Your saying stuff behind pfsense doesn't have internet.. Just at a loss to why your vip would be .6? Whenever you setup a carp or hsrp or anything where there is a vip that is moved between 2 devices.. It is almost always in sequence with the actual physical IPs

.1
.2
.3 would normally be the vip..

.252
.253
.254 would be the vip

etc..

Where did you come up with .6????

and .1 and 3 for your physical???

So if your traffic comes in from some other path and not through the cluster, and your trying to use the cluster as your gateway for the webserver - then again NO shit its not going to work..

What I would suggest you do is get 1 pfsense working... Then graduate to a HA setup.. If your going to use some other path to and from internet or other networks, then this path needs to be connected via a transit network off your pfsense box..

Again I suggest you DRAW!!! your network so we are all clear how you have everything connected..

You understand for port forwards to work you would need them to point to the wan carp VIP!! this looks like you have your pf1 and 2 in line with each other? Traffic hits your wan carp vip, and would be forwarded to your webserver IP.

dns load balancer >> pf1 - pf2 >> webservers