• Other way for redundancy

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    It wouldn't sync the interface config (WAN, LAN, etc) and IPs, so you'd have a lot of manual changes to make.
  • VIP with defined MAC Address

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    J
    I have also recently switched to U-Verse and have a 2Wire but a 3600HGV (I think this RG is just like a 3800HGV but no TV and/or phone) for Internet only with a block of 64 public static IPs (61 usable). I simply hate the U-verse RG no bridging allowed to my current Netopia firewall. After doing some research I want to build/use a pfSense box in place of my old Netopia - so right now am playing around with pfSense in a VirtualBox environment with two real physical NICs. I too am trying to pass through my public IP addresses across the pfSense box. I see that this thread identifies a solution: CARP type virtual IP addresses should report as having distinct MAC addresses. However I am so new to pfSense I just don't understand either the above "solution" or even how to set up my system with U-verse, although once it is configured I am pretty comfortable with entering my own "Firewall: Rules". I would be very grateful for any sort of step by step configuration (mini guide or recipe that I can follow) such that I can put pfSense between my 3600HGV and my internal network with both private address space boxes and also the assigned public static IPs. Thanks in Advance
  • CARP with only one available WAN ip address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    There is no currently supported/working way to do CARP on WAN with a single IP address. You need at least three: One for each box, and the shared CARP VIP. This may change in the future if carpdev ever makes its way in. From what I understand that lets the routers have IPs in a separate subnet from the shared IP. But for now, with only a /30 on WAN, something will have to talk to that. In doing so, however, you lose the high availability that CARP gains you and you're back to a single point of failure.
  • CARP and VLANs

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    L
    You need a CARP per each VLAN. The behaviour is like HSRP, so read about HSRP and you will understand how CARP is working; it is the same.
  • Kernel: arplookup x.x.x.x failed: host is not on local network

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    L
    Same problem here related with DD-WRT wireless access point behaviour. The problem disappeared after the AP was rebooted to appear again after it was running again. So looks like a problem in the remote side, not in the pfsense, just it complains about something strange.
  • CARP Failover problem with one physical pfsense and one vmware

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • WAN failover via CARP or not?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    J
    Are your firewall rules set to use the LB pool as the gateway?
  • 0 Votes
    4 Posts
    2k Views
    ?
    I think you'll find that after the initial setup, you'll need help with projects over the next year including, but not limited to upgrading to 2.0 and deploying some of the nice features 2.0 has.
  • 0 Votes
    4 Posts
    5k Views
    L
    Hello Devnull, I have the same problem, too. The problem is related to the MAC address which CARP/VRRP uses. It is not exactly a multicast MAC address, but a special class of MAC designated to CARP/VRRP implementations. Packets from Windows NLB IPs work properly, because they are going to real multicast MAC addresses. I guess the Linux bridge doesn't manage CARP packets properly. I'm thinking of migrating my virtualization servers to VMware, where I need this feature. Regards,
  • Multiple Gateway IP for LAN

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimp
    If there are really other gateways for each of these other subnets, you can add them in as static routes. However, if pfSense needs to talk directly to each of these subnets and be their gateway, that is not possible to do with failover in 1.2.3. In 2.0 you can add IP Alias VIPs, and then add CARP VIPs in the same subnet, so it's possible, but ugly. If you have good switches, consider separating each subnet into its own VLAN, make the pfSense LAN port a trunk port on the switch, and set up a VLAN tagged interface for each subnet's VLAN.
  • Incoming Load Balancing with dynamic WAN IP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    Hi… not sure if my question was particularly difficult, or if it's too easy... I would really appreciate it, if someone had a hint for me. I am currently using pfSense 1.2.3 - but would be willing to try upgrading to 2.0. Thanks!
  • MOVED: PFsense 2.0 Loadbalance SIP Traffic?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfSense failover… getting started

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    T
    I'm not sure.  Just curious what all pfSense, or any router for that matter, can do.
  • State tables seem not to be synced

    Locked
    25
    0 Votes
    25 Posts
    11k Views
    C
    jimp: Have you seen that I have the same problem with 2.0? http://forum.pfsense.org/index.php/topic,28442.0.html
  • Cannot access my FTP server using VIP as proxy ARP

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    S
    @c0urier: Just had the same issues. My fix was to enable passive mode in vsftp and do some port forwards for the passive ports and that did the trick. The problem I had was that I could not resolve the external IP, only the internal which does not work with passive mode. Since you don't write what version of pfSense nor what FTP application it's pretty hard to give you direct help. For me anyway! Hi c0urier, To be exact, the pfSense version I'm using right now is 1.2.3 and the FTP server is Filezilla. I think it's something related to the VIP since I'm able to reach the FTP box internally. Hope this clarification could shed more light on this. Thank you. Carlos.
  • NetGear Router can't use Carp

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    Right so had a rummage in the log files and worked out what the problem was. Block Sep 8 15:41:43 WAN xxx.xxx.xx.xx:535 172.16.0.244:80 The port-forwarding rules that I had set up in NAT were only allowing connections from the "interface address", i.e. the real IP of gateway-1 or gateway-2's WAN interface. Selected to allow from the wan-carp interface "172.16.0.244" and all is now working well. Sorry for spamming forum, hopefully someone might find it useful at some point.
  • Carp Slave, no internet access

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp
    Traffic leaving the pfSense box itself does not have NAT applied, so that cannot be the issue. It would have to be your WAN settings, or ISP routing to your slave system's WAN IP. It may work for clients behind the system when failed over because routing for the CARP VIP (and WAN IP on the master unit of course) may be correct. Double check your WAN configuration (subnet mask, etc) and confirm with your ISP that the IP address you are using is properly routed to you.
  • Can't seem to be able to setup a WAN VIP for carp

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    K
    Thanks Jimp, Right on the spot…
  • CARP on OPT1, OPT2… Not working, works fine on WAN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T
    No change, I realize having 2 NICs on same subnet is not a good idea, but this gave me the ability to offload a bunch of PARP addresses to one NIC and a bunch more to another. Mostly just so high volume services can be split up across available interfaces. This did work using no CARP addresses, just PARP type virtual IP addresses. I really like the CARP and failover works great including state tables. Is my only option to bond the NICs together? I can do that, but last time I tried bonding WAN, OPT1, OPT2 together I ended up re-installing and restoring the config file. So a little hesitant on trying it again. The CARP only seems to work on the WAN interface alone, nothing I do allows me connections from OPTx using CARP Address.
  • PfSense CARP VIP and Level 3 switch: unable to ping…

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    C
    It's only multicast between the firewalls, that should have no implications on whether or not you get ARP from that IP.