Additional: without NAT, how do I attach OpenVPN to the CARP IP, doesn't it also have to be mapped/rewritten to the CARP IP?

I try to set up a CARP cluster and have issues assigning fw rules etc, because I don't see the CARP IP in the Destination dropdown.

My problem is solved. I bought support and we resolved my problem very quickly.

The most important rule was: VIP Address should have the lowest IP.
Both nodes have the same count of physical interfaces.

Example: we have a 10.0.0.0/29 net from ISP for redundant uplinks.

10.0.0.1 = Upstream Gateway from ISP (regular the lowest IP)
10.0.0.2 = WAN VIP1
10.0.0.3 = pfSense Node1
10.0.0.4 = pfSense Node2

Second Net: 10.0.1.0/29
10.0.1.1 = ROUTED VIP2
10.0.1.2 = pfSense Node1
10.0.1.3 = pfSense Node2
10.0.1.4 = first possible Computer/Server

Turn Off NAT.
Set NAT -> Outbound to Manual Outbound NAT and delete all rules you don't need for the routing interfaces.

On the Computer you have to set the gateway to 10.0.1.1 and you can set DNS to this too if DNS Forwarder is used.
Important is that on the router of the ISP for next hop for the routed 10.0.1.0/29 net is: 10.0.0.2
All other routes and stuff makes the kernel by itself.

So the routing with CARP should work.

Hope this helps someone.

CAT

@cat1510:

There is no way to define a upstream Gateway because u cannot select the VIP1 interface.

A VIP isn't an interface but a virtual IP address which is assigned to an interface.

When adding the gateway just select the WAN interface or whatever it is connected to and check "Default Gateway".

XML Sync is working fine on both nodes.

System > Routing > Gateways

Of course I know how to set up a route / gateway / interface.
There is no way to define a upstream Gateway because u cannot select the VIP1 interface.

I subscribed in the meantime to pfSense Gold Membership.
They exactly describe my topology but there is no example of the rules / gateways etc.
ALL other guides / howtos / tutorials only use CARP with NAT.

It is Chapter: Providing Redundancy Without NAT in the pfSense Book.

Maybe someone has a suggestion how to go on?

Thank you.

CAT

Do I need VIP1 in my drawing? I want failover and I got a /29 net with static IPs.

Yes, VIP1 is the shared WAN IP. In a CARP setup any interface of the master box shares an IP address with the backup.
The VIP1 is your default WAN address. You should also use this IP for outbound NAT translations. This has to be set manually in Firewall > NAT > Outbound.

@cat1510:

How can I setup a upstream gateway for VIP1?

System > Routing > Gateways

@cat1510:

How can I setup a route from VIP2 to VIP1 or any client behind this?

There is no route needed, since you have set the upstream gateway. The gateway is the default route on pfSense.
Your hosts default routes have to point to VIP2, so traffic is directed to pfSense and there it is forwarded to the upstream gateway.

@cat1510:

I want a routing between the subnets not NAT.

So the subnet 93.12.17.32/27 has to be routed to VIP1 by the ISP or any other address which hooks up on it.
Okay, so you don't need the outbound NAT as mentioned above.

Here are some more details:
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Your drawing shows two ISP uplinks, but the IPs are in the same subnet. So it want just be one uplink split by a switch.