• Assign VIP to pfSense WAN interface…

    Locked
    0 Votes
    4 Posts
    3k Views

    Just a thought. You could try DynDNS and VPN to a domain name instead of having to look up the address.

  • pfSense "owns" external virtual IPs

    Locked
    0 Votes
    4 Posts
    6k Views
    GruensFroeschli

    Yes.
    This is due to how NAT works.
    You cannot NAT out the same interface on which packets arrive.

    For normal port forwards you can alternatively use "NAT reflection", although this is kind of an ugly hack.
    You "could" create on top of the 1:1 NAT forwarding, a normal NAT forwarding for the ports you need and enable NAT reflection.
    But I would not recommend it since you're already doing it the proper way.

    More relevant info in the FAQ:
    http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    http://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT%3F

  • Added Virtual IPs but they don't work.

    Locked
    0 Votes
    4 Posts
    3k Views
    GruensFroeschli

    As far as I understood, you got a subnet of /29?
    In this case you don't have to add 6x the same subnet.
    With PARP you always add a range (even if the range is /32).

  • Sync between two pfSense firewalls

    Locked
    0 Votes
    6 Posts
    12k Views
    GruensFroeschli

    You misunderstand the concept.
    You can only sync from a node with a lower Advertising Frequency to a node with a higher Advertising Frequency.
    Just because a node is "temporarily" a master doesn't mean it syncs its stuff to the other nodes.
    After all only the node with the lowest Advertising Frequency is the "real" master (even if it's offline).

    Although I think if you have 3 nodes and you remove the main master, add something on the secondary master it "should" sync to the 3rd node (the only "real" slave).

  • CARP / DMZ / VIPs (fixed)

    Locked
    0 Votes
    2 Posts
    4k Views

    Figured it out.

    I followed the guide to setup CARP here:
    http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

    And then did the following:

    Firewall 01
    1. WAN address: [external IP]
    2. LAN address: 10.10.16.254/24
    3. FAILOVER (OPT1) address: 10.10.16.251/24
    4. DMZ (OPT2) address: 10.10.15.254/20

    Firewall 02
    1. WAN address: [external IP]
    2. LAN address: 10.10.16.252/24
    3. FAILOVER (OPT1) address: 10.10.16.250/24
    4. DMZ (OPT2) address: 10.10.15.252/20

    Virtual IPs
    1. (CARP) 10.10.16.253 - used as LAN gateway address for internal machines
    2. (CARP) 10.10.15.253 - used as DMZ gateway address for internal machines
    3. (CARP) [external IP] - used for external load balancer IP. NAT'd 1:1 (using WAN interface) to internal address on DMZ

    Now I get the luxury of fault tolerance with the internal gateway addresses as well as the external IP that DNS will be directed at.

  • SNMP Monitor CARP State

    Locked
    0 Votes
    1 Post
    3k Views
    No one has replied
  • WAN VIP failover

    Locked
    0 Votes
    2 Posts
    2k Views
    dotdash

    You just set up a CARP VIP on the WAN, then change the AON so the outbound NAT uses the WAN CARP instead of the interface. The CARP tutorial (http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm) is a good reference for configuration.

  • CARP & Failover: what can I expect to synchronize?

    Locked
    0 Votes
    3 Posts
    2k Views

    Strange, but thanks for the info.

  • CARP not working - both Master on LAN and DMZ

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Bug: Firewall rules descriptions are stripped/munged when CARP syncs.

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Does CARP/Failover work for PPTP settings?

    Locked
    0 Votes
    2 Posts
    2k Views

    Hi Peter,

    Did you get anywhere with this? I'm currently looking at the same issue.

    Cheers,

  • Getting pfsense to failover with a bridge using the CD-ROM platform

    Locked
    0 Votes
    10 Posts
    25k Views
    jimp

    A slightly better fix for this is possible now with 1.2.3-RC and 2.0, but it's still not ideal.

