Can't access Backup router after HA/CARP enabled


  • I have two xg-7100-1u routers on the same version.

    I have configured CARP VIPs for 3 local subnets on the primary and the respective x.x.x.2 (primary) & x.x.x.3 (backup) IPs on eth6, eth7 and eth8 on both routers.

    The Cisco switch stack has 6 ports in access mode connected to eth6, eth7 and eth8 on both routers.

    I'm on one of the subnets and can access/ping the primary router via any VIP or x.x.x.2 IP, no problem.

    However, the backup router can only be accessed via the LAN port (192.168.1.1) on eth2, which I connect directly to my PC and used to configure interfaces/rules before I enabled HA pfsync/xmlrpc.

    I can't ping any of the x.x.x.3 IPs on eth6, eth7 or eth8 on the backup.

    I have configured the IX1 interface, 192.168.3.1/30 (primary) & 192.168.3.2/30 (backup).

    Once I establish the connection on IX1 and enable HA pfsync/xmlrpc, I can't access the backup router via the LAN port on eth2 anymore, and the x.x.x.3 IPs don't respond either.

    I can use the console to access the backup router.

    Perhaps I have configured the routers in the wrong order?
    Is HA/CARP going to work for my local subnets?

    On a side note, I only have one WAN IP, and I was NOT able to apply the public WAN gateway IP to a private /30 subnet on the WAN interface.

    Anyway, any help would be appreciated. Thanks!



  • I have exactly the same problem with my two XG-7100 in HA mode.
    Some help would be really appreciated.


  • Those CARP addresses should be the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.
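A quick way to audit the point made above before a config sync ever reaches the backup: compare each CARP VIP's mask against the mask of the interface it is assigned to. The script below is an added example, not code from the thread or from pfSense; it parses a pfSense-style config.xml fragment using the element names I expect there (`<interfaces>`, `<virtualip>`/`<vip>`, `<mode>`, `<interface>`, `<subnet>`, `<subnet_bits>`), and the sample document is constructed for the example, with one VIP deliberately set to /32 on a /24 interface and another placed outside its interface's subnet.

```python
"""Check that CARP VIP subnet masks match the interface they live on.

Added example (not from the forum thread or from pfSense itself). The element
names below are the ones I expect in a pfSense config.xml, but the sample
document is constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config fragment. lan is consistent; opt1 has a /24 address but a
# /32 CARP VIP (the mismatch described in the thread); opt2's VIP has the right
# mask but sits in the wrong subnet.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>ix1</if><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>eth6</if><ipaddr>10.10.6.2</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>eth7</if><ipaddr>10.10.7.2</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>1</vhid>
         <subnet>192.168.1.1</subnet><subnet_bits>24</subnet_bits></vip>
    <vip><mode>carp</mode><interface>opt1</interface><vhid>6</vhid>
         <subnet>10.10.6.1</subnet><subnet_bits>32</subnet_bits></vip>
    <vip><mode>carp</mode><interface>opt2</interface><vhid>7</vhid>
         <subnet>10.10.8.1</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
</pfsense>
"""


def load_interfaces(root):
    """Map pfSense interface name (lan, opt1, ...) to its IPv4 network."""
    nets = {}
    for iface in root.find("interfaces"):
        ipaddr = iface.findtext("ipaddr")
        bits = iface.findtext("subnet")
        # Skip DHCP/unconfigured interfaces; they have no fixed subnet to compare.
        if ipaddr and bits and ipaddr not in ("dhcp", "none"):
            nets[iface.tag] = ipaddress.ip_interface(f"{ipaddr}/{bits}").network
    return nets


def check_carp_vips(config_xml):
    """Return (interface, vip, problem) tuples for CARP VIPs whose mask differs
    from the interface's own mask or whose address lies outside its subnet."""
    root = ET.fromstring(config_xml)
    nets = load_interfaces(root)
    problems = []
    for vip in root.iter("vip"):
        if vip.findtext("mode") != "carp":
            continue  # only CARP VIPs matter for HA failover
        ifname = vip.findtext("interface")
        addr = vip.findtext("subnet")
        bits = int(vip.findtext("subnet_bits"))
        label = f"{addr}/{bits}"
        net = nets.get(ifname)
        if net is None:
            problems.append((ifname, label, "interface has no static IPv4 address"))
            continue
        if bits != net.prefixlen:
            problems.append((ifname, label, f"mask /{bits} differs from interface /{net.prefixlen}"))
        elif ipaddress.ip_address(addr) not in net:
            problems.append((ifname, label, f"VIP is outside interface subnet {net}"))
    return problems


if __name__ == "__main__":
    for ifname, vip, why in check_carp_vips(SAMPLE_CONFIG):
        print(f"{ifname}: {vip}: {why}")
```

Run it against a copy of the primary's config.xml (pulled from the backup page or the console) and fix every reported VIP before enabling pfsync/xmlrpc, since the sync copies the same VIP definitions to the backup.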


  • Today I had an idea. I disabled the firewall with pfctl -d on the second device.
    Access was possible again.

    After syncing the config from the first to the second pfSense, I enabled the firewall again with pfctl -e. You might want to reboot your device at this point.

    Now it works again.
    I must have messed up something with the firewall rules, and it was applied to the second pfSense, and then I was locked out of the GUI on it as well as on my first firewall. I have no other explanation for my situation.

    You can follow the guide from the docs (found that later): https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html#disable-the-firewall

    Also check what @jgraham5481 said in Can't access Backup router after HA/CARP enabled:

    Those CARP addresses should be the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.