• Looking to set up CARP, have a few questions

    Locked
    0 Votes
    4 Posts
    2k Views

    @cmb:

    You can't. Your interconnect with your ISP must be a /29. They should be willing to switch you over to that, it's not an uncommon request since basically every router/firewall redundancy protocol requires it.

    Ok, that's what I thought.
    I'll see about getting that changed.

  • XMLRPC sync problems!

    Locked
    0 Votes
    4 Posts
    3k Views

    link light blinking rapidly wouldn't be indicating traffic (if it actually is the link light, should have a different light for activity if it has one at all), that's more likely to indicate link cycling on the NIC. I have seen NICs not play nicely when directly connected, does it behave better if you throw a small switch between? That'd at least confirm or deny that suspicion.

  • Single Incoming Physical WAN to LAN and DMZ

    Locked
    0 Votes
    6 Posts
    3k Views
    marcelloc

    To use carp you will need one real ip for each pfsense plus all others using carp.

    I suggest you use one of your 4 ethernet ports to sync between boxes.
    A new feature on 2.x that will help on vip assigns is in this post from jimp
    http://forum.pfsense.org/index.php/topic,45209.msg240909.html#msg240909

    After sync and carp, just create your 1:1 nat on firewall -> nat and then change your outbound nat to manual to create your specific outgoing nat translation rules.

    By default, all interfaces but lan have no access to anywhere. You will need to change this default rule to deny access from lan to dmz.
    All other rules you can create on interface that traffic starts. If you want to allow internet access from a host on dmz, the rule will be on dmz. If you want to allow that everyone can reach your web server, then rule will be assigned on wan.

  • 2 pfsense, different LAN:s but WAN on same subnet (SOLVED)

    Locked
    0 Votes
    2 Posts
    2k Views

    I gave this a second thought, and realized this just can't be possible!
    So down to the cellar again, testing a third cable and another port on the switch - now it works!

    Nothing wrong with config, most likely the switch "remembering" where that host is. (Sometimes I miss those good ol' hubs!  ;) )

  • Multiple WAN IP Issue with Vmware pfsense **fixed**

    Locked
    0 Votes
    4 Posts
    3k Views
    ptt

    In the docs there is a description of the different VIP types: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

  • XMLRPC sync not syncing rules after upgrade from 1.2.3 to 2.0

    Locked
    0 Votes
    9 Posts
    14k Views

    I know this thread is old, but I just wanted to comment that I ran into this issue also and noticed that on the 2.0 version there is a setting under on primary node go to Firewall --> Virtual IP's --> Carp --> scroll down to "remote system password" here you can enter the new system password.

  • Is VLAN needed for pfSense

    Locked
    0 Votes
    5 Posts
    3k Views

    Thanks Perry

    Have switched better all mine PC and VoIP to LAN Subnet 192.168.2.0/2 and use LAN Gateway 192.168.2.101 from HP pfSense.
    Works excellently. Now must I more learn about pfSense.

    No PPPoE, no DHCP, all statically.

    Have in

    /etc/rc.conf

    ifconfig_msk0="inet 192.168.2.3 netmask 255.255.255.0"

    pfSense

    defaultrouter="192.168.2.101"

    ADSL Modem

    #defaultrouter="192.168.1.110"

  • Adding CARP address makes Proxy ARP fail…?

    Locked
    0 Votes
    19 Posts
    11k Views

    Cool thanks I can confirm this working.

  • Help with vips setup

    Locked
    0 Votes
    9 Posts
    3k Views
    marcelloc

    When enabled, everything that passes through firewall will be nated using interface address. Just like the rule created to wan when you select outbound.

    It's done on pf level, not in gui.

  • PfSync send errors

    Locked
    0 Votes
    11 Posts
    5k Views

    I got a chance to power cycle the Master today. That did not help. Since this problem started occurring after upgrading to 2.0.1, I'm tempted to open a bug report. The issue seems to relate to the number of states we are running. We had been set up (by default I think) for 388K states. As we were running as much as 350K states I changed the systems to support 800K states - that seems to have made the problem a little worse. I cannot see a way to configure my way out of this issue, I believe the hardware and physical layer are working properly (can't find any problems there). Any other thoughts from the community are appreciated.

  • [SOLVED] Still problems with pfsense CARP trigger

    Locked
    0 Votes
    15 Posts
    7k Views

    @jimp:

    Ah, the 'carp' bit was probably left over from 1.2.3 and not updated. If you just use "vip" it may work also.

    That file isn't written from the GUI, it's just there on the install. It would be overwritten during an upgrade, but it's left alone otherwise.

    That explains a lot.

    I use explicit vip1 because we also have a vip2 and that may not trigger the bridge port to UP or DOWN.

  • Second subnet on 2 Node Carp setup

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    That should work exactly as you describe, though you will need to make sure your firewall rules on that interface will pass traffic from the new subnet.

    I've done that several times

  • CARP with Multi WAN + Multi LAN

    Locked
    0 Votes
    5 Posts
    2k Views
    marcelloc

    @network1:

    What I've done is gone to Virtual IP's > Created a new IP Alias and Assigned it to WAN CARP interface. This has replicated over onto my other box so presume this is the way to do it?

    assign a valid ip on each wan interface
    configure sync between pfsense boxes (use a dedicated interface for sync or a vlan)
    go on firewall -> virtual ip and add a carp ip (not an ip alias) with the same subnet you configured wan interface

  • Best way to add a large block of public IPs

    Locked
    0 Votes
    6 Posts
    2k Views

    Performance isn't relevant to VIPs. It's best to have the bigger subnet routed to an IP in your smaller subnet, but VIPs are generally fine too, though that gives you less flexibility on using the second subnet.

  • CARP

    Locked
    0 Votes
    3 Posts
    2k Views

    Should work fine in Player since it's the same as Workstation from the hypervisor perspective.

  • Ifpriority error message

    Locked
    0 Votes
    1 Posts
    972 Views
    No one has replied

  • How to Separate LAN User Public IP and Server Public IP

    Locked
    0 Votes
    5 Posts
    2k Views

    I see.. okay, thank you very much…

  • Two VIPs showing as MASTER on both servers, all others are working fine.

    Locked
    0 Votes
    4 Posts
    2k Views

    Taking a second look through everything, turns out I had the problematic vlans assigned to the wrong interface in pfSense. Once I got that straightened out, everything started working.

    facepalm

    Thanks again for the help.

  • DHCP in Failover mode all states in recover, Remote relationship names

    Locked
    0 Votes
    3 Posts
    2k Views

    Hello jimp,

    Luckily I am running 2.0.1 so that is all good. I double checked the IP's and found I was using the failover interface address and not the address of the backup in each VLAN. I have changed this and all is now working.

    Cheers

    Alan

  • PFSense 2.0.1 CARP - DHCP and NAT don't work properly.

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp

    I responded to the thread on 1. Easy to get that config wrong.

    As for 2, without seeing your exact list of outbound NAT rules it's impossible to speculate what isn't configured right there.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.