pfSense

- Two freshly installed instances, both with identical hardware running pfSense 2.7.0
- Each with 3 interfaces assigned, (WAN, LAN and PFSYNC).
- CARP/VIPS are setup on the WAN and LAN.
- pfsync and XMLRPC Sync setup.
- NAT translation from LAN to WAN is setup.
- Two limiters, one for "up", the other for "down". The limiters are setup with what ever the default settings are (except the bandwidth).
- I have a single floating rule "matching" "out" on the "WAN" for TCP/UDP with "in" and "out" set to the up and down limiter.

In 2.7.0 this all works great. I can pull the plug(or less dramatically "Enter persistent carp maintenance mode") on the primary router while uploading/downloading. The secondary kicks in momentarily and all states are maintained as one would expect all open connections go through the secondary with little interruption. Failing back to primary also works smoothly, maintaining open connections.

With exactly the same setup on 2.7.1 or 2.7.2, and forcing a failover to the the secondary sees any live connections hang.

New connections can be made and the VIPs have failed over using CARP as expected and the states tables are syncing as expected, but live connections are now hung.

I have traced the hanging down to the "in" and "out" pipe on the floating rule as un-setting the in and out pipe on 2.7.1 or 2.7.2 allows open connections to failover correctly and not hang.