I could get the manager permission to take the service down for a couple of minutes. I restarted pfSense from Diagnostics -> reboot and now everything works fine as it is expected.

One additional question about this thread..  And yes, I'm also talking about a home environment, and yes, it's only because I'm a techie and it's fun!  :-) In the docs, it says that you need a REAL WAN address for each CARP participant, and in the diagram it does show "real" addresses. On my cable modem setup, I have the ability to do DHCP to get a 10.x address from the cable modem, and I have five REAL addresses that I have setup as secondary addresses on my pfsense.  The real addresses of course have a different default gateway than the 10.x gateway on the DHCP interface… My first question is whether I lose the ability to do inbound NAT/PAT on two real addresses if I use one for each of two CARP nodes, or if use of the address for CARP wont stop me from using those addresses for inbound traffic at the same time. I am assuming that CARP will take those addresses and stop me from using them otherwise, so my second question is whether PFSense will let the CARP addresses both be DHCP 10.x addresses, so long as they can communicate together on that address and they have the same gateway?  I am allowed by Comcast to have multiple 10.x addresses via DHCP, and I'd prefer to use that for CARP if I will lose the ability to use the IPs for other than the CARP process. Thanks, and sorry for my newbie, non carp-understanding question!! -Steve

Hello voluhar, Could you explain a little bit better what do you need and what do you need to do? I can't undestand what you mean when you talk about: I have strange situation where I have to map 10.0.1.0/24 -> 192.168.1.0/24 OPT1 10.0.2.0/24 -> 192.168.1.0/24 OPT2 10.0.3.0/24 -> 192.168.1.0/24 OPT3 what is the 10.X and 192.168.X ? Best Regards   Francesco Capuano

CARP is done at the IP level.  It doesn't matter how many interfaces each system has.

Yeah, you either have to add an intermediate router or have the provider adjust. Perhaps they could route the /27 directly without the /30 transit network.

Old problem and seems that no one cares… Anyway... I've reinstalled slave router from scratch some time ago and it was working just fine for about two weeks. Now lighttpd stops working on it few seconds after restart (both, web configurator restart and system reboot). It gives error 500 when trying to access and logs are filled with entries like: Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.3329) response not received, request sent: 871 on socket: unix:/tmp/php-fastcgi.socket-0 for /firewall_aliases.php?, closing connection Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.2543) unexpected end-of-file (perhaps the fastcgi process died): pid: 47576 socket: unix:/tmp/php-fastcgi.socket-0 and then Dec 23 09:02:20 lighttpd[47357]: (network_openssl.c.118) SSL: 5 -1 1 Operation not permitted Dec 23 09:02:20 lighttpd[47357]: (connections.c.637) connection closed: write failed on fd 22 BTW, are there any updates to 2.1 STABLE? I'm on "built on Wed Sep 11 18:17:37 EDT 2013" and it says "You are on the latest version."

No, you cannot to failover or CARP with a /30 on any currently released version. With a /30 you only have one IP, the ISP uses the other, so there isn't even an IP for a second node to function. On 2.2 that should be possible but not ideal, but that's a long way off.

@miloman: did you reboot your esxi host after enabling promisc mode? i had reboot my esxi but I still have a high cpu load  :(

Checking my friend!!!

Wy don't you just isolate your master on a switch not connected to your production network?

I would recommend the Mikrotik RB260GS switch. Can mirror multiple ports to one sensor port and supports vlans. http://wiki.mikrotik.com/wiki/SwOS

CARP VIPs are always single host addresses. The subnet mask on a CARP VIP must match the parent subnet. So if you WAN is x.x.x.a/28, then your CARP VIP must be (for example) x.x.x.b/28 – it's still just one IP. It's not like proxy ARP where it makes a bunch of IPs if you pick a larger mask.

I believe this is where i should be looking Load balancer (hinted from here http://forum.pfsense.org/index.php/topic,68769.0.html)