• CARP NAT rules not working

    Locked · 6 Posts · 0 Votes · 5k Views
    cmb, I went back to the book and learned quite a bit. I was misunderstanding the options in the rules setup; thank you for giving me a direction to look in. I have it working now. In the end I had a look through the firewall logs and saw the 'easy setup' option to create an allow rule and followed the syntax. I didn't realize the feature was there; I'll remember next time.
  • Multiple public IP's to L2 switch with vlans

    Locked · 3 Posts · 0 Votes · 3k Views
    Answering only the first: do you have these kinds of rules set on your VLANs? "from VLAN subnet (or any) to any". If yes, then the problem is your rule sets. You can create an alias called localnetworks and add all local networks to that alias. Then add this rule to your VLANs: block from VLAN subnet (or any) to "local networks", and make sure that this rule is above any other rule.
  • Unique ISP set up

    Locked · 2 Posts · 0 Votes · 2k Views
    Has to be static and all on the same subnet so that won't work for stateful failover. You can do CARP only on your internal interface, and just lose all your states when you fail over. That's what I do on one of my WANs at home where I can't get static IPs, have two DHCP IPs and just live with losing states when it fails over.
  • Problem with intermittent connectivity issues to multi WAN CARP

    Locked · 3 Posts · 0 Votes · 2k Views
    More info. I have another NAT mapping, identical to the 443 one, but for port 25. It works perfectly. So I tried to change the NAT like so:

    WAN2    TCP    *    *    IP3    444 (HTTPS)    PDC    443 (HTTPS)

    And that works perfectly. Accessing it on http://IP3:444/ always works. Changing it to:

    WAN2    TCP    *    *    IP3    443 (HTTPS)    OTHER_SERVER    443 (HTTPS)

    causes the same issues, hence it is not the destination server at fault. The other mapping I have is also identical to the 443 one, but for port 80. This one works too. As I said, loading the NAT on IP1 (the WAN2 real IP) works to 443. The state table entry after a telnet that connected/disconnected looks like this:

    tcp PDC:443 <- IP3:443 <- 96.55.212.111:64668 ESTABLISHED:ESTABLISHED
    tcp 96.55.212.111:64668 -> PDC:443 ESTABLISHED:ESTABLISHED

    Any help would be appreciated.
  • Multi IP, Failover, 1:1 Nat, custom NAT, VPN, passthrough = Headache

    Locked · 1 Post · 0 Votes · 2k Views · No one has replied
  • Multiple ips / VIP's?

    Locked · 6 Posts · 0 Votes · 2k Views
    That might work, but I think the problem is in the basics of networking: the gateway has to be on the same network. With that said, you can't use CARP virtual IPs. You can use the PARP or IP alias version of virtual IP.
  • Can I set up CARP with only two NICs?

    Locked · 6 Posts · 0 Votes · 3k Views
    It's for security and performance reasons. Detailed explanation in http://pfsense.org/book
  • a somewhat strange problem with VIP 1:1 NAT reachability

    Locked · 1 Post · 0 Votes · 2k Views · No one has replied
  • Virtual IP's with a /24 public subnet

    Locked · 7 Posts · 0 Votes · 4k Views
    Update, I finally got the ISP out there and it was an issue on their side so all is well now.  Thanks again!
  • Programmatically failover or disable CARP?

    Locked · 6 Posts · 0 Votes · 7k Views
    Okay, from my testing, it seems that this works just fine: /sbin/sysctl net.inet.carp.allow=0, or set it to 1 to re-enable.
  • Xml-rpc failure

    Locked · 2 Posts · 0 Votes · 2k Views · marcelloc
    Create another VLAN and assign it to a sync interface. Then assign this VLAN to a sync interface and allow all traffic on it. I prefer using VLANs so I don't have many cables plugged into my firewall.
  • [SOLVED] Firewall rule on CARP interface keeps being deleted after sync

    Locked · 34 Posts · 0 Votes · 23k Views
    Edit your first post's subject with [SOLVED].
  • CARP totally working, except that it's not

