I'm not sure if I am following you correctly, but the WAN CARP IP has to be the same on both routers. So router1 has a WAN of a.a.a.a and CARP of a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b. Same thing with the LAN IPs.
--
Steve Yates
ITS, Inc.

-----Original Message-----

> If I had to guess: Are you using a CARP address for outbound NAT? If
> not then the connections *will* break on failover.

Thanks for your reply, Jon :)

Yes, I'm using CARP addresses from each WAN for outbound NAT:

- WLAN1 CARP, for WLAN1
- WLAN2 CARP, for WLAN2

In addition, when the *new* master unit routes the established traffic, it continues doing the previous NAT according to the state synchronised from the previous master. So it continues doing outbound NAT with the WLAN2 CARP address, but trying to route through WLAN1.

This proves that the new master unit has the synchronised states, but it tries to route the established connections according to the routing table and not to firewall rules.
