• CARP and rules

    Locked · 0 Votes · 3 Posts · 3k Views

    The problem (question) is I can't see this automatically added rule but CARP works.

    # pfctl -sr | grep vlan16
    block drop in on ! vlan16 inet from 10.29.252.0/24 to any
    block drop in on vlan16 inet6 from fe80::211:aff:fe53:4460 to any
    pass out quick on vlan16 all flags S/SA keep state label "let out anything from firewall host itself"
    pass out quick on vlan16 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
    pass out quick on vlan16 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
    ... user rules ...
    pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = 8039 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
    pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

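An added illustration (my own script, not from the post above or from pfSense) of why the grep in that post can come up empty: the CARP and pfsync rules pfSense adds carry no `on <interface>` clause, so `pfctl -sr | grep vlan16` never matches them. The exact wording of those rules, `pass quick proto carp all` and `pass quick proto pfsync all`, is assumed here; the rest of the constructed `pfctl -sr` sample is taken from the poster's vlan16 lines. The parser splits each rule into action, direction, interface and protocol so the ruleset can be searched by protocol instead of by interface name.

```python
import re

# Constructed pfctl -sr sample: the poster's vlan16 rules plus the
# interface-less CARP/pfsync rules pfSense is assumed to add.
SAMPLE_RULES = """\
block drop in on ! vlan16 inet from 10.29.252.0/24 to any
block drop in on vlan16 inet6 from fe80::211:aff:fe53:4460 to any
pass quick proto pfsync all
pass quick proto carp all
pass out quick on vlan16 all flags S/SA keep state label "let out anything from firewall host itself"
pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
"""

# Matches the leading part of a pf rule as printed by pfctl -sr:
#   action [in|out] [quick] [on [!] iface] [inet|inet6] [proto X] ...
RULE_RE = re.compile(
    r"^(?P<action>pass|block(?: drop| return)?)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<neg>!\s*)?(?P<iface>\S+))?"
    r"(?:\s+(?P<af>inet6?))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
)


def parse_rules(text):
    """Parse pfctl -sr output into dicts; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("..."):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "action": d["action"],
            "dir": d["dir"],                 # None for direction-less rules
            "quick": bool(d["quick"]),
            "iface": d["iface"],             # None when the rule has no 'on' clause
            "iface_negated": bool(d["neg"]),
            "af": d["af"],
            "proto": d["proto"],             # None when no 'proto' keyword
            "text": line,
        })
    return rules


def rules_for_proto(rules, proto):
    """Search by protocol: the right way to find the CARP/pfsync rules."""
    return [r for r in rules if r["proto"] == proto]


def rules_mentioning_iface(rules, iface):
    """What `grep <iface>` shows: only rules whose text contains the name."""
    return [r for r in rules if iface in r["text"]]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("rules mentioning vlan16:", len(rules_mentioning_iface(parsed, "vlan16")))
    for r in rules_for_proto(parsed, "carp"):
        print("carp rule (iface=%s): %s" % (r["iface"], r["text"]))
```

Run it against real output with `pfctl -sr | python3 thisfile.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`; the point is that the CARP rule reports `iface=None`, which is exactly why a grep by interface name does not find it.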
  • After loss of electricity -> carp0: incorrect hash

    Locked · 0 Votes · 5 Posts · 3k Views

    I didn't do anything and it works today.
    OK, to be exactly truthful, I did a hard reboot yesterday before I went home. :-)

  • CARP Master slow Web GUI?

    Locked · 0 Votes · 5 Posts · 4k Views

    Is there any solution for this problem, or any workaround?
    I want to test my settings before moving to production.
    Should I expect the same behavior from VMware as well?

  • Routed: carp netmask warning

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied
  • VIP alias without NAT

    Locked · 0 Votes · 4 Posts · 3k Views · jimp

    It's a non-issue on 2.0, where IP aliases are handled in the GUI as a type of Virtual IP.

  • CARP fail over with Dual Wan Load Balance

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied
  • CARP VIP - Showing blank in GUI

    Locked · 0 Votes · 5 Posts · 3k Views

    Hi Jimp,

    Thanks for the advice. I will schedule a window for next week; in the meantime I will try removing the affected addresses and re-adding them.

    Have a good day,

  • Lots of vrrp (carp?) packets outbound from WAN

    Locked · 0 Votes · 11 Posts · 8k Views

    Great, thanks again for the help.

  • Unable to ping VIP from pfsense web-gui

    Locked · 0 Votes · 4 Posts · 3k Views · GruensFroeschli

    If you are not using CARP type VIPs, then the IPs will not be pingable.
    Look at the wiki page on VIPs for more information.

    You don't need to do anything (like creating a 1:1 forward) for the VIP to function.
    The VIP will bind to the interface on which you create it -> not necessarily on WAN.

    You set the subnet on the same page on which you create the VIP.

    You can use CARP VIPs even if you don't need CARP functionality.

    If you set up a VIP (any type) and forward stuff from it (and allow it with firewall rules) to a server behind it, it should just work.
    I'm not sure I understood what your problem was.
    Did you test from the outside? Did you try to access it from within your LAN?
    Did you look at the pfSense wiki ( http://doc.pfsense.org )?
    There are quite a few howtos.

  • XMLRPC Stops Running

    Locked · 0 Votes · 10 Posts · 4k Views

    They were definitely both using HTTPS on port 443 with identical passwords.

    The weird thing is that there were no errors indicating success or failure in the System Log. If it claimed bad password or can't connect, then I would have something to work with.

    Instead, I'd make a change and nothing would happen.

    Also strange was that it would work for a while after a reboot, so it wasn't completely non-functional; it just stopped working after a while? *shrug*

  • Redundant WAN (1 ISP) - General Question

    Locked · 0 Votes · 3 Posts · 2k Views

    I believe so, what I do know is they have HSRP configured on their end, which from what I understand is just VRRP, but Cisco's rendition.
    Thanks for your help JimP, you are a good man.

  • Pfsync State Synchronization Troubleshooting

    Locked · 0 Votes · 3 Posts · 15k Views

    Doh! I read that you're not supposed to define sync settings on the backup, so I didn't try that. It must have meant not to define the other settings near the bottom. :(

    Thanks a million, everything works great now.

  • VIP's nat1:1 help newbie

    Locked · 0 Votes · 3 Posts · 3k Views

    We basically couldn't get any configuration to work with the OPT1 output, so we gave up on that.

    Currently we have it configured back to the cable modem, an SMC 8014. That has one cable going to the pfSense box and one cable going to a switch with the Xboxes on it, using static IPs.
    This way has intermittent issues with allowing the Xboxes to stay connected; they always have to retry the connection to get it to work.

    So now I had an Oceanic tech replace the modem, but it is still having the same problem, where it does not always pull the static IPs correctly. They tell me anything after the modem is not their problem, even though all I'm doing is adding a switch to the modem to allow more IPs to be pulled.

    Basically I want them to put it in a pseudo bridge mode with statics. This disables everything on the modem/router to allow my devices to pull everything how they want, but Oceanic does not support this mode and will not allow the user to put it into this mode. So I'm at a loss of what to do.

    The tech was cool, and we actually are neighbors, so maybe he will find the right level 3 tech that can help me with my problem.

  • CARP and Captive Portal

    Locked · 0 Votes · 2 Posts · 2k Views · GruensFroeschli

    Firewall -> Virtual IPs -> CARP Settings is what gets synced.

  • Carp status borked - multiple carps

    Locked · 0 Votes · 3 Posts · 2k Views · dotdash

    Read the text by 'subnet mask' carefully. I doubt your WAN is a /32...

  • PfSense VIP with UK ADSL connection just not working.

    Locked · 0 Votes · 2 Posts · 2k Views

    Sorry all, got it fixed myself. Did two things: changed the PARP IPs to single IPs, but each one with a mask of /29, and also refreshed my webserver's ARP cache so that it wasn't still trying to use the old router as its gateway.

    Knew that I'd get there in the end!!

    Jake

  • Server with public ip inside LAN

    Locked · 0 Votes · 17 Posts · 11k Views

    @Eugene:

    Let me give you one piece of advice. Make your life simpler: set up your mail server behind pfSense and that is it.
    Mail server [local IP] ---- [local IP] pfSense [public IP] --- Provider
    Don't waste your time creating a messy and hard-to-troubleshoot setup.

    You're right. I kindly asked ISP for more IP addresses, now I'll have /29. Let's say I put the mailserver on separate DMZ, then:

    1. configure WAN as x.x.x.6/29, gateway x.x.x.1
    2. add CARP address x.x.x.5/29
    3. add NAT 1:1 from x.x.x.5/29 to internal server IP on DMZ

    Right?
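A worked check of the three-step /29 plan above, added here as my own example (it is not from the thread and not pfSense code). It substitutes the documentation block 203.0.113.0/29 for x.x.x.0/29 and a made-up DMZ host 10.0.10.25, then verifies the points that bite people in the other threads on this page: the CARP VIP is entered with the interface's own mask rather than /32 (dotdash's "I doubt your WAN is a /32" and Jake's /29 fix), and the VIP is neither the network, broadcast, gateway nor WAN interface address. It also prints the hand-written pf `binat` equivalent of the 1:1 NAT in step 3 for comparison with what pfSense generates. Function and interface names (`check_carp_vip_plan`, `binat_rule`, `em0`) are mine.

```python
import ipaddress


def check_carp_vip_plan(wan_addr, wan_prefix, gateway, vip_addr, vip_prefix,
                        dmz_host, dmz_net):
    """Return a list of problems with the addressing plan (empty means consistent).

    wan_addr/wan_prefix : WAN interface address and mask (step 1)
    gateway             : upstream gateway (step 1)
    vip_addr/vip_prefix : CARP VIP and the mask entered for it (step 2)
    dmz_host/dmz_net    : the 1:1 NAT target and the DMZ subnet (step 3)
    """
    problems = []
    wan_ip = ipaddress.ip_address(wan_addr)
    wan_net = ipaddress.ip_network(f"{wan_addr}/{wan_prefix}", strict=False)
    gw = ipaddress.ip_address(gateway)
    vip = ipaddress.ip_address(vip_addr)

    # A CARP VIP carries the subnet mask of the interface it lives on, not /32;
    # a /32 here is the mistake dotdash points at in "Carp status borked".
    if vip_prefix != wan_prefix:
        problems.append(f"VIP mask /{vip_prefix} does not match WAN mask /{wan_prefix}")
    if gw not in wan_net:
        problems.append(f"gateway {gw} is outside WAN subnet {wan_net}")
    if vip not in wan_net:
        problems.append(f"VIP {vip} is outside WAN subnet {wan_net}")
    if vip in (wan_net.network_address, wan_net.broadcast_address):
        problems.append(f"VIP {vip} is the network or broadcast address of {wan_net}")
    if vip == wan_ip:
        problems.append("VIP must differ from the WAN interface address")
    if vip == gw:
        problems.append("VIP must differ from the gateway address")

    dmz = ipaddress.ip_network(dmz_net)
    if ipaddress.ip_address(dmz_host) not in dmz:
        problems.append(f"DMZ host {dmz_host} is outside DMZ subnet {dmz}")
    return problems


def binat_rule(ext_if, vip_addr, dmz_host):
    """Hand-written pf.conf form of the step-3 1:1 NAT (pfSense generates its
    own rules; this is only the equivalent for comparison)."""
    return f"binat on {ext_if} from {dmz_host} to any -> {vip_addr}"


if __name__ == "__main__":
    # Constructed plan: documentation addresses stand in for x.x.x.0/29.
    plan = dict(wan_addr="203.0.113.6", wan_prefix=29, gateway="203.0.113.1",
                vip_addr="203.0.113.5", vip_prefix=29,
                dmz_host="10.0.10.25", dmz_net="10.0.10.0/24")
    for line in check_carp_vip_plan(**plan) or ["plan looks consistent"]:
        print(line)
    print(binat_rule("em0", plan["vip_addr"], plan["dmz_host"]))
```

Feed it your real addresses before touching the box; with the VIP entered as /32 it reports the mask mismatch, and with .7 as the VIP it reports the broadcast address, both of which the GUI will happily accept.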

  • 0 Votes · 2 Posts · 3k Views

    Not sure I understand why you need pfSense to do this.  Sounds like you just need a server running haproxy on your LAN with a VIP.  Why do you need pfSense?  Do you really need to route from one network (LAN) to another (WAN)?

  • Regarding about virtual IPs

    Locked · 0 Votes · 2 Posts · 2k Views · jimp

    This has been covered many times before, and I believe there is some info in a sticky on one of the boards here.

    Also, it's in the doc wiki:

    http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

    And of course in the book :)

  • Eliminating Switch as Single Point of Failure

    Locked · 0 Votes · 5 Posts · 4k Views

    Thanks for the suggestion.  I looked into LAGG but it didn't seem like it was supported in any meaningful way in 1.2.x, and since it's a production environment I couldn't risk running 2.x where it does seem to be supported.

    If anyone cares, I did test using CARP/pfsync for switch redundancy and it does work, just as jimp indicated.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.