diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index fb8086444b..4f95e5df48 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -1020,6 +1020,7 @@ function captiveportal_passthrumac_delete_entry($macent) {
 if ($macent['action'] == 'pass') {
 $pipes = captiveportal_get_dn_passthru_pipes($macent['mac']);
 if (!empty($pipes)) {
+ // passthrumac should always have 2 pipes, one each for 'ether in' and 'ether out'.
 captiveportal_pipes_delete($pipes);
 }
 } else {
@@ -1088,6 +1089,14 @@ function captiveportal_ether_delete_entry($hostent, $anchor = 'allowedhosts') {
 $pipes = pfSense_pf_cp_get_eth_pipes("{$cpzoneprefix}_{$anchor}/{$host}");
 if (!empty($pipes)) {
+ // 2 pipes are reserved per entry; keep the reservation list aligned when a rule is created for a single direction.
+ if (count($pipes) == 1) {
+ if ($hostent['dir'] == 'to') {
+ $pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] + 1;
+ } elseif ($hostent['dir'] == 'from') {
+ $pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] - 1;
+ }
+ }
 captiveportal_pipes_delete($pipes);
 }
 /* flush anchor rules */
@@ -2590,6 +2599,14 @@ function captiveportal_allowedhostname_cleanup() {
 $pipes = pfSense_pf_cp_get_eth_pipes("{$cpzoneprefix}_allowedhosts/hostname_{$id}");
 pfSense_pf_cp_flush("{$cpzoneprefix}_allowedhosts/hostname_{$id}", "ether");
 if (!empty($pipes)) {
+ // 2 pipes are reserved per entry; keep the reservation list aligned when a rule is created for a single direction.
+ if (count($pipes) == 1) {
+ if ($hostnameent['dir'] == 'to') {
+ $pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] + 1;
+ } elseif ($hostnameent['dir'] == 'from') {
+ $pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] - 1;
+ }
+ }
 captiveportal_pipes_delete($pipes);
 }
 }
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index f78531488e..d93089267d 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
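Review bot: In captiveportal_ether_delete_entry() the partner pipe is guessed from `$hostent['dir']` by plain arithmetic, and the same eight lines are repeated in captiveportal_allowedhostname_cleanup() (third hunk) with `$hostnameent['dir']`. When `dir` is absent or holds any other value, the reserved second pipe is never released. If the +1/-1 ordering ever disagrees with how the pair was allocated, captiveportal_pipes_delete() is handed a pipe number that may belong to another entry's limiter; the hunks do not show where that ordering is defined, so it should be confirmed against the allocator. I would move the logic into one helper (the name below is only a suggestion) that states the invariant, reads `dir` with `?? null`, and appends with `$pipes[]` instead of `array_key_last($pipes) + 1`. Both function bodies start and end outside the hunks, and `$hostnameent` is not defined in the visible lines of the third hunk.

```php
/* Pipes are reserved in pairs; when only one direction was installed, add the reserved partner so both are freed. */
function captiveportal_complete_pipe_pair(array $pipes, $dir) {
	if (count($pipes) !== 1) {
		return $pipes;
	}
	$pipe = reset($pipes);
	if ($dir === 'to') {
		$pipes[] = $pipe + 1;
	} elseif ($dir === 'from') {
		$pipes[] = $pipe - 1;
	}
	return $pipes;
}

// … unchanged: pfSense_pf_cp_get_eth_pipes() lookup and !empty($pipes) check …
$pipes = captiveportal_complete_pipe_pair($pipes, $hostent['dir'] ?? null);
captiveportal_pipes_delete($pipes);
```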
@@ -3051,18 +3051,21 @@ function system_reboot_cleanup() {
 mwexec("/usr/local/bin/beep.sh stop");
 require_once("captiveportal.inc");
 $cps = config_get_path('captiveportal', []);
+ $preservedb = false;
 foreach ($cps as $cpzone=>$cp) {
 if (!isset($cp['preservedb'])) {
 /* send Accounting-Stop packet for all clients, termination cause 'Admin-Reboot' */
 captiveportal_radius_stop_all(7); // Admin-Reboot
 unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db");
 captiveportal_free_dnrules();
+ } else {
+ $preservedb = true;
 }
 /* Send Accounting-Off packet to the RADIUS server */
 captiveportal_send_server_accounting('off');
 }
- if (count($cps)> 0) {
+ if (!$preservedb) {
 /* Remove the pipe database */
 unlink_if_exists("{$g['vardb_path']}/captiveportaldn.rules");
 }
diff --git a/src/etc/rc.carpmaster b/src/etc/rc.carpmaster
index fde3e22054..cf8f251f8b 100755
--- a/src/etc/rc.carpmaster
+++ b/src/etc/rc.carpmaster
@@ -149,7 +149,11 @@ if (!empty(config_get_path('captiveportal')) &&
 }
 }
- foreach (array_keys(config_get_path('captiveportal', [])) as $cpzone) {
+ foreach (config_get_path('captiveportal', []) as $cpzone => $cpzone_config) {
+ if ($cpzone_config['interface'] != $friendly) {
+ // Ignore CARP events for unrelated interfaces.
+ continue;
+ }
 $rpc_client = new pfsense_xmlrpc_client();
 $rpc_client->setConnectionData(config_get_path('hasync/synchronizetoip'), $xmlrpc_port, $xmlrpc_username, config_get_path('hasync/password'));
 $resp = $rpc_client->xmlrpc_method('captive_portal_sync', array('op' => 'get_databases', 'zone' => $cpzone));
@@ -169,7 +173,8 @@ if (!empty(config_get_path('captiveportal')) &&
 if (!empty($unsetindexes)) {
 captiveportal_remove_entries($unsetindexes, true); // true: prevent carp loop
 }
- captiveportal_free_dnrules();
+ // Make sure the passthrumac, ip, and hostname entries are added; clear the rest.
+ captiveportal_init_rules(true);
 foreach ($connected_users as $user) {
 if (!is_array($user) || empty($user)) {
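Review bot: `$preservedb` in system_reboot_cleanup() becomes true as soon as one zone has `preservedb` set, so `captiveportaldn.rules`, which carries no zone in its name, is kept for every zone, including those whose `captiveportal{$cpzone}.db` was just unlinked. That looks intended, but nothing in the code says that the non-preserving zones then rely on `captiveportal_free_dnrules()` to release their entries in the kept file. I would add a comment above the final check, for example `/* The pipe database is shared by all zones: keep it while any zone preserves its user database. */`, and rename the flag to something like `$any_preservedb`.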
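Review bot: The new filter at the top of the zone loop in rc.carpmaster compares `$cpzone_config['interface']` to `$friendly` with `!=`, which only works if a zone is bound to exactly one interface and the key is always present. If a zone can list several interfaces in that field (I believe other captive portal code splits it on commas; please confirm), such a zone would be skipped on every CARP event. The `captiveportal_remove_entries()` call visible in the next hunk would then never drop sessions that ended on the peer. A membership test covers both cases: `if (!in_array($friendly, explode(',', $cpzone_config['interface'] ?? ''), true)) { continue; }`. The loop body continues past the end of the hunk.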
diff --git a/src/usr/local/www/services_captiveportal_ip_edit.php b/src/usr/local/www/services_captiveportal_ip_edit.php
index e1de2da60e..b8ce3f88bb 100644
--- a/src/usr/local/www/services_captiveportal_ip_edit.php
+++ b/src/usr/local/www/services_captiveportal_ip_edit.php
@@ -135,15 +135,7 @@ if ($_POST['save']) {
 $ip['bw_down'] = $_POST['bw_down'];
 }
- $oldip = array();
 if ($this_allowedip_config) {
- $oldip['ip'] = $this_allowedip_config['ip'];
- if (!empty($this_allowedip_config['sn'])) {
- $oldip['sn'] = $this_allowedip_config['sn'];
- } else {
- $oldip['sn'] = 32;
- }
-
 config_set_path("captiveportal/{$cpzone}/allowedip/{$id}", $ip);
 } else {
 config_set_path("captiveportal/{$cpzone}/allowedip/", $ip);
@@ -154,8 +146,8 @@ if ($_POST['save']) {
 write_config("Captive portal allowed IPs added");
 if (config_path_enabled("captiveportal/{$cpzone}")) {
- if (!empty($oldip)) {
- captiveportal_ether_delete_entry($oldip, 'allowedhosts');
+ if ($this_allowedip_config) {
+ captiveportal_ether_delete_entry($this_allowedip_config, 'allowedhosts');
 }
 captiveportal_allowedip_configure_entry($ip);
 }
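Review bot: The save handler now passes `$this_allowedip_config` straight to `captiveportal_ether_delete_entry()`, whereas the `$oldip` copy removed in the first hunk of this file filled in `sn = 32` when the stored entry had no mask. In the captiveportal.inc hunk that function looks up pipes under `"{$cpzoneprefix}_{$anchor}/{$host}"`, and how `$host` is derived from the entry is not visible. If the mask takes part in it, an entry saved without `sn` may no longer match the installed rule, and the old address would stay allowed after the edit. Keeping the default is one line before the call: `if (empty($this_allowedip_config['sn'])) { $this_allowedip_config['sn'] = 32; }`.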