    Locked · 7 Posts · 0 Votes · 4k Views
    Yeah, no problem. The router had already been in production for a while and had some NAT port forwards configured, and the associated firewall rules autoconfigured. I assumed those rules would carry right over to the CARP setup because the destination was WAN. I went to make a new rule for some reason or another and noticed that there was a new destination choice called WAN CARP (what I had named that VIP). When I realized the firewall was discriminating between real IPs and virtual IPs, I had my answer. I guess I just assumed that my rules were all per-interface, but they're actually more granular than that. Changed all my regular stuff to the CARP destination and set ICMP to pass on anything and everything worked correctly. I thought I'd have to do some manual outbound rules as well, but so far that doesn't appear to be necessary. I'll have to read more about that to know for sure, though.
  • WAN with PPPOE dynamic IP and alternative static IP

    Locked · 4 Posts · 0 Votes · 4k Views
    @rootlurker: Hi, I thought you had 5 STATIC IPs assigned by your ISP, and you also said it is on a dynamic IP? Also, "So how do I get the WAN IP to respond to one of my static IP's?" Which WAN IP?

    Hi, the weirdness of BT's setup is that when you connect using PPPoE they assign your connection a dynamic IP. However, we have 5 static IPs that we pay extra for, so somewhere in BT's network they know to route traffic for those 5 IPs to our dynamic IP. This works fine when we're dealing with another machine on the network: we just set up a 1:1 mapping, and the packets coming in on that IP go to the local machine, and packets destined to go out over the WAN appear to originate from the static IP. It all works fine using 1:1 mapping when there's another machine on the network, but in my case the pfSense box needs to be a VPN endpoint, so I need it to act on traffic coming in from one of the static IPs itself, and that is what I can't figure out how to do! Thanks
  • Load balancing multiple internet feeds

    Locked · 2 Posts · 0 Votes · 2k Views
    Hi, pfSense can do the load balancing and the failover ability you know from your actual system. The difference between load balancing in pfSense and Barracuda is that, as you wrote, Barracuda can detect the less busy WAN and redirect traffic to this WAN. pfSense is "just" doing a round robin. There is no difference whether a WAN has high load or not. To configure this in pfSense 2.0, just create the three gateways, put them all into a gateway group with the same tier, and choose this gateway group in your firewall rules as the gateway for outgoing/outbound traffic. This is a really easy setup in pfSense 2.0.
  • PFSENSE failover @ home

    Locked · 3 Posts · 0 Votes · 2k Views · marcelloc
    You may need to change the DSL modem to a router because CARP needs at least 3 IPs on the same subnet. I don't know if there is a feature to not start WAN auth while in backup mode.
  • Carp design verification

    Locked · 2 Posts · 0 Votes · 2k Views
    That setup would work for failover, yes, though you might want to call that dedicated interface "SYNC" to avoid confusing people when posting about it. pfSense doesn't support active-active, so you can't do load balancing between the two boxes.
  • [SOLVED] CARP switching with apparently no reason from master to slave

    Locked · 3 Posts · 0 Votes · 4k Views
    Hi, thanks to the help of Jim, the problem has been identified. Some of the outbound NAT rules had "source=any", so the CARP packets were also NATed somehow, and this led to an "inconsistent" CARP state. The problem was solved by assigning each outbound NAT rule a proper source other than "any". After this, Ermal added some code (that will be released with 2.0.1 RELEASE) to avoid this issue in any case (http://redmine.pfsense.org/issues/1954). Thanks to Jim and Ermal for their support! Michele
  • Restarting after adding VLAN -> really necessary?

    Locked · 8 Posts · 0 Votes · 3k Views
    K. Thank you guys. You helped me a lot. Really nice to have such a good working community here. Maybe someday I will add my part to make it even better. In my opinion we can close this thread.
  • Configure active/active redundancy firewall

    Locked · 2 Posts · 0 Votes · 3k Views · marcelloc
    You can balance firewall work when using packages. Use NAT/firewall on box1 and Squid on box2, for example. An active/active firewall can be done with CARP, but it's not designed for it, so it is not supported. Take a look at this forum topic: http://forum.pfsense.org/index.php/topic,40917.0.html
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.