Bug #14524


Cannot select IP Alias VIP with CARP VIP parent in Virtual IP drop-down on Gateway Groups

Added by Jens Groh 11 months ago. Updated 6 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


Running version: 23.05-plus
Affected: all? (as it's probably a UI issue)


As this seems a clear UI issue/bug, we thought to file it directly here instead of going the normal route of creating a forum post. But as we see it in production on a customer system as well as in our testing lab, we proceeded to post it directly here.

For a customer we were trying to implement a failover IPsec tunnel via a DynDNS FQDN for the peer and a failover gateway group to set as "WAN" for that IPsec connection. To be able to create that failover, we have to select the specific VIP of the cluster but only the main VIP shows up as selection, as only CARP style Virtual IPs are listen in the drop down but not Aliases from those CARP VIPs. We need to be able to select one of those aliases! :)

Steps to reproduce:

  • 2x pfSense Plus 23.05 with all patches (2.7dev shows the same in testing), set up as cluster, cluster IP may be &
  • create a CARP VIP on WAN1, e.g.
  • create an Alias on the beforementioned CARP IP ( for
  • create additional Aliases like that, e.g. (to use the whole /29 space)
  • do the same for a second WAN2, e.g. to
  • head to System / Routing / Gateway Groups
  • create new gateway group
  • Check the Gateway priority. Set Tier 1 to WAN1's gateway, Tier 2 to WAN2's gateway
  • Now check the "Virtual IP" column: it only shows "Interface Address" and the primary VIP that was created with mode "CARP", but not the additional 2 VIPs, that are using Alias on CARP


  • edit one of those Alias VIPs from above to type "CARP" and set up correctly with a non-colliding VHID
  • check Status/CARP
  • Head back to System / Routing / Gateway Groups and edit the Failover Group
  • Check the dropdown, the newly modified CARP VIP shows up as expected, Alias'ed VIPs are still gone.

Could you please fix the selection/UI and make it possible for those "Alias'ed" CARP VIPs to show up? We'd badly need that to provide failover support for a IPsec VPN (on one IP) and for an inbound service behind the firewall (via a port forwarding) on another VIP for services. As we used the "default CARP VIP" for NAT (only), we can't currently proceed as we can't select the correct VIP for the service.

I hope we've provided everything to aid in checking for and correcting that bug, if there is any other intel needed, please avise.
Here are the production screen shots (blurred) from the situation. You can clearly see, that 3 VIPs are working fine, but only the CARP style VIP shows up in the dialog.

VIP config:
CARP status:
CARP status
Gateway Group creation:
failover gateway configuration

We really hope there is a simple patch that can be applied for that problem instead having to wait for a new full release.

Thanks a lot!

\jens (forum: jegr)


clipboard-202306291539-ptjky.png (24.4 KB) clipboard-202306291539-ptjky.png VIPs Jens Groh, 06/29/2023 01:39 PM
clipboard-202306291540-1kmys.png (10.4 KB) clipboard-202306291540-1kmys.png CARP status Jens Groh, 06/29/2023 01:40 PM
clipboard-202306291541-rt60w.png (120 KB) clipboard-202306291541-rt60w.png failover gateway configuration Jens Groh, 06/29/2023 01:41 PM

Also available in: Atom PDF