Hi,
I have managed to get a working HA for my pfSense using the steps on the video you created here.
When I connect to the LAN, everything works perfectly. However, I have an issue when I create a second LAN on the network.
I created a new VLAN on top of my LAN interface, and from pfSense I can ping the computer on the new LAN, but the computer cannot ping the LAN CARP IP that has been set in the outbound NAT, or google.com.
When I look at the error log, I see
Default deny rule IPv4 (1000000103)
Do I need to add the new LAN IP to the firewall virtual IP list or to the NAT rule?
On the firewall rules, I have an allow * rule for the new LAN so it allows access to the internet.
Thank you in advance
You may take a look at the following on the Netgate forum for assistance.
@rtucker I have seen that link before I posted, but it didn't explain what I need to add to solve my issue.
I think I need to do something with the outbound NAT, but I'm not sure what exactly.
The LAN IP addresses (or VLAN) should be CARP virtual addresses.
Hi @LTS_Tom ,
Sorry but I am not following you.
I have a LAN on a physical port and I set a static IP.
In the LAN DHCP I set the DNS and gateway to the CARP IP.
When I created the VLAN, I selected the LAN as the parent interface.
How do I set the VLAN as the CARP IP?
Sorry if this is a stupid question.
Thank you for your help
Do I need to recreate the steps of adding new virtual IP for the VLAN?
172.16.200.1 on interface pf1
172.16.200.2 on interface pf2
172.16.200.3 as CARP
Yes, I usually do
172.16.200.1 as CARP
172.16.200.2 on interface pf1
172.16.200.3 on interface pf2
Because most people are used to seeing .1 as the gateway.
Yes, that makes sense.
Do I need to create another pfsync, or will the existing one do?
Also, does it mean that I need to change all my public IPs from IP 'Alias' to CARP?
The last question: does the CARP subnet matter?
172.16.200.1/28
or
172.16.200.1/24
The CARP subnet has to match. If the 172.16.200.3 & 172.16.200.2 are both /24 then the CARP should be as well.
Do I need to change all my public IPs from IP 'Alias' to CARP?
Only if you want the HA to work.
I added the new CARP virtual addresses, and I can see on both the primary and slave firewall that the CARP status is set to 'MASTER'. Is that normal on both firewalls?
I am also still unable to ping google.com from my VM.
In order to ping the outside world, do I need to add the new_lan in the NAT mapping?
I managed to fix it by adding an outbound NAT rule mapping (thank you Steve).
The CARP master issue was because I didn't set the switch port to trunk, so the 2 pfSense boxes couldn't see each other on VLAN 200.
Hope this helps someone else later.
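As an added example (not from this thread or from pfSense), the rules worked out above can be expressed as a small consistency check over a constructed HA layout: every LAN/VLAN needs a CARP VIP on the same subnet as the two node addresses, every internal subnet needs an outbound NAT mapping, and both nodes reporting MASTER for the same VIP indicates they cannot see each other's CARP advertisements. The layout dictionary format and the interface names are assumptions for the example.

```python
"""Consistency checks for a pfSense CARP/HA layout (constructed example data)."""
from ipaddress import ip_interface

# Constructed sample: per (V)LAN, the two node addresses and the CARP VIP.
# The dict layout is an assumption for this example, not a pfSense format.
LAYOUT = {
    "LAN":     {"primary": "192.168.1.2/24",  "secondary": "192.168.1.3/24",  "carp": "192.168.1.1/24"},
    "VLAN200": {"primary": "172.16.200.2/24", "secondary": "172.16.200.3/24", "carp": "172.16.200.1/28"},
    "VLAN300": {"primary": "172.16.30.2/24",  "secondary": "172.16.30.3/24",  "carp": None},
}

# Constructed outbound NAT source networks (what Firewall > NAT > Outbound translates).
OUTBOUND_NAT_SOURCES = ["192.168.1.0/24", "172.16.200.0/24"]


def check_layout(layout, nat_sources):
    """Return a list of human-readable problems; an empty list means the layout is consistent."""
    problems = []
    nat_nets = {ip_interface(n).network for n in nat_sources}
    for name, ifc in layout.items():
        p = ip_interface(ifc["primary"])
        s = ip_interface(ifc["secondary"])
        if p.network != s.network:
            problems.append(f"{name}: node addresses {p} and {s} are on different subnets")
        if ifc["carp"] is None:
            # Clients must use a CARP address as gateway/DNS or failover does nothing for them.
            problems.append(f"{name}: no CARP VIP; clients should point at a CARP address")
        else:
            c = ip_interface(ifc["carp"])
            # The CARP VIP subnet must match the node addresses (e.g. /28 vs /24 is wrong).
            if c.network != p.network:
                problems.append(f"{name}: CARP VIP {c} must be on the same subnet as {p}")
        if p.network not in nat_nets:
            # Without an outbound NAT mapping the new LAN cannot reach the Internet.
            problems.append(f"{name}: {p.network} has no outbound NAT mapping")
    return problems


def carp_split_brain(status_primary, status_secondary):
    """Both nodes showing MASTER for the same VIP means they do not see each other's
    CARP advertisements, e.g. the VLAN is not trunked on the switch port between them."""
    return status_primary == "MASTER" and status_secondary == "MASTER"


if __name__ == "__main__":
    for problem in check_layout(LAYOUT, OUTBOUND_NAT_SOURCES):
        print("PROBLEM:", problem)
    print("split-brain:", carp_split_brain("MASTER", "MASTER"))
```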