To the best of my knowledge, this is not a supported configuration. With that said….  you could try a crossed virtual ip configuration; however, without extensive testing, I'm not sure I would attempt to toss this into a production environment... On your LAN... FW1 = 192.168.0.3/24 FW2 = 192.168.0.4/24 CARPVIP1 = 192.168.0.1/24 (Active on FW1 - Skew FW1=0 / Skew FW2=100) CARPVIP2 = 192.168.0.2/24 (Active on FW2 - Skew FW1=100 / Skew FW2=0) Have DHCP on FW1 hand out .1 as Gateway, have FW2 hand out .2 as Gateway If either FW goes down, the VIP fails over to the other FW and responds for both gateway IP's..  You'll probably need to disable XMLRPC sync for the CARP VIPs and manually configure them. ...c

Great.  Thanks!

Thanks for the replies. I have installed both firewalls now, and as I went through the configuration process, it all became clear. Thanks again. :)

0/ Is the switch managed/VLAN capable? If not, go to shop. 1/ Huh? Bridging and isolation in one sentence? 2/ Where's the wireless magic thing? Cannot see any. 3/ Turn OFF the firewall on whatever you are pinging. 4/ Look at the firewall logs 5/ If you still have problems, you need to post your interfaces setup, firewall rules etc.

I got some help from the IRC pfSense channel and it seems to be working now (I tried it on my test environment). I was suggested to uncheck "System: Advanced: Miscellaneous: State Killing on Gateway Failure". It is a new feature and checked by default (although this means inactive, see description).

Using Oracle VirtualBox.

The way to monitor it: If the heartbeats stop being seen by the slave, it takes over as master. It's logged in the system log. If you want to decrease the sensitivity, increase the advbase on the VIPs. A higher base means that it will be less sensitive to a problem but it also takes longer to detect an outage.

@viragomann: VIPs must be defined as IP Alias an must hook up on a CARP interface address to function and be synchronized to backup. Not sure what you mean by this. I add VLAN interfaces to CARP clusters regularly and you don't have to do anything with IP Aliases. The procedure is roughly- Configure your switches with the new VLAN. Create the vlan on both primary and secondary. Assign the new vlan to a new interface, again on both primary and secondary. Configure the new interface on both boxes- eg: primary 10.20.30.2 secondary 10.20.30.3 From now on, you just need to configure the primary: Add a new CARP VIP (eg 10.20.30.1), configure the OB nat, firewall rules, etc.

drat, same issue here, but didn't fix it for me.  the moment I set this NAT rule I get nothing though.

@andrew4902: Do you know if that feature is planned for a future release? It should be possible on 2.2 @andrew4902: I can see valid IP's needed on the LAN side for management purposes but why are IP's even needed on the WAN side except for the 1 floating WAN IP since it will be the default path to the Internet anyways? Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server. So the single IP method may be valid, but still not ideal.

We tried the whole reboot it, and that's not solved it. We thought it may be a switch echo… but adding a port mirror shows that there are indeed 2 packets being transmitted. I don't know what’s going on here  ... I'm open to any suggestions. :-(

Hi Jason, Thanks for clarifying this to me, had some stuff wrong on the second box. Got that all fixed up now as you described, but still, the setup does not failover yet. There is 2 things I noticed, I don't know if it will tell you something but anyway: 1- I checked the CARP status while the first box's WAN was unplugged and the first box was still the "master". I guess that make sense in a way, since the LAN address still work fine. Do I need to add something in the CARP setting so that it checks the first box's WAN also? 2- When I go in the gateway status on the first box, the "GW_PF2 - LAN - 192.168.1.3" (If I take your example) always switch between "Online" and "Gathering data". What I mean there is that, if I keep refreshing the page, it always switch between the 2 modes. Any other idea? Thanks again for your time and your support!

I have tried this setup on two other pfsense boxes and it seems to work and passes traffic. Thank you for the help

Hello, I found my answer: ensure the clocks are synced correctly.  one had ntp turned off, and the wrong timezone set. Just like the last line in the "configuration synchronization problems" section of the 2.1 book. –jason

I looked this up long ago, so I hope my memory serves. Basically, in BSD, the packets get to the kernel and then firewall decides on out to deal with it. So basically you are blocking outgoing connections and not inbound connections. So when you put in a WAN rule, you are putting in an allow out rule to the internal network. You will need to google BSD networking/routing/firewalling to get more details.

Mm not sure if it is similar then, as I was using 2x pfSense. So not CentOS as OS….

OK, so in my test setup at home, I have to use my 192.168.1.127 for its WAN IP (instead of the public 67.x IP's that I will have at my colo when it goes into production) and I have bridged the WAN/LAN interfaces. Gateway of 192.168.1.1 is setup on the WAN interface. Now this should allow me to use 192.168.1.0 ip's within my the network behind the pfsense device. Correct? Now, with that bridge setup, how do I give the 192.168.0.0 subnet/vlan access to the internet?