You likely need to enable MAC address spoofing on the two VMs.

Welp, as it turns out, the Motorola/Arris box that they gave me doesn't require sticky statics - It's strictly optional.  So I can continue using PFSense as a filtered bridge without any worries. :)

This patch to rc.carpmaster and rc.carpbackup is still necessary on 2.1.4 to stop/start quagga on carp role change right? It looks like some logic was added to determine whether or not to start quagga based on role at startup, but the patch is still required for failover.

Do you have your interfaces assigned in the same order on both pfSense in Interfaces > assign? This is essential for syncing correctly.

For the record, I've reproduced this on the firewalls in the office here; the patch appears to solve it. However I'm still totally confused as to how it's working at all When the bug is present the IP address of the Alias (lets say .21) isn't assigned to any of the interfaces at all. Yet if I do curl https://x.x.x.21 then I can get through the NAT and the firewall to the webserver underneath. Why is PFSense responding on an IP it doesn't own!?

Yes, if you want to fail-over you need to make a CARP address on every network/vlan. With the openVPN, bind the server to the CARP address, that way it'll work when  the secondary has taken-over

yeah it is working well, this is my bad, could have check the switch port . TIA

Viragomann - I appreciate your quick response.  "…Add all other network as IP Alias with their real /24 mask..." did the trick.  I was trying to add them with a /32 mask which was not working.  Again - Thanks.

That isn't currently possible. We've had some people try this with multiple NICs and they've had mixed success. Eventually it may be possible via netgraph virtual interfaces but that's a long way off yet.

Hi ! problem is solved : it was a bonding issue, but not regarding pfSense. The pfSense CARP cluster is linked to a couple of Juniper Virtual Chassis switches without any bonding. But  a cluster of Juniper SRX routers is also linked to the same Virtual Chassis using "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups". And my mistake was I forgot to configure LAGs on the Virtual Chassis Interfaces linked to the SRX cluster reth LAG. http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/chassis-cluster-redundant-ethernet-interface-link-aggregation-group-configuring-cli.html : "For aggregation to take place, the switch used to connect the nodes in the cluster must enable IEEE 802.3ad link aggregation for the redundant Ethernet interface physical child links on each node." Romain

Argh!  As usual, as soon as I added this thread I was able to fix the problem. On the standby firewall, I edited /config/config.xml and replaced "opt1" with "opt2" for the DMZ interface.  I then removed the /tmp/config.cache and /tmp/config.lock files then rebooted the standby.  Now, CARP status shows all interfaces in Backup mode as expected. Sorry for the noise…

Hi, This last one solved it for me, but it looked like the previous one had potential… --jason

@jacobedwards: So I'm planning on upgrading from 2.0.1 to 2.1.4. Anything I should know beforehand? I have backed up configuration files just incase. Will any problems occur that anybody knows off? Should I do anything before I perform the upgrade, I.E. Remove packages etc? You might have better luck if you post this in the forum for "Installation and upgrades", or maybe a mod can split your post out in a new thread.

Thanks for your support. I'm glad that my provider agreed on giving us a /29 subnet for the WAN-side. Therefore I'm ready to try it the easy way ;-)

Hi BigTy, If I understood your post correctly, CARP is not what you need. Have a look at multi-WAN and policy-based routing. https://doc.pfsense.org/index.php/Multi-WAN_2.0

At the same time these two firewalls are up and down as a result of them crashing .. I started getting reports that folks couldn't access a website that uses a Windows NLB and resides on vlan230.  There were three separate incidents where I happened to have these firewalls up and running with active CARPs and this website became inaccessible. I don't understand it, because I added a CARP VIP to lagg0_vlan3, and lagg1_vlan229.  But I definitely think that the two bouncing firewalls caused the issue.  During the last incident, I immediately powered off the two firewalls, and the issue went away. The resource(s) sitting behind the Barracuda NLBs on the same vlan, do not appear to have been affected. -ct

If I attempted this..  I'd download the config from the backup and manually modify the XML file, then re-upload it.  Off the top of my head, you need to update the following; hostname IP Address of all Interfaces - i.e., change from .3 to .2 Skew for all CARP VIPs - i.e, change skew from 100 to 0 Failover Peer IP for DHCP - i.e., change peer from .2 to .3 Once you get your second instance of pfSense up, you'll just need to configure pfSync and XMLRPC Sync. -ct

You can use a single WAN IP with CARP if you expand your WAN Subnetmask (Nasty Trick ;-) ). Tested with pfsense 2.1.4 Example: WAN: IP 20.20.20.1 /30 ISP Router     20.20.20.2 /30 Your Router Pfsense Config:     20.20.20.1 /30 ISP Router (Your ISP don't change the Router mask)     20.20.20.2 /29 CARP IP   20.20.20.3 Don't use this broadcast IP     20.20.20.4 /29 Pfsense 1 - WAN Interface (also set upstream gateway 20.20.20.1 in the wan interface)     20.20.20.5 /29 Pfsense 2 - WAN Interface (also set upstream gateway 20.20.20.1 in the wan interface) Now you mus add a static ARP Entry for the ISP Router under Service -> DHCP Server -> Bottom (Because of ARP request from .4. und 5. that don't work). I have set up a manual outbound NAT  rule for source: any any and NAT Address: CARP Interface 20.20.20.2. If Pfsense 1 is active Pfsense 2 has no internet connection for DNS and NTP. Set up pfsense 2 to this  DNS 1. 192.168.5.1 (internal pfsync inteface for pfsync 1) 2. 8.8.8.8 Set up pfsense 2 to this  NTP 1. 192.168.5.1 (internal pfsync inteface for pfsync 1) 2. external NTP Server IP I dont use the arping tricks from other threads. I dont use gateway groups. Gateway Monitoring is active, with no special "monitor ip".

Please start your own thread for that issue, it's unrelated to this topic.