I believe some people have gotten this to work by adding 5 vlan interfaces and setting them all for DHCP. I'd do a forum/docs search going down that route and see if you can turn up better results. I seem to recall it coming up within the past two weeks.

I have not given all the details: I have configured squid to bind on the LAN if. I have a real IP on the WAN (ip of class 88.xx.xx.12/24) and several VIP (ips of  class 93.xx.xx.0/24) I need the squid users to come out with one of the  VIP, by adding directive tcp_outgoing_address 93.xx.xx.10  in squid conf. How can I do  to do that? (I think I need carpdev to have VIP on virtual interface CARP) kind regards

You could put a dumb off-the-shelf router in NAT mode in front of the pfSense. Or if the modem supports that, reconfigure the modem. Basically put a static, private subnet in front of the pfSense.

@GruensFroeschli: Are the additional IPs routed to your WAN? They are routed to my PPPoE address.  They are not configured on an adapter other than as virtual IP's. @GruensFroeschli: Are they all in use right now? The 8 IP Block is fully utilised via 1:1 NAT and are all working fine The 16 IP block is utilising 2 IP's at present.  1 is NAT, the other is configured as the live IP on the virtual linux system @GruensFroeschli: Do you have the public IP directly on the server? The only live IP configured is the PTP ip for my ADSL connection @GruensFroeschli: There are several ways to go at such a problem. Bridging VIPs –> The public IP on the pfSense, the internal servers have private IPs, traffic from the public IP forwarded to the private IP. routing You cannot use VIPs if you have the public IP directly on the server itself. Presently, VIP's and routing are accomplishing things for all the other IP's. The IP that is causing the issue is the virtual machine configured with the real world ip (no internal IP address allocated)

I just experienced something similar (or same) while setting up two new 1.2.3 based embedded routers.  pfsync is working fine (over a dedicated interface) I created 3 vips (LAN,LAN2,WAN) in that order, vhid's: 1,2,3.  The interfaces would fail over separately - I unplug WAN, it fails over to router2, but LAN stays on router1, and obviously does not provide upstream connectivity. In desperation, I removed LAN2 and WAN vips, and recreated just WAN vip (LAN vhid:1, WAN vhid:2).  Now LAN+WAN seem to fail over together when WAN cable is pulled.  In fact, it all seems to work OK (except DHCP which I'll start a separate topic on) except that when we fail-back to router1, WAN VIP shows as "master" on both machines!  I have to do some more checking as to whether this is affecting anything, but it seems pretty strange.

Thanks for your prompt answer. It is what I needed. Regards.

I note that we've been here before, I had a good read of: http://www.mail-archive.com/support@pfsense.com/msg07031.html Do we have an official stance on this ARP load balancing functionality now?

http://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN [/ quote] I've seen that, but so much time ago I used redir and it could just redir tcpp ports. and I need an udp redirect :( I read the readme from newest version and no mention of udp also thanks anyway :) none

You can bridge. Short of a routed subnet or NAT, that's your only option. Details in the book.  http://pfsense.org/book

Only where the package itself supports it, a few of them do but not all.

Conflicting IP or VHID likely.

@stevekez: Is the kind of setup I describe possible and if so what things do I need to look at when configuring such a thing? That's one of the most common types of setups I help our support customers deploy. Works great. My presentation from DCBSDCon covered this type of setup. http://www.youtube.com/watch?v=aElQidbWUxA The book has a lot of content that goes over things you need to consider here.  http://pfsense.org/book @stevekez: If there are problems with the above description (such as LAG not working between multiple switches, as I've already identified as a potential gotcha  :-[), [/quote] Only lagg with bonding (LACP, EtherChannel) tends to be a problem there. The failover mode is what people generally use for their servers between switches like that.

You need a /29 minimum per interface for CARP. The routed public IP scenario is covered in depth in the book. http://pfsense.org/book

@juliansomers: However, your reply troubles me somewhat: when you say don't use PARP with two firewalls, it won't failover properly and will cause problems. could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens? That was assuming you put them on both firewalls. If you only put them on one it won't be a problem, but won't fail over either. The proper solution is to have your provider route the additional subnets to one of your CARP IPs, then you can use Other VIPs and will have proper failover.