After Failover -> VIP not working



  • Hey Guys!

    My setup:
    From my ISP I got a /29 subnet over a single Ethernet cable -> split up with a small switch -> 2 FW with the same version of pfSense.
    Each FW has a public IP for WAN; one public IP is used for VIP.
    SYNC over a network cable.

    I configured CARP according to the how-to from the docs.
    pfsync works; after I unplug WAN on the Master FW, the backup FW starts working. LAN users can access the Internet without any problems.

    Sad but true, there is a problem:
    As long as my Master is running I can use the VIP (translated to an HTTP server) or just ping a server over a VIP.
    When I unplug WAN on the Master, the Slave starts to work, but I can't see the website or get a successful ping over the VIP.
    If I plug WAN back in on the Master, everything is fine.

    As I understood CARP and pfsync, everything is synchronized between both FW, if I can see the same entries and configurations on both FW.
    Is it possible that my ISP cached something or so?

    Thanks in advance

    Steve


  • LAYER 8 Moderator

    Hi Steve,

    JimP and CMB helped me with the exact same problem, after our upstream provider routed an additional /29 network to our new pfSense firewalls. As for diagnosis, the effects were almost the same as yours. Master is up: all is going well, Master is down -> Slave takes over -> all is good except the VIPs from the /29 network.

    As it became clear that it had nothing to do with CARP, syncing or anything else, JimP gave me the hint to call our upstream provider and let them check the IP where they route the /29 network to. And as expected, they answered me that they had made an error and routed the whole /29 to the public IP of the Master firewall instead of the CARP VIP I told them.

    • So the question is: how is your /29 network routed to you? Did you get public IPs prior to this /29 or is that all you have?
    • If it's all - do you have a gateway from your provider in the same /29 network? Or is the GW another transfer network?

    Greets
    Jens

