• HA proxy port 80 in use after upgrade to 23.09.1

    2
    0 Votes
    2 Posts
    1k Views

    @ironwood Ok, I found the solution, or rather, ChatGPT found the solution. Under System > Advanced > Admin Access, there is a setting called WebGUI Login Redirect. This is the description:

    When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

    The redirect is enabled for port 80 by default and was conflicting with the http to https redirect I had set up in HAproxy a long time ago. I checked the box to disable it, saved, enabled my redirect and voila, it works!

    I'm guessing this was either a new feature in 23.09.1 or I had it checked before and it "unchecked" itself? Would be interested in finding if that setting exists in earlier versions if anyone hasn't upgraded.

  • CARP Mode Multicast / Unicast ?

    3
    0 Votes
    3 Posts
    1k Views

    @kiokoman said in CARP Mode Multicast / Unicast ?:

    @Yathus
    indeed, if you can't use multicast, peer address is the second node for primary pfsense and vice versa for secondary pfsense
    forget about PFSYNC interface it is used only for configuration synchronization and pfsync state synchronization

    I made a test: I created a "Virtual IP" on the primary pfsense and put the IP from the secondary in "peer IP", and it's working. I created it only on the primary node, nothing on the second node; Sync did the job.

  • HAProxy issue after update Pfsense from 2.7.0 to 2.7.1

    2
    1 Votes
    2 Posts
    697 Views

    Does nobody know or have any ideas? I am really stuck on this.

  • HA Firewall rules keep disappearing

    3
    0 Votes
    3 Posts
    491 Views

    @SteveITS And that is what is strange...the rules on the primary firewall are there...and for that matter ALL the rules for all the interfaces are there and not overwritten or deleted...just the HA ones. And I don't change any of the rules on the primary as it relates to HA.

  • carp address not available from lan/wan1/wan2

    5
    0 Votes
    5 Posts
    635 Views

    @SteveITS the carp began to work after entering the second gateway in first High Availability option

    thanks!)

  • ICMP Fragmentation Needed sent from real IP instead of VIP

    2
    0 Votes
    2 Posts
    413 Views
    No one has replied
  • DHCP Issues

    12
    0 Votes
    12 Posts
    868 Views

    @Daniel_Hyde
    Yes, as the hint there is mentioning.
    This setting needs only to be made on the primary.

  • Using HAproxy on a CARP/HA firewall cluster

    14
    0 Votes
    14 Posts
    2k Views

    @viragomann ,

    Observed something weird: if I turn off state synchronisation in System >> High availability, the application is working. Any suggestions for this weird behaviour?

  • Disabling a VIP temporarily?

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • CARP/HA in GCP

    1
    0 Votes
    1 Posts
    369 Views
    No one has replied
  • Redundant carp mesh best practices

    1
    0 Votes
    1 Posts
    270 Views
    No one has replied
  • Why does my HA VLANs show so much traffic on the graph?

    1
    0 Votes
    1 Posts
    276 Views
    No one has replied
  • Single node to HA cluster -> Config migration

    5
    0 Votes
    5 Posts
    757 Views

    @SteveITS Thank you!
    Unfortunately there does not seem to be a backup option for users and/or certificates only. So it looks like I'm going to have to copy those sections of config over manually.

  • Sync not working

    9
    0 Votes
    9 Posts
    1k Views

    @jeffsmith82 said in Sync not working:

    used to force you to use the admin account until a relatively recent version

    Oh, good to know, thanks.

  • Potential DNS Rebind attack detected and Web UI Certificates

    2
    0 Votes
    2 Posts
    438 Views
    johnpoz

    @Kajetan321 the vip just points to one of them, whoever is the master. So yeah to it the name is not correct.

    What you would want to set up is an alternative name.


    so if you have pfsense1.home.arpa and pfsense2.home.arpa on the 2 boxes, here for the vip name you would want pfsense.home.arpa

    This is located under system / advanced / admin access

  • HA on two different types of hardware

    9
    0 Votes
    9 Posts
    3k Views

    @SteveITS Thank you very much. I appreciate immensely your input. It clarified my misunderstanding.

  • Custom CARP failover script

    5
    0 Votes
    5 Posts
    1k Views

    @jimp , thanks for the directions.

  • WAN CARP IP stops responding - requires cable modem reboot

    4
    0 Votes
    4 Posts
    547 Views

    @mi8088 The firewall was sending traffic out, but the cable modem was dropping it.

    There's really only two fixes I can see:

    The cable modems need to change their behavior to accommodate changes in MAC addresses.
    pfSense's CARP IP and all associated traffic needs to use the same MAC address that doesn't change when failing over.

    I ended up disabling CARP on the WAN IP and haven't had any issues with the connection going down since.

  • Pfsense Authentication on second device from HA

    6
    0 Votes
    6 Posts
    729 Views

    @SteveITS Solved the issue.

    After reboot works on both devices.
    Thanks a lot for your support!

  • 0 Votes
    4 Posts
    668 Views

    @mi8088 said in No traffic on a WAN CARP IP from outside, working internally and for Virtual IP:

    Do you mean this behaviour?

    The behavior of not allowing MAC changes on the router in front of pfSense.
    I don't know any device, which doesn't let you change this.

    I don't know if we can get the CPE configured somehow, our provider is claiming they can't do anything with it.

    This is required for CARP, however.

    Is there a way to get around it with an extra switch? (Which of course introduces another point of failure...)

    Not with an L2 device. You can put an L3 switch (router) in between and nat the traffic to pfSense as its best.

    However, pfSense sends the response packet back from the hardware MAC, not the virtual.

    Can I change this somehow?

    No, pfSense will use the interface MAC, when responding. You can spoof this MAC though, but you cannot spoof the CARP vMAC, and both must be different naturally.
    So the only option to make CARP work is to allow this on the connected devices.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.