Thanks GruensFroeschli! I think I'm ready to start playing.

Got it. Many thanks! :)

I was at the datacenter this morning and setup the firewalls with 1 WAN connection each and CARP. Everything works great. If I unplug the WAN from the primary firewall (PF1) it fails over to PF2, same thing is I unplug the LAN. It also falls back to PF1 when the connection comes back up. Sweet! Jon

Just add them as Virtual IPs and configure outbound NAT as desired.

I ordered the pfsense book, uninstalled everything and started fresh. It worked without doing anything special. I must have selected some setting I didn't know. Thanks for your help everyone!

My setup requires opt1 & opt2 to be load-balanced. How can I restart apinger manually?

I could think of a way or two, how to do something like this, but….. Do yourself a favor and reconfigure it to use different subnet. You will have way less problems and save yourself a lot of headaches ;)

It's normal, your existing states are not killed when a WAN goes offline (they are in 2.0).

Wow, it's fixed….it was a rule on the LAN....... I have a rule that specifies the gateway to WAN1 for a few users. That rule was above the DMZ rule pictured above. I moved it directly below and it works now..... So firewall rules override static routes. good to know.

First set them up as Virtual IPs. You should then be able to define the rules and NAT.

Your problem is the touch /tmp/filter_dirty error. There are newer snapshots of the 1_2 branch that have that fixed. http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/i386/pfSense_RELENG_1_2/updates/ Note: I would not recommend those for anyone else to use.

pfSense can do 1:1 (Firewall > NAT, 1:1 tab) and depending on what you mean by static NAT, that can probably be done also. If you meant 1:1, as I said that is possible. If you meant static port, you can do that too, under Firewall > NAT, Outbound tab. You can switch to manual outbound NAT and define rules to use static port so outgoing traffic matching those rules won't have its ports altered.

Well in 2.0 this would be doable but is not yet exported to the GUI :(

Anyone have advice yet?  Here's the current setup: WAN: 5.5.5.2/24 gw: 5.5.5.1 OPT1: bridge with WAN OPT2: 5.5.6.2/24 gw: 5.5.5.1 Other ip's in 5.5.5.0/24 network don't work reliably.  If I restart the firewall I can ping 5.5.5.2.  As soon as I restart the server it breaks again although I don't see any traffic being blocked on firewall.  Which leads me to believe something gets messed up in the firewall's routing tables or something and it gets reset when I restart the firewall.  the 5.5.6.0/24 network works fine. It has to be a common configuration where you have a large block of IPs and you want the first ip to be the firewall and the rest to be filtered through the firewall.  The only sollution I can think of now is to have ISP give me another /30 ip so I have a different external ip from the two class c's but there has to be a way to get it to work.