CARP/HA Issue with connection

  • Hello All,

    I have two pfSense servers connected with CARP/HA with a simple crossover cable. My LAN and WAN are both VIPs. This setup works well with one exception. The backup box cant seem to connect to the internet. This is problematic for installing packages. It DOES work correctly when it is failed over and primary.

    Is this expected behavior, or a setting I do not have configured properly.


  • If both boxes have a public IP, then both should be able to connect to the Internet. If you have a single public IP that the firewalls are sharing, and private IPs on the WAN, then that is the expected behavior.

  • @dotdash said in CARP/HA Issue with connection:

    private IPs on the WAN

    One exception to this is if the pfSense is behind another router providing NAT...then both routers should be able to get out. It's a long story but we do actually have one configured that way.

    @briansnyder00 , are the WAN gateways correct on both? It should work, since for example one normally upgrades the backup router first.

  • Thank you for the replies. Our situation is somewhat unique. We are behind the router of our ITC. Our users NAT to a single IP (The WAN VIP) on our box which is a private IP. That IP is natted upstream to a public IP. As I said everything seems to work properly with the exception of the backup box it's self. Upgrading is exactly how I noticed the issues. The backup box can't find any updates. The primary has no problem.

    The WAN gateways are the same on both boxes as are all other settings with the exception of the actual LAN and WAN IP addresses.

  • Is the netmask right? DNS? Have you tried pinging or traceroute from the web GUI (Diagnostics)?

    Our client with this setup has the router WAN IP at, gateway Backup is the same but with

    (they have 3 WAN VIPs and one LAN VIP at

  • I think I may have found the issue. Both device their selves were in the NAT range tied to the single VIP. I believe the secondary box was communicating out, but any reply went back to the primary box. I found a NAT setting to map "This Firewall" to it's WAN interface address and not the VIP. That seems to have worked on both devices.

    I did have our upstream provider NAT all to the same public IP:
    VIP x.x.x.1
    Device 1 x.x.x.2
    Device 2 x.x.x.3

    Thank you all for the help!

Log in to reply