Sorry all, got it fixed myself.  Did two things - changed the PARP IP's to single ip's, but each one with a mask of /29 and also refreshed my webserver arp cache so that it wasn't still trying to use the old router as its gateway. Knew that I'd get there in the end !! Jake

@Eugene: Let me give you one advice. Make your life simpler: set up your mail server behind pfSense and that is it. Mail server[local IP]–----[local IP]pfSense[public IP]–--Provider Don't waste your time creating messy and hard to troubleshoot set up. You're right. I kindly asked ISP for more IP addresses, now I'll have /29. Let's say I put the mailserver on separate DMZ, then: 1. configure WAN as x.x.x.6/29, gateway x.x.x.1 2. add CARP address x.x.x.5/29 3. add NAT 1:1 from x.x.x.5/29 to internal server IP on DMZ Right?

Not sure I understand why you need pfSense to do this.  Sounds like you just need a server running haproxy on your LAN with a VIP.  Why do you need pfSense?  Do you really need to route from one network (LAN) to another (WAN)?

This has been covered many times before, and I believe there is some info in a sticky on one of the boards here. Also, it's in the doc wiki: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F And of course in the book :)

Thanks for the suggestion.  I looked into LAGG but it didn't seem like it was supported in any meaningful way in 1.2.x, and since it's a production environment I couldn't risk running 2.x where it does seem to be supported. If anyone cares, I did test using CARP/pfsync for switch redundancy and it does work, just as jimp indicated.

Thanks for reply.

In case people still experience this issue (I did very recently), I made a writeup of the solution: http://sysadminadventures.wordpress.com/2010/03/22/fixing-vm-based-pfsense-carp-announcement-echoes-when-using-teamed-network-adapters/

After doing some more digging, it appears the answer lives here: http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Limiter Still a little confusing since this Pipe doesn't really act like a true interface.

Yes, you're correct on both counts. That should be state table – I fixed that in HEAD. And you can leave it blank if you want, it will use multicast to update.

I found the answer. It was caching. After the server was rebooted, NAT didn't work anymore and I had to recreate the Proxy Arp entry in the pfSense.

No, not yet, but I was planning on it:  I dug a little deeper in previous posts and found a similar problem which was fixed by rebooting a router.  After reading your reply, I'm confident that doing so (in conjunction with having the right type of VIPs) will take care of the problems I was having.  I can't try again for a few days because another project got elevated priority.  Thanks very much for your response.

Is your outbound nat set up to use this VIP?

Are you trying to reach more redundancy by using two subnets or you really need to connect two subnets to LAN?

You can explicitly disable multicast/broadcast and put these rules on the top. Or alternatively - do not allow ANY protocol to ANY address but allow only traffic you really need to allow. First approach is more efficient as multicast/broadcast packets are droped without going through all rules before being dropped by 'default deny all'.

What does that mean please? @cpliu903: when R1 sync to R2, R2 change status to master,  not backup.

ok..thanx..that was my guess too.