• CARP with PPPoE

    0 Votes, 3 Posts, 3k Views

    The only option for doing CARP with a PPPoE WAN is to do the PPPoE on the modem, and then pass through the real public IP to a private CARP IP (exactly how is best depends on the capabilities of your modem).

  • Pfsync strange behavior

    0 Votes, 4 Posts, 3k Views

    But shouldn't pfSense kill states on a certain gateway when it goes down?

  • HA - VRRP

    0 Votes, 10 Posts, 11k Views

    Issues with HA are very different from protocols like OSPF or BGP.

    I repeat my previous question: how would you do state synchronization?

    Unless you're only trying to do HA for a pair of pure IP routers (very rare scenario), in every other case you'd need to do state synchronization, which allows a firewall to copy its connection table to other backup firewall(s), so that connections will not be lost if a failover occurs.

  • Cannot ping pfsync interfaces

    0 Votes, 4 Posts, 3k Views

    By far no expert here, but maybe also check if the IP addresses assigned to the pfsync interfaces have the right subnet mask (/24 or something) and are different from the WAN and LAN?
    And check firewall rules, see if anything gets blocked in "Status\System Logs\Firewall". If really paranoid, go to the console/PuTTY and run a "tcpdump -en ICMP" to check that the ping is leaving through the right interface.

  • Configuring Port Forwarding with Multiple IP Addresses

    0 Votes, 5 Posts, 6k Views

    Then you can add Proxy ARP addresses and then you can select them when creating a NAT rule (Firewall: NAT: Port Forward) under "Destination Address"

  • Access CARP backup behind IPSec

    0 Votes, 3 Posts, 1k Views

    If you don't want to open an extra port on the outside, you can do an SSH tunnel like so in PuTTY:

    Under Connection:SSH:Tunnels:
    Source port: 6666
    Destination: secondary_ip:443
    x Remote
    x IPv4

    Click add
    open ssh
    log in

    and then in your browser, go to https://localhost:5000

  • No email notification on CARP failover

    0 Votes, 7 Posts, 3k Views

    That took care of it. Thanks!

  • IP Public = IP Internal

    0 Votes, 3 Posts, 2k Views

    Locking this duplicate post; don't post the same thing twice.

  • "Manual outbound NAT rule generation" rule question

    0 Votes, 3 Posts, 2k Views

    In 2.0.1 and 2.1, if you have interfaces set up with a manual address, then pfSense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules.

    If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).

  • Don't understand "Synchronize Interface" notes in GUI.

    0 Votes, 4 Posts, 2k Views

    You can, yes. Definitely not recommended (mostly for security reasons). Forced to choose, LAN, never WAN.

  • Policy based routing on VIP

    0 Votes, 7 Posts, 3k Views

    I'll have a look this weekend at how severe such a change would be, and if with my PHP skills I consider it practical, I'll do it.

  • Master/Backup problem

    0 Votes, 9 Posts, 3k Views

    Found the problem. The switch did not have the VLAN created, even though it was listed in the Port Channel.

  • CARP newbie - physical network incoming to 2x pfSense boxes

    0 Votes, 3 Posts, 3k Views

    Ideally? You would want 2 ports on 2 different (redundant/stacked) switches, so that if one of those goes down, it doesn't take down your WAN.

    If you "throw one switch in front of the two boxes" you're creating another SPOF…

  • What is the proper procedure for manual failover from Master to Slave?

    0 Votes, 4 Posts, 8k Views

    Yep

  • How to connect 2 bridged WANs to a switch?

    0 Votes, 1 Post, 1k Views

    No one has replied.

  • CARP + igb NIC Kernel Panic in 2.0.1 Release

    0 Votes, 5 Posts, 2k Views

    Hey Jim,

    That appears to have worked great! Everything ran fine through my tests, both Master and Backup. Thanks very much for your help. Much appreciated.

    Aaron

  • Packet filter fixes CARP echoes?

    0 Votes, 5 Posts, 4k Views

    Hi jimp,

    Wouldn't it be prudent for pfSense to have a CARP-aware IGMP client, so it can correctly register its multicast membership with the local switch? This would allow CARP on pfSense to become compatible with IGMP snooping. It might also lift the requirement on ESXi to set the VDS port group in promiscuous mode. I know Windows 2k8 R2 NLB (Network Load Balancer) uses multicast together with an IGMP client, and that runs just fine without compromising security in promiscuous mode.
    Maybe a feature request?

    Thanks for sharing your thoughts!
    Jori Huisman

  • WAN failover w/o redundant PFSENSE boxes

    0 Votes, 2 Posts, 1k Views

    Yes, it does support it. Use search; you'll find a lot of discussion.

  • CARP w/Cable modem

    0 Votes, 3 Posts, 2k Views

    Excellent; I should have known. Y'all are all over everything else. ;D

  • pfSense failover with DHCP on WAN side

    0 Votes, 3 Posts, 4k Views

    Sadly, I would have to switch to one of my ISP's business offers. That would cost more than double and deliver some telephony service I'd have to pay for but would not use. Anyway, as I found no clean way of doing this with pfSense, I tried to verify that setup with OpenBSD and I'll stick with that for now. Using ifstated together with CARP, you can simply ifconfig down the external interface automatically so it will not interfere with anything on the outside.
    It's a pity I'm not really good at anything related to programming but a little shell scripting, otherwise I would try to implement some system triggers (i.e. Disable Interface X) in case of CARP failover for pfSense. I really like pfSense, it's the best Open Source firewall distribution there is. Maybe someone else likes the idea and implements it ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.