Are your firewall rules set to use the LB pool as the gateway?

I think you'll find that after the initial setup, you'll need help with projects over the next year including, but not limited to upgrading to 2.0 and deploying some of the nice features 2.0 has.

Hello Devnull,

I have the same problem, too. The problem is related to the MAC address which CARP/VRRP uses. It is not exactly a multicast MAC Address, but a special class of MAC designated to CARP/VRRP implementations.

Packets from Windows NLB Ips works properly, because they are going to really multicast MAC Addresses.

I guess the Linux Bridge don´t manage CARP packets properly.

I´m thinking in migrate my virtualization servers to VMWare, where I need this feature.

Regards,

If there are really other gateways for each of these other subnets, you can add them in as static routes.

however, if pfSense needs to talk directly to each of these subnets and be their gateway, that is not possible to do with failover in 1.2.3. In 2.0 you can add IP Alias VIPs, and then add CARP VIPs in the same subnet, so it's possible, but ugly.

If you have good switches, consider separating each subnet into its own VLAN, make the pfSense LAN port a trunk port on the switch, and setup a VLAN tagged interface for each subnet's VLAN.

Hi… not sure if my question was particularly difficult, or if it's too easy... I would really appreciate it, if someone had a hint for me. I am currently using pfSense 1.2.3 - but would be willing to try upgrading to 2.0.

Thanks!

I'm not sure.  Just curious what all pfSense, or any router for that matter, can do.

jimp: Have you seen that I have the same problem with 2.0?
http://forum.pfsense.org/index.php/topic,28442.0.html

@c0urier:

Just had the same issues.

My fix was to enable passive mode in vsftp and do some port forwards for the passive ports and that did the trick. The problem I had was that I could not resolv the external IP, only the internal which does not work with passive mode.

Since you don't write what version of pfsense nor what FTP application it's pretty hard to give you direct help. For me anyway!

Hi c0urier

To be exact, the PFsense version I'm using right now is 1.2.3 and the FTP server is Filezilla. I thinks it's something related to the VIP since I'm able to reach interally the ftp box.

Hope this clarification could give more lights on this.
Thank you.

Carlos.

Right so had a rummage in the log files and worked out what the problem was.

The port-forwarding rules that I had setup in NAT were only allowing connections from the "interface address" ie. the real ip of gateway-1 or gateway-2's Wan interface.

Selected to allow from the wan-carp interface "172.16.0.244" and all is now working well.

Sorry for spamming forum, hopefully someone might find it useful at some point.

Traffic leaving the pfSense box itself does not have NAT applied, so that cannot be the issue. It would have to be your WAN settings, or ISP routing to your slave system's WAN IP. It may work for clients behind the system when failed over because routing for the CARP VIP (and WAN IP on the master unit of course) may be correct.

Double check your WAN configuration (subnet mask, etc) and confirm with your ISP that the IP address you are using is properly routed to you.

Thanks Jimp,

Right on the spot…

No change, I realize having 2 nics on same subnet is not a good idea, but this gave me the ability to offload a bunch of PARP addresses to one nic and a bunch more to another. Mostly just so high volume services can be split up across available interfaces.
This did work using no CARP addresses, just PARP type virtual ip addresses. I really like the CARP and failover works great including state tables. Is my only option to bond the nics together? I can do that, but last time i tried bonding WAN, OPT1, OPT2 together I ended up re-installing and restoring the config file. So a little hesitant on trying it again.

The CARP only seems to work on the WAN interface alone, nothing I do allows me connections from OPTx using CARP Address.

It's only multicast between the firewalls, that should have no implications on whether or not you get ARP from that IP.

@cmb:

@jhabers:

Hmm Im using Broadcoms Smart Load Balancing with 4 NICs teamed on each server. Could that be causing confusion?

yeah some load balancing/NIC teaming does that normally. Otherwise it's generally indicative of an IP conflict or ARP poisoning.

thanks, is it safe to ignore those messages? anyway to get them not to log?

As long as IPsec is bound to a CARP IP, it can't come up on the secondary until it's master. If you have dual master status, there's some kind of connectivity problem between the two hosts (though that should be no diff from 1.0.x to 1.2.x).

just curious. why you need multi-wan when your WANs are on the same network segment? CARP should be good enough for fail safe.

by the way, Multi-WAN + CARP should be working on 1.2.3-Release. setup the interface(s) individually from both master and slave, then setup CARP accordingly. and then go for Multi-WAN according to the book just like without CARP.

You can.  That shared IP becomes the source IP of any traffic egressing from your network and you're able to NAT traffic inbound on that interface.

what's line 4693 in your config?