Do pfSense CE HA nodes with CARP VIP work with pfBlocker-ng?

I currently have two ISP-facing pfSense instances, both pulling a different public IP via PPPoE through the same modem connected to my (single) ISP. Currently I am using a GW group on the next pfSense instance to route by default through the VM instance (the other instance is on bare metal) to the Internet.
Both pfSense instances are running pfBlocker-ng and updating the rules every few hours. I am only using IP-based feeds, I am not using the DNS blocking capability of pfBlocker-ng. I have separate pi-hole VM instances for DNS blocking, sitting in the transit network connected to these pfSense instances.

Of course there is no real fail-over / HA capability because the machines directly connected to the transit network between the inner pfSense and the two ISP-facing pfSense instances are using static routes.

So I would like to use CARP VIP on the LAN interfaces of the ISP-facing pfSense instances and sync state between the HA nodes.

Will pfBlocker-ng play nice with the HA node state sync? Do we have people here running working instances of this?

That your other node is a VM sounds like a hairy situation.

What I can say is I too only use the IP lists and I use the XMLRPC sync that is built into pfBlocker-ng, and it works just fine. I currently do this for a business I set up.
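Whatever the sync mechanism replicates between the nodes, the thing that actually decides whether a packet is dropped during failover is the pf table each node has loaded. A quick way to verify that both HA nodes agree is to dump the pfBlocker-ng alias table on each box (`pfctl -t <table> -T show`) and diff the two dumps with proper CIDR handling. The script below is an added example, not part of this thread or of pfBlocker-ng; the table name, the two dumps and the test addresses are constructed, and it assumes the usual `pfctl -T show` output of one address or network per line, with `!` marking a negated entry.

```python
import ipaddress

# Constructed sample dumps of `pfctl -t pfB_Example_v4 -T show` from each HA node.
# Table name and contents are made up for this example; they were not captured
# from a real firewall. pf prints one entry per line, indented, '!' = negated.
PRIMARY_TABLE = """\
   192.0.2.0/24
   !192.0.2.77
   198.51.100.7
   203.0.113.0/25
"""

BACKUP_TABLE = """\
   192.0.2.0/24
   198.51.100.7
   203.0.113.0/25
   203.0.113.250
"""


def parse_table(dump: str) -> set:
    """Turn a pfctl table dump into a set of (negated, ip_network) tuples."""
    entries = set()
    for line in dump.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:].strip()
        # strict=False tolerates host bits set in a prefix, as pf does
        entries.add((negated, ipaddress.ip_network(entry, strict=False)))
    return entries


def _fmt(entry) -> str:
    negated, net = entry
    return ("!" if negated else "") + str(net)


def compare_tables(primary: str, backup: str) -> dict:
    """Report entries present on only one node; in_sync is True when identical."""
    a = parse_table(primary)
    b = parse_table(backup)
    return {
        "only_on_primary": sorted(_fmt(e) for e in a - b),
        "only_on_backup": sorted(_fmt(e) for e in b - a),
        "in_sync": a == b,
    }


def is_listed(dump: str, address: str) -> bool:
    """Does this table match the address? pf uses longest-prefix match, and a
    negated entry that wins the match excludes the address."""
    ip = ipaddress.ip_address(address)
    best = None
    for negated, net in parse_table(dump):
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (negated, net)
    return best is not None and not best[0]


if __name__ == "__main__":
    # In practice: ssh to each node, run
    #   pfctl -t pfB_Example_v4 -T show
    # and feed the two outputs to compare_tables().
    report = compare_tables(PRIMARY_TABLE, BACKUP_TABLE)
    print("in sync:", report["in_sync"])
    print("only on primary:", report["only_on_primary"])
    print("only on backup:", report["only_on_backup"])
    for addr in ("192.0.2.77", "203.0.113.250"):
        print(addr, "primary:", is_listed(PRIMARY_TABLE, addr),
              "backup:", is_listed(BACKUP_TABLE, addr))
```

Run this after a feed update on the primary and the next cron run on the backup; any entry that shows up on one side only is an address that will be blocked before a CARP failover and allowed after it (or the reverse), which is exactly the behaviour change you want to catch before relying on the HA pair.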

OK. What is the issue with sync between VM and metal?

There wouldn’t be any sync issue. But in terms of failover, I personally wouldn’t want my backup to be a VM.

The physical device is the backup for the VM.

It’s your environment. I’m saying I probably wouldn’t use a VM at all for my router. Do whatever fits you! 🙂

Sure. VMs have better latency. As long as there is hardware to take over when the VM has problems, it is fine for me.