    I have two pfsense firewalls configured in HA. Each firewall has two WAN interfaces and a floating IP using CARP. Each firewall has a LAN interface and a floating IP using CARP.

    My problem - if the master firewall fails, the CARP address does appear on the slave; however, no traffic is passing. If I do a traceroute from a PC on the LAN side, its first hop is the CARP address, but then the second hop wants to go to the master's LAN interface and not the slave's LAN interface. If I change the slave's LAN interface to the master's LAN interface IP address, all then works.

    Does anyone know why, when the slave has taken over, it is trying to route to the master's LAN IP address after it has hit the CARP floating address? All settings look right, compared against several documents.

    Everything must be pointed at the CARP VIPs. Default gateways, DNS, etc.

    Thank you for replying, Derelict. Yes, everything is pointing to the CARP VIP address. If I perform a traceroute to the internet, the first hop is the CARP VIP address, but it then goes to the physical LAN's IP address.

    Outbound NAT must also be set to use the CARP VIPs.

    It is perfectly normal for a traceroute response to appear to come from the interface address not the CARP VIP.

    You'll probably need to perform troubleshooting steps to determine what is actually failing and we can go from there.
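    An added example (not from this thread or from pfSense itself) that turns the two points above, gateways/DNS and outbound NAT must all use the CARP VIPs, into an offline check: it parses a constructed config.xml fragment and flags any outbound NAT rule or DHCP gateway/DNS value that is not a CARP VIP on that interface. The element paths (virtualip/vip, nat/outbound/rule/target, dhcpd/<if>/gateway, dnsserver) are assumed from memory of the pfSense config layout and should be verified against a backup of your own config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Element names follow the pfSense config.xml layout as
# remembered (assumption: check the paths against a backup of your own config.xml).
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.1</subnet><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>192.168.1.1</subnet><vhid>2</vhid></vip>
  </virtualip>
  <nat><outbound><mode>hybrid</mode>
    <rule><interface>wan</interface><target>203.0.113.1</target></rule>
    <rule><interface>wan</interface><target></target></rule>
  </outbound></nat>
  <dhcpd><lan><gateway>192.168.1.2</gateway><dnsserver>192.168.1.1</dnsserver></lan></dhcpd>
</pfsense>"""

def carp_vips(root):
    """Map interface name -> set of CARP VIP addresses configured on it."""
    vips = {}
    for vip in root.iterfind("./virtualip/vip"):
        if vip.findtext("mode") == "carp":
            vips.setdefault(vip.findtext("interface"), set()).add(vip.findtext("subnet"))
    return vips

def audit(config_xml):
    """Return a list of findings; an empty list means every checked setting uses a CARP VIP."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []
    # Outbound NAT: an empty <target> means "interface address". Replies to traffic
    # translated to that address return to whichever node owns it, not to the node
    # currently holding the VIP, so NAT through the backup silently breaks.
    for i, rule in enumerate(root.iterfind("./nat/outbound/rule")):
        iface, target = rule.findtext("interface"), rule.findtext("target") or ""
        if target not in vips.get(iface, set()):
            findings.append(f"outbound NAT rule {i} on {iface}: target {target!r} is not a CARP VIP")
    # DHCP: the gateway and DNS handed to clients must be the LAN CARP VIP, otherwise
    # clients keep sending to the failed node's interface address after failover.
    dhcpd = root.find("dhcpd")
    for scope in ([] if dhcpd is None else list(dhcpd)):
        iface = scope.tag
        gateway = scope.findtext("gateway") or ""  # blank means "interface address"
        dns = [e.text or "" for e in scope.findall("dnsserver")]
        for name, value in [("gateway", gateway)] + [("dnsserver", d) for d in dns]:
            if value not in vips.get(iface, set()):
                findings.append(f"dhcpd {iface}: {name} {value!r} is not a CARP VIP")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: all checked settings use CARP VIPs"]:
        print(line)
```

    Run it against the sample and it reports the second NAT rule (interface address) and the LAN DHCP gateway (node's own IP); a clean config returns no findings.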

