@GruensFroeschli:

You got the AoN rule wrong.
This rule is for outbound traffic.
So the source sgould be the server and not any,
and the destination should be any and not the server.

Awesome! It's working!

Thanks a lot GruensFroeschli

Not usually.

The WAN IP is still needed since it will be used for the firewall itself, just not for traffic leaving your LAN.

As for the outbound NAT rules, they are processed in a first-match-wins fashion. If you have three rules that specify traffic from LAN uses a VIP, it will use whichever one is on top, it won't skip it to use the next one down to do any kind of balancing.

If you want to use them all for your LAN, you'd have to specify the rule in such a way that it matched a different portion of your LAN for each VIP.

@jimp:

The bridging is what creates the loop, not being plugged into WAN and OPT1.

When you bridge two interfaces, you essentially bond them together and combine the WAN and OPT1 networks. Doing this once is fine, doing this twice creates a loop.

Bridged interfaces do NOT have a CARP IP assigned, and work nothing like traditional interfaces with CARP IPs, which is why there are so many warnings. Unless you deactivate the bridge somehow (STP, script, devd, etc) both bridges are always active.

Thanks for your reply. Now I understand why its creates a loop, because the bridged interfaces are both active. Then I will try using the STP method. Thanks for your help and time.

Correct, you will add one VIP for each additional IP that you want pfSense to own.  The WAN interface already owns one of the IPs and the Comcast gateway own another.

Are there any tutorials out there that show a typical virtual IP setup?  The interface seems relatively self-explanatory, the port forwarding just isn't happening.

Another weird thing that happened when I had pfSense in place is that I couldn't rdp to one of my customer's servers.  When I put the Endian back in place it worked fine.  I didn't dig into anything at the time to figure out why, but all outbound connections from the lan to the wan were supposed to be permitted based on the first firewall rule that is there by default.

Thanks
-Rich

Ok, many thanks! i'll install VMWare and i'll try with it.

Hi again,

Under 1.2.3-RELEASE, it seems that when I edit the config.xml with the following :

@bb-mitch:

TO MAKE THE CHANGE PERMANENT ADD COMMANDS TO CONFIG FILE (DOWNLOAD, EDIT, RESTORE) JUST BEFORE SECTION

<shellcmd>/sbin/ifconfig fxp0 10.0.0.1/24</shellcmd>
OR
<shellcmd>/sbin/ifconfig fxp0 alias 10.0.0.1/24</shellcmd>
AND
<shellcmd>/usr/local/bin/redir –lport 8989 --cport 80 --caddr 10.0.0.138 &</shellcmd>

… the SNMP daemon fails to start properly.  If I stop then restart the daemon from the GUI, all returns to normal, but ideally I'd like to be able to have the additional IP and the REDIR happening on startup without any other complications.

It also occurs to me that if this interferes with SNMP, it might also interfere with other processes I haven't yet detected.

Any thoughts?

-- Phob

Thanks makes perfect sense. Thanks. I should be getting the book delivered this week. The install wouldnt be til Aug so I have some time to test everything out. Know a little about VLANs but correct me if I am wrong, I could get switches that have vlan capabilities so I dont have to buy those little switched right? Each Cat5 feed would go to a separate switch with the power going to a APC7750 for redundant power. IPs arent a problem, I have 16 priced in and adding more is only a few more bucks a month.

Thanks again
Jon

Help Please. i have 2 pfsense servers with CARP enabled…failover and VIP works fine but can't get squid to work with VIP.
I have squid installed on both servers and it works when sending traffic to the individual IP's but doesn't work with VIP. Is there anything i'm missing here ?
your assistance will be much appreciated.
Thanks

The problem (question) is I can't see this automatically added rule but CARP works.

# pfctl -sr | grep vlan16 block drop in on ! vlan16 inet from 10.29.252.0/24 to any block drop in on vlan16 inet6 from fe80::211:aff:fe53:4460 to any pass out quick on vlan16 all flags S/SA keep state label "let out anything from firewall host itself" pass out quick on vlan16 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself" pass out quick on vlan16 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself" ... user rules ... pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = 8039 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost" pass in quick on vlan16 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"

I didn't do anything and it works today.
OK i to be exactly truthful i did hard reboot yesterday before i went home. :-)

Is there any solution for this problem ? or any work around ,
i want to test my settings before moving to production .
should i expect save behavior from VMware as well ?

It's a non-issue on 2.0, where IP aliases are handled in the GUI as a type of Virtual IP.