Hi Jim, thanks for the answer, I agree. I'll take a look at implementing this if no one beats me to it.

Thank you very much, I'll give it a try.

Ok, how I resolved it. First I tried created a new router from the 1.2.3 VM, and restored the configuration from the original router.  This router had the same behavior as the failed router. Second I copied the running secondary router, made a few adjustments to the config so that it was the primary and it worked. It has now been running for 12+ hours with no problem. I would guess, that I had some config issues that I missed. User error again!

If the /29 is routed to your CARP VIP, and not the WAN IP, it should follow from one box to the other. I'm not sure about the load balancer, I thought that failed over as well but I haven't tried it myself.

Never heard of anything like that, I setup at least a couple CARP installs every week with VoIP behind them, and have done some for VoIP providers with thousands of simultaneous calls going through. You have to uninstall open-vm-tools package before upgrading or you'll end up in a panic loop. Could be a problem with a conflicting VHID, or any number of other things, hard to say without digging into packet captures.

Can your pbx use stun to let the server determine the wan ip? If you need a stun server setting you can use stun.sipgate.net:10000 although your itsp may have their own or there may be one closer to you.

A few questions. "every time I restart one of the boxes, I need to get into the carp settings and click save for the Sync states so it returns to work." Q1. Which box do you have to log into, the box you restarted or the box that is currently running? Q2. Can you post the settings you have enabled on the "Carp Settings" tab? Q3. How are you checking the states, just visually? I ask the last question because my states are set to sync and they do, however they do not line up line for line.  Just wondering if that's what you were expecting.

What kind of detail do you want? There is just shy of a full page in the book that covers the VIP types and how they work. It's section 6.8, page 119 in the print edition. There is a little more info in the doc wiki as well. Given what you've shown there, either Proxy ARP or CARP type VIPs should work for you. You can forward the ports like you describe in #1 just fine. You can't do scenario #2 unless you bridge an interface to WAN. Doable, but bridging can get ugly.

Hi, Many thanks for the answer. I'll try it soon.

Yes, if you have CARP setup properly, if any one interface fails, the box will cut over to the secondary.

Also, found a gotcha with Virtual IP sync that's worth noting.  The sync doesn't work properly – the virtual IP appears on the slave, but in the CARP Status page it lacks a carp interface.  It won't function until you edit the virtual IP assignment (on the slave) and click Save without making any changes -- after that it functions.

You can do multiple CARP VIPs on the WAN with 1.2.3, there isn't a problem with that. Not sure what you might have been seeing that suggested you need 2.0, perhaps you were looking for IP aliases and not CARP VIPs. If you want multiple IPs on a failover cluster, you'd need CARP VIPs anyhow.

pfSense doesn't yet support active/active even in 2.0.

Whoa, I knew it's not problem of pfSense. My co-worker had done mistake in ESX advanced configuration - the 'Net.ReversePathFwdCheckPromisc' parameter must have the value of '1'.

This is mostly a routing way of doing. You can do through gateway failover or through ospf routing protocol. So each of you should see the others firewall as a provider/gateway