Here's an update…

I changed the subnet to 24 for the LAN interface, and the virtual IP. I was able to reboot the master, and still have access to the firewall.

-Thanks! :)

My ftp is working, the active mode was the solution.
  Thanks.

I think this turned out to be a hardware issue. I'm not certain if it was a specific piece of hardware that was malfunctioning, or if it was some kind of intermittent compatibility issue. I suspected hardware after the machine started randomly locking up. I had an identical machine, so I swapped the hard drives into that one, and it had weird issues as well, but my LAN interface (which was a VLAN) wouldn't work at all, so I had to take the add-on NIC card out of the original machine and put it in this one, even I just replaced an identical card. Then it worked, but it still had random lock ups and such. From there, I migrated my whole setup to a VM, and I've had no problems. So either it was the hard drives, the original NIC, or both machines have some internal hardware issue.

Solved, with work around. See my other posting with subject: VMWARE ESX 3.5 / vSwitch w/ 2 Physical NICs / CARP / PFSense 1.2.3
NIC-teaming/fail-over in vSphere seems to be the problem.

Best regards,

Quentin

Send an e-mail to wikiadmin@pfsense.org

Or if you just want to write the content for the page I (or someone else with access) can add the content for you.

So, here is what I've done so far, but I'm having problems.

Define the new IP under Firewall -> Virtual IP -> Other.  Ip is

116.90.xxx.43/32

Go to Firewall -> Nat then define the following rule.

Under port forward add a new rule
External address: 116.90.xxx.43
protocol : TCP
External Port Range: Web_Server_Ports (alias for TCP ports 22, 80 and 443)
NAT_IP: Splunk server (alias for 10.0.2.41)
Local Port: Web_Server_Ports

Check auto create firewall rule

Now, from within my network if I ssh, http or https on the IP 116.90.xxx.43 my nat works.  However when I try to hit my public IP externally it doesn't work and I don't see any denied messages in the firewall.  I'm assuming it's something wrong with the way I've defined virtual IPs.  Any ideas what I've done wrong?

Thanks,
Todd

That seems like it would work well, thanks! I will give it a try today.

You also have to configure the outbound NAT to actually use the VIP.

Super! I need to get more beer then…. :D :D

@dotdash:

Your IT expert is right. He is the expert after all.
(OpenBSD has CARPdev, which allows you to run a cluster with one public IP, but FreeBSD does not have this functionality yet)

@Wielke:

problem is we can't use any of the 80.x.x.146/147/148/149 (our public IP range) as VIP's as we can't use them after that to NAT with?

Why? You can.

Just a thought.  You could try dyndns and vpn to a domain name instead of having to look up the address.

Yes.
This is due to how NAT works.
You cannot NAT out the same interface on which packets arrive.

For normal port forwards you can alternatively use "NAT reflection", although this is kind of an ugly hack.
You "could" create on top of the 1:1 NAT forwarding, a normal NAT forwarding for the ports you need and enable NAT reflection.
But i would not recommend it since you're already doing it the proper way.

More relevant info in the FAQ:
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
http://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT%3F

As far as i understood you got a subnet of /29 ?
In this case you dont have to add 6x the same subnet.
With PARP you always add a range (even if the range is /32).

You missunderstand the concept.
You can only sync from a node with a lower Advertising Frequency to a node with a higher Advertising Frequency.
Just because a node is "temporarily" a master doesnt mean it syncs its stuff to the other nodes.
After all only the node with the lowest Advertising Frequency is the "real" master (even if it's offline).

Although i think if you have 3 nodes and you remove the main master, add something on the secondary master it "should" sync to the 3rd node (the only "real" slave).

Figured it out.

I followed the guide to setup CARP here:
http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm

And then did the following:

Firewall 01
1. WAN address: [external IP]
2. LAN address: 10.10.16.254/24
3. FAILOVER (OPT1) address: 10.10.16.251/24
4. DMZ (OPT2) address: 10.10.15.254/20

Firewall 02
1. WAN address: [external IP]
2. LAN address: 10.10.16.252/24
3. FAILOVER (OPT1) address: 10.10.16.250/24
4. DMZ (OPT2) address:  10.10.15.252/20

Virtual IP's
1. (cARP) 10.10.16.253 - used as LAN gateway address for internal machines
2. (cARP) 10.10.15.253 - used as DMZ gateway address for internal machines
3. (cARP) [external ip] - used for external load balancer IP. NAT'd 1:1 (using WAN interface) to internal address on DMZ

Now I get the luxury of fault tolerance with the internal gateway addresses as well as the external IP that DNS will be directed at.