You just setup a CARP VIP on the WAN, then change the AON so the outbound NAT uses the WAN CARP instead of the interface. The CARP tutorial (http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm) is a good reference for configuration.

Strange, but thanks for the info.

Hi Peter,

Did you get anywhere with this? I'm currently looking at the same issue.

Cheers,

A slightly better fix for this is possible now with 1.2.3-RC and 2.0, but it's still not ideal.

The CARP interface will now report a transition to MASTER as a "link up" event, and a transition to BACKUP as a "link down" event to the system. These can be caught with devd and used to call scripts on these events – no more need to rely on cron or a delay. This will happen instantaneously once the CARP interface on the backup takes over.

This is more meant for a full install, but I suppose it could be altered to work as the initial solution was for a livecd/embedded platform.

If you are running a recent (as of the date on this post) snapshot of 1.2.3, or 2.0, you can try this.

Edit /etc/devd.conf, and add the following:

notify 100 {         match "system"          "IFNET";         match "type"            "LINK_UP";         match "subsystem" "carp";         action "/usr/local/bin/carpup $subsystem"; }; notify 100 {         match "system"          "IFNET";         match "type"            "LINK_DOWN";         match "subsystem" "carp";         action "/usr/local/bin/carpdown $subsystem"; };

In this instance, you don't really need the $subsystem variable, but it may be useful if you want to perform other actions. It contains the name of the actual carp interface that transitioned. If you want to lock this down to just one carp interface, you could change the subsystem match to "carp0" or "carp1", whichever you like.

Restart devd (or reboot):

killall -9 devd && /sbin/devd

You can then create the scripts mentioned on the "action" line above. For this case, it would be two different scripts:

/usr/local/bin/carpup

#!/bin/sh /sbin/ifconfig bridge0 up

/usr/local/bin/carpdown

#!/bin/sh /sbin/ifconfig bridge0 down

Finally, make sure those are executable:

chmod a+x /usr/local/bin/carpup chmod a+x /usr/local/bin/carpdown

You could add anything else that you want to these scripts. Calling some sort of notification program would be useful, or whatever else is desired.

I'm trying to come up with some sort of generic detection code that would take the carp interface, and attempt to see if its parent interface is a bridge member, and if so, bring down that bridge member. A little more complex, but it is a more generic solution that should work in more, similar, scenarios.

@mgiammarco:

Two questions:

why do you want the migration of all interfaces? Why in my setup there is automatic migration of all interfaces? I need only migration of the broken interface.

Hi,
1. Because I have noticed if there isn't a total failover I'm not able to access the DMZ from the LAN when only one interface has migrated the the backup host. But that can also be that I have done something wrong in my setup??  ???

2. So I would like to know what you have done to make all interfaces migrate?

Ok I have almost solved problem two: it seems that with cisco catalyst 500 default option of igmp snooping enabled it happens that when master becomes available again the multicast packets are sent with some delay causing a problem with stake keeping.

The problem one is not solved: if I detach wan2 cable in the master pfsense wan and lan goes to backup state and wan2 goes to "init" state (what does it mean?). In the backup pfsense all wan, wan2 and lan go to master state.

The problem is that I have discovered that I "sometimes" lose a port forward on wan and I also lose the internet traffic on wan2.

What does "init" state mean?

Please reply me.

Mario

Ok I have almost solved this problem: it seems that with cisco catalyst 500 default option of igmp snooping enabled it happens that when master becomes available again the multicast packets are sent with some delay causing a problem with stake keeping.

<wan><if>fxp0</if>
        <mtu><ipaddr>192.168.1.201</ipaddr>
        <subnet>1</subnet>
  [..]

I finally found the problem. Simple little configuration mistake, see above. I apologize for the trouble caused.</mtu></wan>

Thanks Eugene. I'll give it a whirl when everyone is off with the plague or something.  ;)

Please see this: http://forum.pfsense.org/index.php/topic,16345.0.html and this: .http://forum.pfsense.org/index.php/topic,16373.html  I suspect you have discovered the same feature as me and several other people:

!NAT + loadbalancer + MultiWAN = Multicast storm.

After quite a bit of testing and so on I seem to have the same issue as this: http://forum.pfsense.org/index.php?topic=16373

I added the sync components one by one and as soon as the load balancer config copied over then things went beserk.  By unplugging all WAN connections bar one I was able to run tcpdump and see multicast traffic flooding the systems.

It seems that load balancers forward MCAST from your LAN to the other box which then repeats it back for a loop.  CARP needs MCAST to work though.  The bug is also seen in 1.2.3-RC1.  I also have systems broadcasting in over VPNs connected to my ADSL routers so it is a bit hard to block all this.

See: http://forum.pfsense.org/index.php/topic,16566.0.html for potential fix.

I have the similar problem.. I am trying to configure VIPs for the mail server (Exchange2007), I have 1.2 pfSense version, 3 interfaces (WAN, LAN and OPT1) the email server is connected to OPT1 interface together with domain controler. I made an identical configuration like "jits" showed in screenshots (with my IP adresses of course :)), but I can't connect or ping to my external IP of email server.
Can anyone help me with this issue ?

screens in attachment.

Reagrds Michal

VIPs.JPG
VIPs.JPG_thumb
NAT.JPG
NAT.JPG_thumb
Rules.JPG
Rules.JPG_thumb