I just experienced something similar (or same) while setting up two new 1.2.3 based embedded routers.  pfsync is working fine (over a dedicated interface)
I created 3 vips (LAN,LAN2,WAN) in that order, vhid's: 1,2,3.  The interfaces would fail over separately - I unplug WAN, it fails over to router2, but LAN stays on router1, and obviously does not provide upstream connectivity.

In desperation, I removed LAN2 and WAN vips, and recreated just WAN vip (LAN vhid:1, WAN vhid:2).  Now LAN+WAN seem to fail over together when WAN cable is pulled.  In fact, it all seems to work OK (except DHCP which I'll start a separate topic on) except that when we fail-back to router1, WAN VIP shows as "master" on both machines!  I have to do some more checking as to whether this is affecting anything, but it seems pretty strange.

Thanks for your prompt answer.
It is what I needed.

Regards.

I note that we've been here before, I had a good read of:
http://www.mail-archive.com/support@pfsense.com/msg07031.html

Do we have an official stance on this ARP load balancing functionality now?

http://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN
[/ quote]

I've seen that, but so much time ago I used redir and it could just redir tcpp ports. and I need an udp redirect :(

I read the readme from newest version and no mention of udp also

thanks anyway :)

none

You can bridge. Short of a routed subnet or NAT, that's your only option. Details in the book.  http://pfsense.org/book

Only where the package itself supports it, a few of them do but not all.

Conflicting IP or VHID likely.

@stevekez:

Is the kind of setup I describe possible and if so what things do I need to look at when configuring such a thing?

That's one of the most common types of setups I help our support customers deploy. Works great. My presentation from DCBSDCon covered this type of setup. http://www.youtube.com/watch?v=aElQidbWUxA

The book has a lot of content that goes over things you need to consider here.  http://pfsense.org/book

@stevekez:

If there are problems with the above description (such as LAG not working between multiple switches, as I've already identified as a potential gotcha  :-[),
[/quote]

Only lagg with bonding (LACP, EtherChannel) tends to be a problem there. The failover mode is what people generally use for their servers between switches like that.

You need a /29 minimum per interface for CARP. The routed public IP scenario is covered in depth in the book. http://pfsense.org/book

@juliansomers:

However, your reply troubles me somewhat: when you say

don't use PARP with two firewalls, it won't failover properly and will cause problems.
could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens?

That was assuming you put them on both firewalls. If you only put them on one it won't be a problem, but won't fail over either. The proper solution is to have your provider route the additional subnets to one of your CARP IPs, then you can use Other VIPs and will have proper failover.

@GruensFroeschli:

So you created an NAT rule for each VIP?
Did you also create a firewall rule for each VIP?

Sure, I have one NAT rule for one VIP and one OPT1 rule (just to be a clear test). I have no other rules for OPT1 and port TCP 3389 (but I have rule for WAN):

Virtual IPs:
95.XX.XX.36/32 P ARP
95.XX.XX.37/32 P ARP
95.XX.XX.38/32 P ARP

NAT rule:
OPT1 TCP 3389 192.168.28.5 (ext.: 95.XX.XX.37) 3389 TestRDP

OPT1 rule:
TCP * * 192.168.28.5 3389 *

This configuration works only when .37 is the first line in VIPs… If it is second ot third it doesn't work.

As far as i know each box needs a 'real' wan ip which for carp ha would require a minimum of 3 wan ips from your isp, 1 virtual 2 physical.

Packages have to be manually installed on each box.

Hi Dotdash

Cheers for the response, i have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I dont actually need a class A for my DMZ either it just happens to be that this is how it was configured originally and as i have many servers in the DMZ and it works im not going to reassign them all. The reason i have assigned the adskew to 5 and not 0 is so that i can add in my main pfsense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.

Anyway cheers for the assistance, if i have any more probs ill post back…i should know in a day or two if everything is working fine.

Yup, I looked at that. $600 for 5 hours of support, of which I'd need perhaps 30 minutes? I would have happily paid $100 to resolve this, but $600 is significantly more than both firewalls cost me ;)

Either way, I've got no real plans to look at pfSense again for this application. It's going to cost me £20 to produce a redundant PSU unit for the firewall. On the off-chance that the WRAP board should fail, I can handle 10 minutes of downtime. I've only ever had PSUs fail though, so I'm not particularly worried.

CARP was a "nice feature to have" not a "must have", so I'll stick with m0n0wall.

HB

I doubt that your wan connection has a /4 subnet mask. That's something like 270 million addresses in your subnet. A /29 would seem more correct. xx.yy.169.64/29 would be 65-70 usable.
CARP VIPs need to be created with the correct subnet mask. e.g. xx.yy.169.66/29
Proxy ARP VIPs use a /32 mask. I think 'other' VIPs use a /32, but I haven't used them in a while. Other type VIPs may not work for you depending on how the provider routes the IPs to you. Stick with CARP or Proxy-arp unless you have a compelling reason to use other vips.