstream gateway 20.20.20.1 in the wan interface) Now you mus add a static ARP Entry for the ISP Router under Service -> DHCP Server -> Bottom (Because of ARP request from .4. und 5. that don't work). I have set up a manual outbound NAT  rule for source: any any and NAT Address: CARP Interface 20.20.20.2. If Pfsense 1 is active Pfsense 2 has no internet connection for DNS and NTP. Set up pfsense 2 to this  DNS 1. 192.168.5.1 (internal pfsync inteface for pfsync 1) 2. 8.8.8.8 Set up pfsense 2 to this  NTP 1. 192.168.5.1 (internal pfsync inteface for pfsync 1) 2. external NTP Server IP I dont use the arping tricks from other threads. I dont use gateway groups. Gateway Monitoring is active, with no special "monitor ip".

Please start your own thread for that issue, it's unrelated to this topic.

Hi Steve, JimP and CMB helped mit with the exact same problem, after our upstream provider routed an additional /29 network to our new pfSense Firewalls. As for diagnosis, the effects were almost the same as yours. Master is up: all is going well, Master is down -> Slave takes over -> all is good except die VIPs from the /29 network. As it became clear that it had nothing to do with CARP, Syncing or anything else, JimP got me the hint, to call our upstream provider and let them check the IP, where they route the /29 network to. And as expected, they answered me that they did an error and routed the whole /29 to the public IP of the Master firewall instead of the CARP VIP I told them. So question is: how is your /29 network routed to you? Did you get public IPs prior to this /29 or is that all you have? If it's all - do you have a gateway from your provider in the same /29 network? Or is the GW another transfer network? Greets Jens

I am not sure why all of a sudden its not working unless someone changed something. My problem had to do with routing to the default gateway and gateway monitor IP address.

No, three different/physical NICs.  Making the issue even stranger.

Is this a 1-1 nat? If so, use the private address, not the public. Firewall is applied post NAT.

You need to use Advanced Outbound NAT. Change the NAT Address to 1.2.3.3. You should have both boxes set to sync states and the master should have the required XMLRPC settings- rules, nat, and VIPs at a minimum.

Hi, I was able to synchronize the voucher from master database using sync ip interface, such as the port on which expose the service and the credentials of administrator of pfsense. The synchronization works, in fact on the screen of the vouchers I have written: voucher Rolls (Synchronized from 192.168.0.1) At this point, however, is another issue, if I create new voucher on the master server, the slave does not sync automatically, even waiting a while, the only way I've found is to click again on "Save" in the page configuration. Obviously doing this manually is boring and unnecessary, it is his normal behavior or do I have to do? thanks

It should work, though with CARP you will want to make sure that none of your Phase 2's have an "automatically ping" address in them. Otherwise the secondary will constantly try to bring up a tunnel even when it's in a backup state, so it may get confused about its P1 status…

It was a strange issue with my switch.

Hi, it works fine now, thanks!

The master/backup status is purely a layer 2 or lower decision. If they are both master, then the secondary is not seeing the advertisements from the primary, indicating that they are being blocked or not delivered properly. Either they aren't on the same layer 2, or something is blocking the CARP multicast heartbeats.

CARP is a network protocol and does not depend on hardware. So I think, it should also work on different hardware. Just try it out. You intend to build up pfSense on a new more powerful hardware anyway.