I'm not sure.  Just curious what all pfSense, or any router for that matter, can do.

jimp: Have you seen that I have the same problem with 2.0?
http://forum.pfsense.org/index.php/topic,28442.0.html

@c0urier:

Just had the same issues.

My fix was to enable passive mode in vsftp and do some port forwards for the passive ports and that did the trick. The problem I had was that I could not resolv the external IP, only the internal which does not work with passive mode.

Since you don't write what version of pfsense nor what FTP application it's pretty hard to give you direct help. For me anyway!

Hi c0urier

To be exact, the PFsense version I'm using right now is 1.2.3 and the FTP server is Filezilla. I thinks it's something related to the VIP since I'm able to reach interally the ftp box.

Hope this clarification could give more lights on this.
Thank you.

Carlos.

Right so had a rummage in the log files and worked out what the problem was.

Block Sep 8 15:41:43 WAN xxx.xxx.xx.xx:535 172.16.0.244:80

The port-forwarding rules that I had setup in NAT were only allowing connections from the "interface address" ie. the real ip of gateway-1 or gateway-2's Wan interface.

Selected to allow from the wan-carp interface "172.16.0.244" and all is now working well.

Sorry for spamming forum, hopefully someone might find it useful at some point.

Traffic leaving the pfSense box itself does not have NAT applied, so that cannot be the issue. It would have to be your WAN settings, or ISP routing to your slave system's WAN IP. It may work for clients behind the system when failed over because routing for the CARP VIP (and WAN IP on the master unit of course) may be correct.

Double check your WAN configuration (subnet mask, etc) and confirm with your ISP that the IP address you are using is properly routed to you.

Thanks Jimp,

Right on the spot…

No change, I realize having 2 nics on same subnet is not a good idea, but this gave me the ability to offload a bunch of PARP addresses to one nic and a bunch more to another. Mostly just so high volume services can be split up across available interfaces.
This did work using no CARP addresses, just PARP type virtual ip addresses. I really like the CARP and failover works great including state tables. Is my only option to bond the nics together? I can do that, but last time i tried bonding WAN, OPT1, OPT2 together I ended up re-installing and restoring the config file. So a little hesitant on trying it again.

The CARP only seems to work on the WAN interface alone, nothing I do allows me connections from OPTx using CARP Address.

It's only multicast between the firewalls, that should have no implications on whether or not you get ARP from that IP.

@cmb:

@jhabers:

Hmm Im using Broadcoms Smart Load Balancing with 4 NICs teamed on each server. Could that be causing confusion?

yeah some load balancing/NIC teaming does that normally. Otherwise it's generally indicative of an IP conflict or ARP poisoning.

thanks, is it safe to ignore those messages? anyway to get them not to log?

As long as IPsec is bound to a CARP IP, it can't come up on the secondary until it's master. If you have dual master status, there's some kind of connectivity problem between the two hosts (though that should be no diff from 1.0.x to 1.2.x).

just curious. why you need multi-wan when your WANs are on the same network segment? CARP should be good enough for fail safe.

by the way, Multi-WAN + CARP should be working on 1.2.3-Release. setup the interface(s) individually from both master and slave, then setup CARP accordingly. and then go for Multi-WAN according to the book just like without CARP.

You can.  That shared IP becomes the source IP of any traffic egressing from your network and you're able to NAT traffic inbound on that interface.

what's line 4693 in your config?

Since your CPE is already a SPOF, you might consider adding a cheap unmanaged switch behind each CPE, then you could have each CPE plugged into each switch directly, instead of having them plugged into only sw1 or sw2. That way if sw1 dies, you still have both ISP1 and ISP2 active.

If a cheap unmanaged switch dies, you only lose either ISP1 or ISP2. Much more desirable scenario than losing both a managed switch and access to one ISP in the process.

That is correct; If one fails they all should fail.

If the settings are right, the next thing to look at would be switches and cabling. It's possible that there is an issue there. I talked to someone last week who was getting odd master/slave flips and it turned out they were using the little switch on the back of their cable/dsl modem and it was not up to the task. Merely sticking a different switch in that role fixed all of the issues.

Great; Thanks! JIMP  I love how this works so well and easy to setup! (With a little help ;) )

Yes so each PC on the network would point to the Gatway IP at the Virtual IP on the LAN port.

There are security issues with doing state sync on LAN, and it can consume a significant amount of bandwidth depending on the rate at which states are added/removed.

No, package settings are not synced between cluster nodes.