Unable to failover to backup pfsense

  • I have set up 2 pfsense with CARP configured.

    Master - Sync enabled, Interface - SYNC, and with the selected options to be synchronized. In CARP STATUS I can see both interfaces, WAN and LAN CARP, running as Master.

    Backup - Sync enabled, Interface - SYNC, CARP STATUS - WAN and LAN CARP are running as backup.

    The client default gateway is pointing to the LAN CARP interface. When I do a streaming test (website: www.abc.com) and unplug the LAN interface on the master pfSense, the streaming video hangs immediately. I thought the streaming should continue when I have failover configured.
    The streaming video will continue when I plug the LAN interface back in.

    1. My system is running pfSense RC2a
    2. Will the failover be unable to run properly if I have a Squid proxy running?


  • Haven't tested this with squid but are you able to reestablish the connection after it broke? Is the failover just not stateful or does it stop working completely?

    Are you sure you have firewall rules allowing traffic between the sync interfaces of both machines?

  • Failover will not work with squid. Any active connections will be broken during the failover.

  • The failover works if it is streaming from a radio station, but not the streaming video from a website. The video will hang totally when disconnected from the master and will resume immediately when the connection is established. I think Squid had cached the content. Correct me if I'm wrong.

    Thanks.  sullrich.

  • hello guys, and ladies

    i am having exactly the same problem but with another config and only three interfaces ;-) one pfSync, one wan, one lan… on both machines. they are connected via two switches (hp procurve 2626, dell powerConnect2224). i followed exactly the howto of setting up carp with failover. the tut is well done, by the way! and pfSense is cool, too. my supervisor wants a stoneGate or some other enterpriseSolution but i managed to give pfSense a try. so i am eager to get it up and running without a flaw.

    now, syncing worx fine and realTime. failover worx too, when shutting down / killing the masterBox. but it does not work when unplugging the lan or the wan from the masterBox. since failover did not work smoothly, i thousandChecked every setting in pfSense. it is exactly set the way it is proposed in the howto. gateway from my linuxClient is set to the vip of my lan-carp-interface
    i came up with the revolutionary idea to try the syncing on lanInterface instead of the dedicated crossOverConnection and soon set the "appropriate" settings. unfortunately, did not work.

    now a first question: is it possible that i do not understand failover the way it is meant to be? is it just in case the masterHost's os goes down? i mean, there are many pointOfFailures in a networkEnvironment not just the hosts. what, if a switch goes down? or some noob pulls the wrong wire? failover would in that case not be as great as it sounds, though i think i just did not configure it correctly. oh and yes: when i try to ping google it works. after pulling the lanWire packets do not get back until i replug the wire in. so i think it has something to do with the statefulThing. but i am not sure about it. outbound nat is set, too, and as i said earlier, failover worx when the master goes down... however, it does not when other problems occur :-(

    so here a second question: what does the tutorial relate to? in my understanding, failover should be able to distinguish between lanProblems or osProblems. in either way, the backupSystem should take over operation whether it be lanRelated or something else. oh, i forgot to mention: my setup is slightly special. i do not have a direct connection to my isp. i am having a subnet in my lan. that is, my wan interfaces ping out to the corporate's lan and after that they reach the wonderful internet. i disabled "block private lan's" on both wanInterfaces. without it, syncing would not work.
    the syncingOptions are set to nat, vip and other stuff that relates to stateful failover.

    now, do i miss something or is my knowledge of networx and firewalls not as big as i always think it is ;-) of course, it is not. there is always something to learn. but right now, i need to fill the gap of failover with pfsense. any help is greatly appreciated!

    thanks in advance and excuse my writing. i am no native man of the english language and there may be mistakes in spelling or so. peace to all

  • its me again. problem solved. i just made the host that used to be enslaved the master. exMaster is now the gimp. and gimp works fine. gimp is now encaged. and whenever master needs something from gimp, gimp may fulfill his duties. i think it was the builtin nic from some dellMachine.

    pfSense is a good product. i especially like the fact, that it is not a blackbox like some other enterPriseSolutions. well, whatever! good work it is.
    thanks a lot for this solution and think about it: if they say it is fiction, it is probably the truth.
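
A diagnostic for the symptom described in this thread (failover works on a full shutdown but not on a pulled LAN or WAN cable), added here as an example and not part of any post: it compares the CARP state of each VHID on both nodes and flags a node that is MASTER for one VIP but not the other. It assumes the `carp: STATE vhid N ...` line that FreeBSD's `ifconfig` prints; the function names and the trimmed sample excerpts are constructed for illustration.

```python
import re

# FreeBSD ifconfig prints one such line per CARP virtual host ID (VHID).
CARP_LINE = re.compile(r"carp:\s+(MASTER|BACKUP|INIT)\s+vhid\s+(\d+)")

def carp_states(ifconfig_text):
    """Map vhid -> state for one node's ifconfig output."""
    return {int(vhid): state for state, vhid in CARP_LINE.findall(ifconfig_text)}

def audit(primary_text, secondary_text):
    """Return a list of findings; an empty list means the roles are consistent."""
    nodes = {"primary": carp_states(primary_text),
             "secondary": carp_states(secondary_text)}
    findings = []
    # Every VHID needs exactly one MASTER across the pair.
    for vhid in sorted(set(nodes["primary"]) | set(nodes["secondary"])):
        seen = [nodes[n].get(vhid, "MISSING") for n in ("primary", "secondary")]
        masters = seen.count("MASTER")
        if masters != 1:
            findings.append(f"vhid {vhid}: {masters} MASTER nodes ({'/'.join(seen)})")
    # A node that owns only some VIPs splits the path: clients send through one
    # box's LAN VIP while replies arrive at the other box's WAN VIP.
    for name, states in nodes.items():
        roles = set(states.values())
        if "MASTER" in roles and len(roles) > 1:
            findings.append(f"{name}: split roles {sorted(roles)}")
    return findings

# Constructed, trimmed excerpts: state after the LAN cable is pulled from the primary.
PRIMARY_LAN_PULLED = """\
carp0 (WAN VIP)
        carp: MASTER vhid 1 advbase 1 advskew 0
carp1 (LAN VIP)
        carp: INIT vhid 2 advbase 1 advskew 0
"""
SECONDARY_LAN_PULLED = """\
carp0 (WAN VIP)
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1 (LAN VIP)
        carp: MASTER vhid 2 advbase 1 advskew 100
"""

if __name__ == "__main__":
    for finding in audit(PRIMARY_LAN_PULLED, SECONDARY_LAN_PULLED):
        print(finding)
```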
