Thanks for the response. I did figure out how to set the time manually. Times are now within a few seconds of each other. This seems to have cleared up the time offset issue but I am seeing some strange behavior. From the system Logs on the master: Oct 9 10:53:52 dhcpd: uid lease 10.5.4.234 for client 64:20:0c:90:1e:70 is duplicate on 10.5.0.0/21 Oct 9 10:53:44 dhcpd: uid lease 10.5.3.9 for client 64:20:0c:96:19:bf is duplicate on 10.5.0.0/21 Oct 9 10:53:31 dhcpd: uid lease 10.5.6.45 for client bc:67:78:12:04:c3 is duplicate on 10.5.0.0/21 Oct 9 10:53:19 dhcpd: uid lease 10.5.7.208 for client 64:20:0c:7d:c2:2c is duplicate on 10.5.0.0/21 Oct 9 10:53:15 dhcpd: uid lease 10.5.3.91 for client d4:20:6d:da:8c:ab is duplicate on 10.5.0.0/21 Oct 9 10:53:09 dhcpd: uid lease 10.5.4.164 for client 74:e2:f5:91:a5:bb is duplicate on 10.5.0.0/21 Even though I had disabled the DHCP services on the slave, I was seeing stuff like the following in the DCHP logs on the master: Oct 9 10:59:22 dhcpd: DHCPREQUEST for 10.5.3.254 (10.5.1.3) from b0:65:bd:ec:32:12 (iPad) via em1_vlan2 10.5.1.3 is the slave… Also, if DHCP is enabled on the Slave, I will see lines like the following in the DHCP logs: dhcpd: DHCPREQUEST for 10.5.4.183 from 88:c6:63:23:e7:86 via em1_vlan2: lease owned by peer

After looking at it some more, it seems like the CARP_WAN is also not setting the master/slave correctly.  I am seeing both machine as the Master for the VIP CARP XXX.XXX.XXX.250 and YYY.YYY.YYY.250  :'(

Ok, Done Thank you very much. As from now I understand much better how I can mould the pfsense box to our needs. Thanks again, Fons

Yeah, WAN is set to DHCP and gets the same IP everytime (212.o.o.9) But every now and then (5-15 days) rc.newwanip detects a VIP as its normal IP and doesn't respond with the 212.o.o.9. Additionally it's blocking access to a random server as it takes one of those IP addresses.

I'd file that as a bug with Draytek, that's not proper behavior. I've never heard of anything else that behaves that way. It's not just CARP that does that, other routing redundancy protocols are no different.

The only option for doing CARP with a PPPoE WAN is to do the PPPoE on the modem, and then pass through the real public IP to a private CARP IP (exactly how is best depends on the capabilities of your modem).

But shouldn't pfSense kill states on a certain gateway when it goes down?

Issues with HA are very different from protocols like OSPF or BGP. I repeat my previous question: how would you do state synchronization ? Unless you're only trying to do HA for a pair of pure IP routers (very rare scenario), in every other case you'd need to do state synchronization, which allows a firewall to copy its connection table to other backup firewall(s), so that connections will not be lost if a failover occurs.

By far no expert here, but maybe also check if the IP adresses assigned to the pfSync interfaces have the right subnet mask /24 or something and are different from the WAN and LAN ? And check firewall rules, see if anything gets blocked in the "status\system logs\firewall". If really paranoid go to the console/putty and run a "tcpdump -en ICMP" check the ping is leaving through the right interface.

Then you can add Proxy ARP addresses and then you can select them when creating a NAT rule (Firewall: NAT: Port Forward) under "Destination Address"

If you don't want to open an extra port on the outside, you can do an SSH tunnel like so in PuTTY: Under Connection:SSH:Tunnels: Souce port: 6666 Destination: secondary_ip:443 x Remote x IPv4 Click add open ssh log in and then in your browser, go to https://localhost:5000

That took care of it. Thanks!

locking this duplicate post, don't post the same thing twice.

In 2.0.1 and 2.1, if you have interfaces setup with a manual address, then pfsense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules. If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).

You can, yes. Definitely not recommended (mostly for security reasons). Forced to choose, LAN, never WAN.

I'll have a look this weekend how severe such a change would be and if with my PHP skills I consider it practial, I'll do it.

Found the problem.  The switch did not have the vlan created, even though it was listed in the Port Channel.

Ideally? You would want 2 ports 2 different (redundant/stacked) switches, so that if one of those goes down, it doesn't take down your WAN. If you "throw one switch in front of the two boxes" your creating another SPOF…

Yep