If the /29 is routed to your CARP VIP, and not the WAN IP, it should follow from one box to the other.

I'm not sure about the load balancer, I thought that failed over as well but I haven't tried it myself.

Never heard of anything like that, I setup at least a couple CARP installs every week with VoIP behind them, and have done some for VoIP providers with thousands of simultaneous calls going through.

You have to uninstall open-vm-tools package before upgrading or you'll end up in a panic loop.

Could be a problem with a conflicting VHID, or any number of other things, hard to say without digging into packet captures.

Can your pbx use stun to let the server determine the wan ip?

If you need a stun server setting you can use stun.sipgate.net:10000 although your itsp may have their own or there may be one closer to you.

A few questions.

"every time I restart one of the boxes, I need to get into the carp settings and click save for the Sync states so it returns to work."

Q1. Which box do you have to log into, the box you restarted or the box that is currently running?

Q2. Can you post the settings you have enabled on the "Carp Settings" tab?

Q3. How are you checking the states, just visually?

I ask the last question because my states are set to sync and they do, however they do not line up line for line.  Just wondering if that's what you were expecting.

What kind of detail do you want? There is just shy of a full page in the book that covers the VIP types and how they work. It's section 6.8, page 119 in the print edition.

There is a little more info in the doc wiki as well.

Given what you've shown there, either Proxy ARP or CARP type VIPs should work for you. You can forward the ports like you describe in #1 just fine.

You can't do scenario #2 unless you bridge an interface to WAN. Doable, but bridging can get ugly.

Hi,

Many thanks for the answer. I'll try it soon.

Yes, if you have CARP setup properly, if any one interface fails, the box will cut over to the secondary.

Also, found a gotcha with Virtual IP sync that's worth noting.  The sync doesn't work properly – the virtual IP appears on the slave, but in the CARP Status page it lacks a carp interface.  It won't function until you edit the virtual IP assignment (on the slave) and click Save without making any changes -- after that it functions.

You can do multiple CARP VIPs on the WAN with 1.2.3, there isn't a problem with that.

Not sure what you might have been seeing that suggested you need 2.0, perhaps you were looking for IP aliases and not CARP VIPs. If you want multiple IPs on a failover cluster, you'd need CARP VIPs anyhow.

pfSense doesn't yet support active/active even in 2.0.

Whoa, I knew it's not problem of pfSense. My co-worker had done mistake in ESX advanced configuration - the 'Net.ReversePathFwdCheckPromisc' parameter must have the value of '1'.

This is mostly a routing way of doing.
You can do through gateway failover or through ospf routing protocol.

So each of you should see the others firewall as a provider/gateway

Note: I believe this should be moved to Routing/MultiWan

I wasn't able to make this work. I made a better diagram:

Note the "Desired Configuration" on the image.

I can see connections coming in from the internet on the 30.10.0.2 IP just fine. The Cisco still routes this connection because the IP is on its subnet and it is directly accessible.

But replies will go out through the pfSense because that's the default gateway of the client.

How can I make the pfSense route connections from 30.10.0.x/26 back to the Cisco?

I tried using policy routing with a rule of Source 30.10.0.x/26 -> gateway IP: 192.168.100.1 (dedicated VLAN interface to Cisco) - but, initially, pfSense just dropped the packet and didn't even let it exit the firewall even with a 'pass all' rule. I had my head scratching for a few hours until I tried changing 'keep state' to 'none' on the rule, and I could now see it leave the DMZ interface, but it now gets stuck trying to exit the VLAN interface. The 'none' trick didn't work here, no matter what I tried (pass all, etc), the firewall didn't let the packet go out.

Here's the packet getting stuck on its way out:

My understanding is that the following needs to happen:

I looked through the pfSense book several times but couldn't find a similar scenario.

Any ideas? Is this even possible or is there a better way?

(I'm still not sure whether the Cisco will allow these packets to go out, they probably wouldn't have any state associated and they would come in on a different interface - the VLAN.)

I have the exact same problem as the thread starter. As a workaround it works like gullio said, but only for a few hours.
The WAN interface is the via-rhine nic of my Via Epia-M. This nic is connected to a Cisco 1700 router from my ISP.
Is it ARP related? Would it help to use another nic for WAN?

CARP systems must have an identical set of interfaces in the exact same order.

That has always been the case.