  • CARP and asymmetric routing issues: ICMP redirect + dropped connection (1 post, no replies)
  • IP Alias on "localhost interface" vs "carp interface" (2 posts)
    Latest reply (jimp):
    @jason0: what is the difference between binding the alias to the 'localhost' interface versus the wan carp interface? Why would I choose one or the other?
    IP Alias on localhost is for binding services on IPs inside a routed subnet, that is, a subnet routed entirely to your firewall (cluster). The differences are:
    - IP Aliases on an interface would be an IP conflict if they existed on two separate firewalls at once, which is why CARP VIPs are required. These do not sync, as it would create an IP conflict.
    - IP Aliases using an interface of an existing CARP VIP (in the same subnet as the CARP VIP) are OK, and they do sync, because only one of the nodes can use them at a time.
    - IP Aliases on localhost are only useful for binding services on the firewall to an IP address inside a routed subnet, and should not be used if the IP addresses are in your WAN or any other interface subnet.
    @jason0: what type of problem is resolved by being able to bind a wan ip alias to a different interface? For instance, I COULD create an ip alias with an additional wan ip, and bind it to my LAN port: but what does that get me?
    Nothing useful in that example. You do not want to assign IP addresses from the same subnet to multiple interfaces.
    @jason0: Is the word "localhost" possibly a misnomer? Is it more a generic word use like "any of the interfaces listed"?
    No, it means exactly what it says. The IP Aliases are placed on the localhost interface (lo0). If the IP addresses you're using are all inside the WAN subnet, then using CARP VIPs or Alias-on-CARP VIPs is best. In a clustered environment you cannot use Alias-on-WAN or Proxy ARP type VIPs on WAN, as it will create an IP conflict. If the additional IP addresses are in a separate subnet routed to you, then you do not need any VIPs for 1:1 NAT to function.
    If the IP addresses you have are truly in the WAN subnet and they still work when you bind the IPs to localhost, then it's a fluke; the upstream router probably has a cached ARP entry that is pointing them to the primary firewall or CARP VIP MAC. I wouldn't expect that to keep working indefinitely.
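The placement rules in the reply above, turned into a check that can be run over a two-node cluster's VIP list before the config is synced. This is an added example, not pfSense code and not from the thread: the VIP and interface structures are an assumption for illustration (they are not the config.xml schema), the cluster below is constructed, and its addresses are RFC 5737 documentation ranges.

```python
"""Sanity-check pfSense virtual-IP placement for a two-node CARP cluster.

Encodes the rules from the reply above: an IP alias or proxy ARP VIP directly
on an interface would exist on both nodes at once (IP conflict), an alias on
a CARP VIP must share that VIP's subnet, and an alias on lo0 is only for a
subnet routed to the cluster, never for an interface subnet.  Added example;
the VIP/interface structures are an assumption, not pfSense's own schema.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VIP:
    mode: str      # "carp", "ipalias" or "proxyarp" (pfSense VIP types)
    iface: str     # real interface ("wan", "lan"), "lo0", or the id of a CARP VIP (alias-on-CARP)
    address: str   # address with prefix length, e.g. "203.0.113.12/27"
    vhid: int = 0  # CARP only; 0 means not set


# Constructed sample cluster: WAN and LAN interface subnets, plus a /24
# routed to the firewall pair (198.51.100.0/24) that sits on no interface.
SAMPLE_IFACES = {"wan": "203.0.113.10/27", "lan": "192.168.1.1/24"}
SAMPLE_VIPS = {
    "wan_carp":  VIP("carp", "wan", "203.0.113.12/27", vhid=1),   # correct
    "wan_alias": VIP("ipalias", "wan_carp", "203.0.113.13/27"),   # alias on CARP VIP, same subnet: ok
    "wan_bare":  VIP("ipalias", "wan", "203.0.113.14/27"),        # alias directly on WAN: conflict in a cluster
    "lo_routed": VIP("ipalias", "lo0", "198.51.100.5/32"),        # routed subnet on lo0: the intended use
    "lo_wan":    VIP("ipalias", "lo0", "203.0.113.15/32"),        # WAN address on lo0: works only by ARP-cache fluke
    "lan_wanip": VIP("ipalias", "lan", "203.0.113.16/27"),        # WAN address on LAN: one subnet on two interfaces
    "proxy":     VIP("proxyarp", "wan", "203.0.113.17/32"),       # proxy ARP on WAN: conflict in a cluster
}


def check_vips(ifaces, vips):
    """Return a list of (severity, vip_id, message) for a clustered pfSense pair."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}
    findings = []
    seen = {}  # address -> first VIP id holding it, to catch duplicates
    for vid, vip in vips.items():
        ip = ipaddress.ip_interface(vip.address).ip
        # Which real interface subnet contains this address, if any?
        owner = next((n for n, net in nets.items() if ip in net), None)
        if ip in seen:
            findings.append(("error", vid, f"{ip} duplicates VIP {seen[ip]}"))
        seen.setdefault(ip, vid)
        # An address from one interface's subnet must not be assigned to another interface.
        if vip.iface in nets and owner not in (None, vip.iface):
            findings.append(("error", vid, f"{ip} is in the {owner} subnet but assigned to {vip.iface}; "
                                           "never put one subnet on two interfaces"))
        if vip.mode == "carp":
            if vip.iface not in nets:
                findings.append(("error", vid, f"CARP VIP needs a real interface, got {vip.iface!r}"))
            elif vip.vhid <= 0:
                findings.append(("error", vid, "CARP VIP needs a VHID"))
            elif owner is None:
                findings.append(("info", vid, f"{ip} is in no interface subnet; a subnet routed to "
                                              "the cluster needs no VIP for 1:1 NAT"))
        elif vip.mode == "proxyarp":
            findings.append(("error", vid, f"proxy ARP VIP on {vip.iface} answers from both nodes "
                                           "(IP conflict); use a CARP VIP"))
        elif vip.mode == "ipalias":
            parent = vips.get(vip.iface)
            if vip.iface == "lo0":
                if owner is not None:
                    findings.append(("error", vid, f"lo0 alias {ip} lies in the {owner} subnet; lo0 aliases "
                                                   "are only for routed subnets (an upstream ARP cache may "
                                                   "make it appear to work for a while)"))
            elif parent is not None and parent.mode == "carp":
                pnet = ipaddress.ip_interface(parent.address).network
                if ip not in pnet:
                    findings.append(("error", vid, f"alias on CARP VIP {vip.iface} must be inside {pnet}"))
                else:
                    findings.append(("info", vid, f"alias on CARP VIP {vip.iface}: syncs to the peer, "
                                                  "only the master answers"))
            else:
                findings.append(("error", vid, f"IP alias directly on {vip.iface} would live on both nodes "
                                               "at once (IP conflict) and does not sync; use a CARP VIP"))
        else:
            findings.append(("error", vid, f"unknown VIP mode {vip.mode!r}"))
    return findings


def errors_for(findings, vid):
    """Error messages recorded for one VIP id."""
    return [msg for sev, v, msg in findings if v == vid and sev == "error"]


if __name__ == "__main__":
    for sev, vid, msg in check_vips(SAMPLE_IFACES, SAMPLE_VIPS):
        print(f"{sev:5} {vid:10} {msg}")
```

Only `wan_carp`, `wan_alias` and `lo_routed` come out clean; `lan_wanip` collects two errors (a WAN address on LAN, and a bare alias on an interface in a cluster), which is the "what does that get me? Nothing useful" case from the reply.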
  • Multiple VLANs and failover (1 post, no replies)
  • CARP sync broken? pfSense 2.1.3 (14 posts)
    Latest reply (jimp):
    You'd be better off on 2.1.x for the moment (2.2 is still alpha). You just need to make sure that your config.xml version is right for that version (10.1, not 10.7).
  • HA Sync with different username (2 posts)
    Latest reply:
    Hi craCH, @craCH: Isn't it possible to use a different user for that? Correct, it's not possible to use a different user with HA Sync. You need to use the admin user.
  • Best practice for multiple VIPs on interface (5 posts)
    Latest reply (JeGr):
    @vira A now I see :) A pity then. Thought you had something I was missing for a second. But as all networks are routed to our transfer IP, I don't have to use separate gateways for them.
  • Assigning External IP Addresses to Subnets behind pfSense Box (8 posts)
    Latest reply:
    EScottH, are you performing 1:1 NAT for ALL ports?
  • (3 posts)
    Latest reply:
    When you update the master password, it is synchronized to the slave, but it does not update the "password" field under 'Configuration Synchronization Settings (XMLRPC Sync)'. You have to manually update this.
  • 61st ip. (15 posts)
    Latest reply:
    @cmb: @cthomas: I just cut over to a pair of firewalls that had 24+ CARP VIPs on the WAN - as soon as the secondary fw would boot, the primary would crash, and then continue to crash after each boot as long as the secondary fw was online. Made for a rough 24 hours.
    Wow, never seen or heard of that happening. You should start a thread on that if you haven't already (I couldn't find one in your post history). I suspect some kind of weird NIC or other driver bug that's specific to some very unusual edge case on your combination of hardware.
    cmb - I submitted a ton of crash reports - pm me for hostname details
  • CARP and DHCP server (6 posts)
    Latest reply:
    Thank you very much for your help. The log gave me some ideas. In my case, the interface assignment on both devices was slightly different. After I reassigned them, it began to work. Thanks again!
  • Two NICs with CARP on the same switch/VLAN (3 posts)
    Latest reply (Simone):
    Hi Francesco and All, I'm in exactly the same situation, but with a physical server with two physical NICs.
    Two NICs with CARP on the same switch/VLAN (WAN side): my ISP provides me 2 public IP subnets on the same cable. This cable is plugged into my Cisco switch in a port configured in access mode with VLAN X. Two other ports on the same Cisco switch are configured in access mode on the same VLAN X. Connected to these two ports are the two pfSense WAN NICs, with this configuration:
        WAN (wan)      -> em1        -> v4: a.a.a.a/27
        WAN2 (opt9)    -> em3        -> v4: b.b.b.b/27
    My filter.log is flooded by these messages:
        rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 37753, offset 0, flags [DF], proto VRRP (112), length 56)
            a.a.a.a > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 0, authtype none, intvl 1s, length 36, addrs(7): 77.110.34.171,61.17.65.165,90.166.164.7,254.92.249.181,89.34.91.45,24.56.193.51,49.113.148.220
        00:00:00.001830 rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 64989, offset 0, flags [DF], proto VRRP (112), length 56)
    and
        rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 15937, offset 0, flags [DF], proto VRRP (112), length 56)
            b.b.b.b > 224.0.0.18: VRRPv2, Advertisement, vrid 226, prio 0, authtype none, intvl 1s, length 36, addrs(7): 189.142.72.18,82.162.93.207,80.97.204.246,226.201.105.180,72.151.119.172,252.49.36.205,219.112.155.93
        00:00:00.178021 rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 46149, offset 0, flags [DF], proto VRRP (112), length 56)
    I already checked: the VIP configuration (all netmasks OK, Base 1 and Skew 0 for all VIPs, a dedicated VHID Group # for each VIP, same password) and the netmask in the WAN and WAN2 configuration.
    Is there a way to solve this? Or a way to hide these messages if they are not a serious network issue?
    Note: I have another pair of pfSense firewalls in the same switch and in the same VLAN X with a third public IP subnet (c.c.c.c), but I don't see VRRP/CARP messages in filter.log.
    With a tcpdump on the WAN interface I can see VRRP messages, but this is right.
    pfSense 2.1-RELEASE (i386)
    Thank you and best regards, Simone
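A way to sort the "proto VRRP (112)" hits in a filter.log like the one above into harmless and interesting ones. This is an added example, not from the thread and not pfSense's own tooling. Two facts it relies on: CARP uses IP protocol 112 like VRRP, and tcpdump prints CARP with its VRRPv2 decoder unless run with `-T carp`, so in these lines `vrid` is the CARP VHID, `prio` is the advskew, `intvl` is the advbase (the poster's Base 1 / Skew 0 show up as `intvl 1s, prio 0`), and the seven "addrs" are the 8-byte counter plus 20-byte HMAC of the 36-byte CARP payload read as addresses, not real IPs. The interface map, the expected VHIDs and the log lines are constructed for the example (payload and IP-header lines joined, RFC 5737 addresses in place of a.a.a.a and b.b.b.b).

```python
"""Classify CARP advertisements that pf logged as 'proto VRRP (112)'.

Added example, not pfSense code.  tcpdump decodes CARP with its VRRPv2
printer unless told -T carp, so: vrid = CARP vhid, prio = advskew,
intvl = advbase, and 'addrs(7)' is the counter + HMAC (28 bytes), not IPs.
The interface map, expected VHIDs and log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed interface subnets: em1 is WAN (a.a.a.a/27), em3 is WAN2 (b.b.b.b/27).
SAMPLE_IFACES = {"em1": "203.0.113.10/27", "em3": "198.51.100.40/27"}
# VHIDs this cluster itself runs on each interface.
SAMPLE_VHIDS = {"em1": {108}, "em3": {226}}

# Constructed lines in the layout of the post's filter.log output, one record per line.
SAMPLE_LOG = [
    # em1's own advertisement (vhid 108) arriving on em3: both NICs share one VLAN
    "rule 38/0(match): block in on em3: (tos 0x0, ttl 255, id 37753, offset 0, flags [DF], proto VRRP (112), length 56) "
    "203.0.113.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 0, authtype none, intvl 1s, length 36, "
    "addrs(7): 77.110.34.171,61.17.65.165,90.166.164.7,254.92.249.181,89.34.91.45,24.56.193.51,49.113.148.220",
    # em3's own advertisement (vhid 226) arriving on em1
    "rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 15937, offset 0, flags [DF], proto VRRP (112), length 56) "
    "198.51.100.40 > 224.0.0.18: VRRPv2, Advertisement, vrid 226, prio 0, authtype none, intvl 1s, length 36, "
    "addrs(7): 189.142.72.18,82.162.93.207,80.97.204.246,226.201.105.180,72.151.119.172,252.49.36.205,219.112.155.93",
    # the peer node's advertisement for vhid 108 on em1: expected CARP traffic
    "rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 40001, offset 0, flags [DF], proto VRRP (112), length 56) "
    "203.0.113.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 108, prio 100, authtype none, intvl 1s, length 36, "
    "addrs(7): 10.0.0.1,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7",
    # a speaker from none of our subnets: someone else's CARP/VRRP on the segment
    "rule 38/0(match): block in on em1: (tos 0x0, ttl 255, id 40002, offset 0, flags [DF], proto VRRP (112), length 56) "
    "192.0.2.99 > 224.0.0.18: VRRPv2, Advertisement, vrid 5, prio 100, authtype none, intvl 1s, length 36, "
    "addrs(7): 10.0.0.1,10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7",
    # unrelated TCP line, must be ignored
    "rule 12/0(match): pass in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) "
    "192.0.2.5.51000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
]

ADVERT_RE = re.compile(
    r"block in on (?P<iface>\w+):.*?proto VRRP \(112\).*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vhid>\d+), prio (?P<skew>\d+), authtype \w+, intvl (?P<base>\d+)s"
)


def parse_advert(line):
    """Extract interface, source and the CARP fields hidden behind the VRRP names; None if not an advert."""
    m = ADVERT_RE.search(line)
    if not m:
        return None
    return {"iface": m["iface"], "src": ipaddress.ip_address(m["src"]),
            "vhid": int(m["vhid"]), "advskew": int(m["skew"]), "advbase": int(m["base"])}


def classify(adverts, ifaces, own_vhids):
    """Tag each advertisement by where its sender sits relative to our interface subnets."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in ifaces.items()}
    out = []
    for a in adverts:
        src_if = next((n for n, net in nets.items() if a["src"] in net), None)
        if src_if is None:
            verdict = "foreign"        # not from any of our subnets: another CARP/VRRP speaker on the wire
        elif src_if != a["iface"]:
            verdict = "other_wan"      # our other WAN's subnet seen here: the two NICs share a broadcast domain
        elif a["vhid"] in own_vhids.get(a["iface"], set()):
            verdict = "peer"           # the other cluster node advertising a VHID we run here
        else:
            verdict = "unknown_vhid"   # right subnet, but a VHID we did not configure
        out.append({**a, "verdict": verdict})
    return out


def analyze(lines, ifaces, own_vhids):
    return classify([a for a in (parse_advert(l) for l in lines) if a], ifaces, own_vhids)


def summary(lines, ifaces, own_vhids):
    """Count of adverts per verdict, e.g. {'other_wan': 2, 'peer': 1, 'foreign': 1}."""
    return Counter(r["verdict"] for r in analyze(lines, ifaces, own_vhids))


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, SAMPLE_IFACES, SAMPLE_VHIDS):
        print(f"{r['verdict']:12} on {r['iface']} from {r['src']} vhid={r['vhid']} "
              f"advskew={r['advskew']} advbase={r['advbase']}")
```

Run against the lines quoted in the post, the two flooding records classify as `other_wan`: each WAN NIC is hearing the other WAN's own CARP advertisements because both ports sit in VLAN X, which is the situation described and not a VHID or netmask mistake. A `foreign` verdict is the case worth a closer look, since it means a CARP or VRRP speaker outside both subnets is on the same segment.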
  • pfSense failover with DHCP on WAN side .. feature in the future? (4 posts)
    Latest reply (jimp):
    In that situation the secondary would only process traffic if it is the CARP master, not when it is the CARP backup. If the primary fails, it would still pass traffic as expected, but when the primary is up it would have no external connectivity.
  • CARP VIP dropping packets (3 posts)
    Latest reply (dotdash):
    Check the logs. A packet capture will show if something is using CARP/VRRP on the wire and what VHIDs are in use. It seems unlikely that you would see VRRP traffic on the LAN unless you are not in control of the LAN side of your network.
  • CARP 2.1.2 suddenly stops working (all clients can access the internet) (2 posts)
    Latest reply:
    This is OK now; it turned out that one MAC address was causing the trouble. When it was deleted, everything worked fine.
  • VIP not working in 2.1.2, does in 2.1.0 (1 post, no replies)
  • Access to pfSense via VIP (4 posts)
    Latest reply:
    xxx.xxx.xxx.121 and 122 were accessible. After I modified the firewall rule (WAN address to WAN net), it began to work! Thank you very much!
  • Ok what am I missing? (9 posts)
    Latest reply:
    I think you're right. I was messing with promiscuous mode on VirtualBox NICs and everything started working somewhat fine, but it still wasn't working as intended.
    What I wanted to do was set this up on my server, which is running a virtual instance of pfSense for my network at home. Lately my server has been having issues and I kept breaking stuff, and the internet goes down for a few hours; it becomes difficult to fix things when you don't have the resources of the internet and have to rely on a mobile data plan from your phone. But anyway, I had a physical box which used to be my old pfSense router, burning 80 watts 24/7, which is why I went to a virtual setup. I wanted to CARP to this box so I can take down the server for maintenance and still have internet and not interrupt anybody in the home who may be playing video games, watching Netflix and so on.
    The server runs CentOS 6.5 with KVM, and pfSense utilizes virtio drivers. I can't find anything for promiscuous mode settings for KVM, even though a web search suggests that a promiscuous mode setting does exist. I just have no idea how yet, although I haven't dug deep into it yet.
  • Spontaneous Failover? (19 posts)
    Latest reply:
    You can probably swap out the cables without anyone noticing. Do the backup box first, then disable CARP on the primary and change those too. If your NICs are all built in then I'd probably go to the switch next. You may just have to declare a maintenance window on that one.
  • WAN2 to WAN1 failover not working (1 post, no replies)
  • Editing interface assignment causes VIP to stop responding… (3 posts)
    Latest reply:
    Had the same issue yesterday. I was connected via OpenVPN to pfSense. The OVPN server is bound on a WAN CARP VIP and my web GUI is reachable on the LAN address only. I just hit the button to add an interface and the VPN was broken. No way to get access from remote again. That's a bad circumstance if the firewall is more than 20 km away and it's late at night!
    My pfSense is 2.1.1. Does anybody know if this behaviour just applies to services bound on CARP VIPs, or will it be the same if I bind OVPN on an IP Alias?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.