    The CARP interface will now report a transition to MASTER as a "link up" event, and a transition to BACKUP as a "link down" event to the system. These can be caught with devd and used to call scripts on these events – no more need to rely on cron or a delay. This will happen instantaneously once the CARP interface on the backup takes over.

    This is more meant for a full install, but I suppose it could be altered to work as the initial solution was for a livecd/embedded platform.

    If you are running a recent (as of the date on this post) snapshot of 1.2.3, or 2.0, you can try this.

    Edit /etc/devd.conf, and add the following:

    notify 100 {
        match "system"    "IFNET";
        match "type"      "LINK_UP";
        match "subsystem" "carp";
        action "/usr/local/bin/carpup $subsystem";
    };
    notify 100 {
        match "system"    "IFNET";
        match "type"      "LINK_DOWN";
        match "subsystem" "carp";
        action "/usr/local/bin/carpdown $subsystem";
    };

    In this instance, you don't really need the $subsystem variable, but it may be useful if you want to perform other actions. It contains the name of the actual carp interface that transitioned. If you want to lock this down to just one carp interface, you could change the subsystem match to "carp0" or "carp1", whichever you like.

    Restart devd (or reboot):

    killall -9 devd && /sbin/devd

    You can then create the scripts mentioned on the "action" line above. For this case, it would be two different scripts:

    /usr/local/bin/carpup

    #!/bin/sh
    /sbin/ifconfig bridge0 up

    /usr/local/bin/carpdown

    #!/bin/sh
    /sbin/ifconfig bridge0 down

    Finally, make sure those are executable:

    chmod a+x /usr/local/bin/carpup
    chmod a+x /usr/local/bin/carpdown

    You could add anything else that you want to these scripts. Calling some sort of notification program would be useful, or whatever else is desired.

    I'm trying to come up with some sort of generic detection code that would take the carp interface, and attempt to see if its parent interface is a bridge member, and if so, bring down that bridge member. A little more complex, but it is a more generic solution that should work in more, similar, scenarios.

  • CARP Fail-Over Automatic

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Help! How do I make a complete failover when 1 interface fails?

    Locked
    0 Votes
    3 Posts
    2k Views

    @mgiammarco:

    Two questions:

    Why do you want the migration of all interfaces? Why, in my setup, is there automatic migration of all interfaces? I need only migration of the broken interface.

    Hi,
    1. Because I have noticed that if there isn't a total failover I'm not able to access the DMZ from the LAN when only one interface has migrated to the backup host. But that could also be because I have done something wrong in my setup?

    2. So I would like to know what you have done to make all interfaces migrate?

  • Just two IPs from my ISP. Can VIPs work behind my pfSense?

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Proxy ARP add a whole range

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Two problems with carp

    Locked
    0 Votes
    7 Posts
    4k Views

    OK, I have almost solved problem two: it seems that with the Cisco Catalyst 500 default option of IGMP snooping enabled, when the master becomes available again the multicast packets are sent with some delay, causing a problem with state keeping.

    Problem one is not solved: if I detach the WAN2 cable on the master pfSense, WAN and LAN go to backup state and WAN2 goes to "init" state (what does that mean?). On the backup pfSense, WAN, WAN2 and LAN all go to master state.

    The problem is that I have discovered that I "sometimes" lose a port forward on WAN and I also lose the Internet traffic on WAN2.

    What does "init" state mean?

    Please reply to me.

    Mario

  • CARP does not maintain state (explain the CARP protocol to me, please)

    Locked
    0 Votes
    3 Posts
    4k Views

    OK, I have almost solved this problem: it seems that with the Cisco Catalyst 500 default option of IGMP snooping enabled, when the master becomes available again the multicast packets are sent with some delay, causing a problem with state keeping.

  • CARP VIP not reachable

    Locked
    0 Votes
    26 Posts
    13k Views

    <wan>
      <if>fxp0</if>
      <mtu></mtu>
      <ipaddr>192.168.1.201</ipaddr>
      <subnet>1</subnet>
      [..]
    </wan>

    I finally found the problem. Simple little configuration mistake, see above. I apologize for the trouble caused.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.