Hi Steve, JimP and CMB helped mit with the exact same problem, after our upstream provider routed an additional /29 network to our new pfSense Firewalls. As for diagnosis, the effects were almost the same as yours. Master is up: all is going well, Master is down -> Slave takes over -> all is good except die VIPs from the /29 network. As it became clear that it had nothing to do with CARP, Syncing or anything else, JimP got me the hint, to call our upstream provider and let them check the IP, where they route the /29 network to. And as expected, they answered me that they did an error and routed the whole /29 to the public IP of the Master firewall instead of the CARP VIP I told them. So question is: how is your /29 network routed to you? Did you get public IPs prior to this /29 or is that all you have? If it's all - do you have a gateway from your provider in the same /29 network? Or is the GW another transfer network? Greets Jens

I am not sure why all of a sudden its not working unless someone changed something. My problem had to do with routing to the default gateway and gateway monitor IP address.

No, three different/physical NICs.  Making the issue even stranger.

Is this a 1-1 nat? If so, use the private address, not the public. Firewall is applied post NAT.

You need to use Advanced Outbound NAT. Change the NAT Address to 1.2.3.3. You should have both boxes set to sync states and the master should have the required XMLRPC settings- rules, nat, and VIPs at a minimum.

Hi, I was able to synchronize the voucher from master database using sync ip interface, such as the port on which expose the service and the credentials of administrator of pfsense. The synchronization works, in fact on the screen of the vouchers I have written: voucher Rolls (Synchronized from 192.168.0.1) At this point, however, is another issue, if I create new voucher on the master server, the slave does not sync automatically, even waiting a while, the only way I've found is to click again on "Save" in the page configuration. Obviously doing this manually is boring and unnecessary, it is his normal behavior or do I have to do? thanks

It should work, though with CARP you will want to make sure that none of your Phase 2's have an "automatically ping" address in them. Otherwise the secondary will constantly try to bring up a tunnel even when it's in a backup state, so it may get confused about its P1 status…

It was a strange issue with my switch.

Hi, it works fine now, thanks!

The master/backup status is purely a layer 2 or lower decision. If they are both master, then the secondary is not seeing the advertisements from the primary, indicating that they are being blocked or not delivered properly. Either they aren't on the same layer 2, or something is blocking the CARP multicast heartbeats.

CARP is a network protocol and does not depend on hardware. So I think, it should also work on different hardware. Just try it out. You intend to build up pfSense on a new more powerful hardware anyway.

@jason0: what is the difference between binding the alias to the 'localhost' interface versus the wan carp interface?  Why would I choose one or the other? IP Alias on localhost is for binding services on IPs inside a routed subnet – that is, a subnet routed entirely to your firewall (cluster). The differences are: IP Aliases on an interface would be an IP conflict if they existed on two separate firewalls at once, which is why CARP VIPs are required. These do not sync as it would create an IP conflict. IP Aliases using an interface of an existing CARP VIP (in the same subnet as the CARP VIP) are OK, and they do sync, because only one of the nodes can use them at a time IP Aliases on localhost are only useful for binding services on the firewall to an IP address inside a routed subnet, and should not be used if the IP addresses are in your WAN or any other interface subnet. @jason0: what type of problem is resolved by being able to bind a wan ip alias to a different interface?  For instance, I COULD create an ip alias with an additional wan ip, and bind it to my LAN port: but what does that get me? Nothing useful in that example. You do not want to assign IP addresses from the same subnet to multiple interfaces. @jason0: Is the word "localhost" possibly a misnomer?  Is it more a generic word use like "any of the interfaces listed"? No, it means exactly what it says. The IP Aliases are placed on the localhost interface (lo0). If the IP addresses you're using are all inside the WAN subnet, then using CARP VIPs or Alias-on-CARP VIPs is best. In a clustered environment you cannot use Alias-on-WAN or Proxy ARP type VIPs on WAN as it will create an IP conflict. If the additional IP addresses are in a separate subnet routed to you, then you do not need any VIPs for 1:1 NAT to function. If the IP addresses you have are truly in the WAN subnet and they still work when you bind the IPs to localhost, then it's a fluke, the upstream router probably has a cached ARP entry that is pointing them to the primary firewall or CARP VIP MAC. I wouldn't expect that to keep working indefinitely.

You'd be better off on 2.1.x for the moment (2.2 is still alpha) You just need to make sure that your config.xml version is right for that version (10.1, not 10.7)