CARP clustered pfSense: Clients do not open some sites after failover

  • Hello to all,

    I have set up a CARP clustered pfSense. Two physical boxes, 8 cores, 8GB RAM, same models, same firmware, enterprise class. Everything looks good: NAT, VIPs, rules all synchronize correctly. When I shut down the master node of the cluster, the backup node becomes master correctly.

    The problem is that some connections fail for some time. For example, when it fails over, opens fine, does not; after an hour or so, everything works as normal. When I turn the first node on, it becomes master as it should, but for an hour or so I still cannot access certain sites. I suspect it could be a switching / ARP problem, but I don't have a clue. My switches are unmanaged; I suppose they act as plain hubs.

    This happens when manual outgoing NAT is enabled with certain mappings. I can disable that and outgoing traffic goes fine. But the problem also appears on incoming traffic, on NATed servers, which I cannot avoid, since I need them published to the Internet.

    Any ideas?

  • I got some help from the IRC pfSense channel and it seems to be working now (I tried it on my test environment).

    I was advised to uncheck "System: Advanced: Miscellaneous: State Killing on Gateway Failure". It is a new feature and checked by default (although this means inactive, see description).

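A quick way to check whether the CARP roles on both nodes actually agree after a failover, as an added example that is not part of the original thread or of pfSense itself: the script below parses the `carp: MASTER vhid N ...` lines that FreeBSD `ifconfig` prints on a pfSense box and flags a VHID that both nodes claim as MASTER (split brain, which the unmanaged-switch setup described above can produce if CARP multicast is dropped) or that neither node claims. The `ifconfig` output embedded here is constructed sample data for two hypothetical nodes; on a real pair you would feed in the saved output of `ifconfig` from each node.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise CARP roles from
# FreeBSD/pfSense `ifconfig` output and flag VHIDs that both nodes claim as
# MASTER (split brain) or that no node claims at all.

# Constructed sample `ifconfig` output for node A (expected master).
NODE_A='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255 vhid 2
	carp: MASTER vhid 2 advbase 1 advskew 0'

# Constructed sample for node B in a healthy state (backup for both VHIDs).
NODE_B_OK='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
	carp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# Constructed sample for node B after losing CARP advertisements on em0:
# it has promoted itself to MASTER for vhid 1 while node A still is MASTER.
NODE_B_SPLIT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	carp: MASTER vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_roles: read ifconfig output on stdin, print one "vhid role" line per
# CARP interface (field 4 is the vhid number, field 2 the role).
carp_roles() {
    awk '$1 == "carp:" { print $4, $2 }'
}

# carp_conflicts ROLES_A ROLES_B: compare the two nodes' role lists.
# Prints one line per problematic vhid and returns 1; returns 0 when clean.
carp_conflicts() {
    out=$(printf '%s\n' "$1" "$2" | awk '
        NF < 2 { next }                      # skip blank lines
        $2 == "MASTER" { masters[$1]++ }     # count MASTER claims per vhid
        { seen[$1] = 1 }
        END {
            for (v in seen) {
                if (masters[v] > 1) print "vhid " v ": split brain, both nodes MASTER"
                else if (masters[v] == 0) print "vhid " v ": no MASTER"
            }
        }' | sort)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Stand-alone demonstration on the constructed samples.
ra=$(printf '%s\n' "$NODE_A" | carp_roles)
echo "node A roles:"; echo "$ra"
echo "healthy pair:"
carp_conflicts "$ra" "$(printf '%s\n' "$NODE_B_OK" | carp_roles)" && echo "  ok"
echo "after lost CARP advertisements:"
carp_conflicts "$ra" "$(printf '%s\n' "$NODE_B_SPLIT" | carp_roles)" || echo "  conflict detected"
```

A non-zero return from `carp_conflicts` is the condition to alert on; a persistent double MASTER means clients on that segment are receiving answers for the shared IP from two MACs, which matches the kind of intermittent reachability the thread describes better than a simple failover delay would.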
