I note that we've been here before, I had a good read of:
http://www.mail-archive.com/support@pfsense.com/msg07031.html

Do we have an official stance on this ARP load balancing functionality now?

http://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN
[/ quote]

I've seen that, but so much time ago I used redir and it could just redir tcpp ports. and I need an udp redirect :(

I read the readme from newest version and no mention of udp also

thanks anyway :)

none

You can bridge. Short of a routed subnet or NAT, that's your only option. Details in the book.  http://pfsense.org/book

Only where the package itself supports it, a few of them do but not all.

Conflicting IP or VHID likely.

@stevekez:

Is the kind of setup I describe possible and if so what things do I need to look at when configuring such a thing?

That's one of the most common types of setups I help our support customers deploy. Works great. My presentation from DCBSDCon covered this type of setup. http://www.youtube.com/watch?v=aElQidbWUxA

The book has a lot of content that goes over things you need to consider here.  http://pfsense.org/book

@stevekez:

If there are problems with the above description (such as LAG not working between multiple switches, as I've already identified as a potential gotcha  :-[),
[/quote]

Only lagg with bonding (LACP, EtherChannel) tends to be a problem there. The failover mode is what people generally use for their servers between switches like that.

You need a /29 minimum per interface for CARP. The routed public IP scenario is covered in depth in the book. http://pfsense.org/book

@juliansomers:

However, your reply troubles me somewhat: when you say

don't use PARP with two firewalls, it won't failover properly and will cause problems.
could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens?

That was assuming you put them on both firewalls. If you only put them on one it won't be a problem, but won't fail over either. The proper solution is to have your provider route the additional subnets to one of your CARP IPs, then you can use Other VIPs and will have proper failover.

@GruensFroeschli:

So you created an NAT rule for each VIP?
Did you also create a firewall rule for each VIP?

Sure, I have one NAT rule for one VIP and one OPT1 rule (just to be a clear test). I have no other rules for OPT1 and port TCP 3389 (but I have rule for WAN):

Virtual IPs:
95.XX.XX.36/32 P ARP
95.XX.XX.37/32 P ARP
95.XX.XX.38/32 P ARP

NAT rule:
OPT1 TCP 3389 192.168.28.5 (ext.: 95.XX.XX.37) 3389 TestRDP

OPT1 rule:
TCP * * 192.168.28.5 3389 *

This configuration works only when .37 is the first line in VIPs… If it is second ot third it doesn't work.

As far as i know each box needs a 'real' wan ip which for carp ha would require a minimum of 3 wan ips from your isp, 1 virtual 2 physical.

Packages have to be manually installed on each box.

Hi Dotdash

Cheers for the response, i have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I dont actually need a class A for my DMZ either it just happens to be that this is how it was configured originally and as i have many servers in the DMZ and it works im not going to reassign them all. The reason i have assigned the adskew to 5 and not 0 is so that i can add in my main pfsense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.

Anyway cheers for the assistance, if i have any more probs ill post back…i should know in a day or two if everything is working fine.

Yup, I looked at that. $600 for 5 hours of support, of which I'd need perhaps 30 minutes? I would have happily paid $100 to resolve this, but $600 is significantly more than both firewalls cost me ;)

Either way, I've got no real plans to look at pfSense again for this application. It's going to cost me £20 to produce a redundant PSU unit for the firewall. On the off-chance that the WRAP board should fail, I can handle 10 minutes of downtime. I've only ever had PSUs fail though, so I'm not particularly worried.

CARP was a "nice feature to have" not a "must have", so I'll stick with m0n0wall.

HB

I doubt that your wan connection has a /4 subnet mask. That's something like 270 million addresses in your subnet. A /29 would seem more correct. xx.yy.169.64/29 would be 65-70 usable.
CARP VIPs need to be created with the correct subnet mask. e.g. xx.yy.169.66/29
Proxy ARP VIPs use a /32 mask. I think 'other' VIPs use a /32, but I haven't used them in a while. Other type VIPs may not work for you depending on how the provider routes the IPs to you. Stick with CARP or Proxy-arp unless you have a compelling reason to use other vips.

Unfortunately it's currently not possible to get multiple dynamic public IPs per DHCP.
With 2.0 where CARPdev is used it "should" work.

A possible (ugly) workaround:
Plug as many NICs as you have additional IPs into your pfSense and set them as DHCP.
Like this your additional NICs will request an IP from your ISP.

Another (similarly ugly) workaround would be to connect a VLAN capable switch to your pfSense and assign as many VLAN-interfaces as you have additional IPs.
You would need to assign a PVID on the switch for each "virtual" interface and then connect them to another switch which then goes to your modem/router/whatever_connects_you_to_your_ISP. (you need a separate cable for each virtual interface from the VLAN switch to the normal switch).

This would look like this:

pfSense
                    |
                    |
            VLAN-switch
              | | | | | | |
            normal switch
                    |
                    |
                modem

Each system in a CARP cluster sends out a "heartbeat" with its various settings (vhid, etc) skewed at a specific rate. The master is always broadcasting at the fastest rate, and each other member has a higher skew, based on the "Advertising Frequency" setting for the CARP VIP.

Anything that would cause the master to stop broadcasting, or cause it to broadcast at a lower rate, would cause a failover. Could be link loss on a NIC, a dead switch port, hard lock, panic, etc, etc.

Some system problems can also trigger a CARP member to skew itself higher (to advskew 240) if a hardware fault of some kind is detected.

This happens for me , some networking programs have no problem (like radmin, a remote administrator) they just freeze for a couple of seconds. Others like ftp connections die. I was thinking that it's just the nature of the transfer and ftp can't compensate. At least a fail over should be a rare occurrence and we might have to live with these kinds of things.

bards1888,

May I know more about your successful configuration?

Say the WAN IP address of the fw1 & fw2? Is the PPPoE using dynamic / static ip?

Many Thanks
Alpha