Hi Jimp,

Thanks for the advice, I will schedule a window for next week, in the mean time I will try removing the affected addresses and re adding them.

Have a good day,

Great, thanks again for the help.

If you are not using CARP type VIPs, then the IPs will not be pingable.
Look at the wiki-page to VIPs for more information.

You dont need to do anything (like creating a 1:1 forward) for the VIP to function.
The VIP will bind to the interface on which you create it –> Not necessarily on WAN.

You set the subnet on the same page on which you create the VIP.

You can use CARP-VIPs even if you dont need CARP functionality.

If you set up a VIP (any type) and forward stuff from it  (and allow it with firewall rules) to a server behind it should just work.
I'm not sure i understood what your problem was.
Did you test from the outside? Did you try to access it from within your LAN?
Did you look at the pfSense wiki ( http://doc.pfsense.org )?
There are quite a few howtos.

They were definitely both using HTTPS on port 443 with identical passwords.

The weird thing is that there were no errors indicating success or failure in the System Log.  If it claimed bad password or can't connect, then I would have something to work with.

Instead, I'd make a change and nothing would happen.

Also strange was that it would work for a while after a reboot, so it wasn't completely non-functional, it just stopped working after a while? shrug

I believe so, what I do know is they have HSRP configured on their end, which from what I understand is just VRRP, but Cisco's rendition.
Thanks for your help JimP, you are a good man.

Doh!  I read that you're not supposed to define sync settings on the backup so I didn't try that.  It must have meant to not define the other settings near the bottom.:(

Thanks a million, everything works great now.

we basically couldnt get any configuration to work with the opt1 output. so we gave up on that.

currently we have it configured back to the cable modem smc 8014. that has 1 cable go to the pfsense. and 1 cable go to a switch with the xbox's on it. using static ip's.
this way has intermittent issues with allowing the xbox's to stay connected. they always have to retry connection to get it to work.

so now i had an oceanic tech replace the modem. but it is still having the same problem. where it does not always pull the static ip's correctly. they tell me anything after the modem is not their problem. even though all im doing is adding a switch to the modem to allow more ip's to be pulled.

basically i want them to put it in s pseudo bridge mode with statics. this disables everything on the modem/router to allow my devices to pull everything how they want. but oceanic does not support this mode and will not allow the user to put it into this mode. so im at a loss of what to do.

so the tech was cool, and we actually are neighbors. so maybe he will find the right level 3 tech that can help me with my problem

Firewall –> Virtual IPs --> CARP Settings
Is what gets synced.

Read the text by 'subnet mask' carefully. I doubt your WAN is a /32…

Sorry all, got it fixed myself.  Did two things - changed the PARP IP's to single ip's, but each one with a mask of /29 and also refreshed my webserver arp cache so that it wasn't still trying to use the old router as its gateway.

Knew that I'd get there in the end !!

Jake

@Eugene:

Let me give you one advice. Make your life simpler: set up your mail server behind pfSense and that is it.
Mail server[local IP]–----[local IP]pfSense[public IP]–--Provider
Don't waste your time creating messy and hard to troubleshoot set up.

You're right. I kindly asked ISP for more IP addresses, now I'll have /29. Let's say I put the mailserver on separate DMZ, then:

1. configure WAN as x.x.x.6/29, gateway x.x.x.1
2. add CARP address x.x.x.5/29
3. add NAT 1:1 from x.x.x.5/29 to internal server IP on DMZ

Right?

Not sure I understand why you need pfSense to do this.  Sounds like you just need a server running haproxy on your LAN with a VIP.  Why do you need pfSense?  Do you really need to route from one network (LAN) to another (WAN)?

This has been covered many times before, and I believe there is some info in a sticky on one of the boards here.

Also, it's in the doc wiki:

http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

And of course in the book :)

Thanks for the suggestion.  I looked into LAGG but it didn't seem like it was supported in any meaningful way in 1.2.x, and since it's a production environment I couldn't risk running 2.x where it does seem to be supported.

If anyone cares, I did test using CARP/pfsync for switch redundancy and it does work, just as jimp indicated.

Thanks for reply.

In case people still experience this issue (I did very recently), I made a writeup of the solution:

http://sysadminadventures.wordpress.com/2010/03/22/fixing-vm-based-pfsense-carp-announcement-echoes-when-using-teamed-network-adapters/

After doing some more digging, it appears the answer lives here:

http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter

Still a little confusing since this Pipe doesn't really act like a true interface.

Yes, you're correct on both counts.

That should be state table – I fixed that in HEAD.

And you can leave it blank if you want, it will use multicast to update.