i see.. okay, thank you very much…

Taking a second look through everything, turns out I had the problematic vlans assigned to the wrong interface in pfSense. Once I got that straightened out, everything started working. facepalm Thanks again for the help.

Hello jimp, Luckily i am running 2.0.1 so that is all good.  I double checked the IP's and found i was using the failover interface address and not the address of the backup in each VLAN.  I have changed this and all is now working. Cheers Alan

I responded to the thread on 1. Easy to get that config wrong. As for 2, without seeing your exact list of outbound NAT rules it's impossible to speculate what isn't configured right there.

I was able to connect to my PCs' internet addresses from begin the firewall once I went into Advanced > Firewall/NAT and checked the box labeled: Automatically create oubound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from. In other words, when connected to a PC on my LAN, with that box checked, I can now connect to machines using their internet addresses instead of being forced to use internal, LAN IPs.

@repa: currently only one to test it. Firewall is LAN -> WAN "Default allow LAN to any rule " Outbound NAT is "Manual Outbound NAT rule generation" with no entry. When using manual outbound, you need to specify outbound nat. Change it to manual to test and then Back to manual.

Perfect… Thank you so much for the sparring. :)

Hey,   with 2.0.1 the NAT is not a problem anymore. If you still have the problem, maybe could be a "traffic shaping" queue. I mean, the CARP traffic can be dropped under heavy traffic, and this can bring to an inconsistent CARP status between the master and the slave box. I am not sure, I figure out that could be a traffic shaping problem today… this is my post: http://forum.pfsense.org/index.php/topic,45045.0.html Ciao, Michele

Hello, anyone that can pls confirm this? Now it's 3 days, 6h that the two firewalls are working and everything is going great! The problem was: WAN Interface: x.x.x.x/24 2 CARP VIPs (on 83) were: x.x.x.x/32 The question is: Can this misconfiguration bring to an inconsistent CARP status (half of VIPs Master on one firewall, the other half Master on the other firewall)? Thanks a lot, Michele

All kernels (even Dev) are SMP on 2.0. There is no longer any benefit to loading a uniprocessor kernel (Mentioned a little here but also in more detail by me around the forum). I've had some issues with the dev kernel in certain setups as well but it does a lot more strict locking checking and reporting, which is what you appear to have hit here. We have enough debug info in the stock kernel these days that the full dev kernel isn't quite as necessary on its own, but still useful in rare cases.

Thanks I will discuss it with him. Thanks so much for the help! Chris

@dmitche: Untangle drops all VLAN tags when it rebuilds the packet so I cannot pass and tags to/through it :( create three new vlans, apply it on pfsense and untagle port then you can setup this: workstation –--- vlan19 ------ untagle bridge ----- vlan119 pfsense workstation ----- vlan20 ------ untagle bridge ----- vlan120 pfsense workstation ----- vlan30 ------ untagle bridge ----- vlan130 pfsense assign 10.10.30.1/24 on vlan 130 at pfsense assign 10.10.20.1/24 on vlan 120 at pfsense assign 10.10.19.1/24 on vlan 119 at pfsense

The last IPsec config, if deleted, would not be removed from the secondary in 2.0. That's fixed in 2.0.1.

CARP and multi-WAN are two separate, unrelated things. Though you could hack apinger's config to run a custom script that disables CARP when a WAN goes down and triggers a filter reload, and another one that re-enables it + a filter reload when a WAN comes back up.

you may need to split your questions, I can't see carp issues, just pptp issues To change xml, backup your config first, got to console, remove duplicated entries from /conf/config.xml and reboot.

could be done but not supported officially http://forum.pfsense.org/index.php/topic,40917.0.html