• Virtual IP - works only first in the list?

    Locked
    0 Votes
    5 Posts
    3k Views
    @GruensFroeschli: So you created an NAT rule for each VIP? Did you also create a firewall rule for each VIP?

    Sure, I have one NAT rule for one VIP and one OPT1 rule (just to be a clear test). I have no other rules for OPT1 and port TCP 3389 (but I have rule for WAN):

    Virtual IPs:
    95.XX.XX.36/32 P ARP
    95.XX.XX.37/32 P ARP
    95.XX.XX.38/32 P ARP

    NAT rule:
    OPT1 TCP 3389 192.168.28.5 (ext.: 95.XX.XX.37) 3389 TestRDP

    OPT1 rule:
    TCP * * 192.168.28.5 3389 *

    This configuration works only when .37 is the first line in VIPs… If it is second or third it doesn't work.
  • Carp… I have looked but no success....

    Locked
    0 Votes
    2 Posts
    2k Views
    As far as I know, each box needs a 'real' WAN IP, which for CARP HA would require a minimum of 3 WAN IPs from your ISP: 1 virtual, 2 physical.
  • Completely sync packages from primary to secondary

    Locked
    0 Votes
    2 Posts
    2k Views
    Packages have to be manually installed on each box.
  • Virtual IP On LAN - Very Slow takeover

    Locked
    0 Votes
    3 Posts
    3k Views
    Hi Dotdash,

    Cheers for the response. I have changed the CARP LAN address range as you suggested and currently it seems to be taking over addresses correctly. I don't actually need a class A for my DMZ either; it just happens to be that this is how it was configured originally, and as I have many servers in the DMZ and it works, I'm not going to reassign them all.

    The reason I have assigned the advskew to 5 and not 0 is so that I can add my main pfSense firewall into the cluster and gradually get it to take over addresses by assigning them as 0 on it.

    Anyway, cheers for the assistance. If I have any more probs I'll post back… I should know in a day or two if everything is working fine.
  • CARP Virtual IP failover works, but rules sync does not

    Locked
    0 Votes
    6 Posts
    4k Views
    Yup, I looked at that. $600 for 5 hours of support, of which I'd need perhaps 30 minutes? I would have happily paid $100 to resolve this, but $600 is significantly more than both firewalls cost me ;) Either way, I've got no real plans to look at pfSense again for this application. It's going to cost me £20 to produce a redundant PSU unit for the firewall. On the off-chance that the WRAP board should fail, I can handle 10 minutes of downtime. I've only ever had PSUs fail though, so I'm not particularly worried. CARP was a "nice feature to have" not a "must have", so I'll stick with m0n0wall. HB
  • Don't get VIP working

    Locked
    0 Votes
    4 Posts
    2k Views
    dotdash
    I doubt that your wan connection has a /4 subnet mask. That's something like 270 million addresses in your subnet. A /29 would seem more correct. xx.yy.169.64/29 would be 65-70 usable. CARP VIPs need to be created with the correct subnet mask. e.g. xx.yy.169.66/29 Proxy ARP VIPs use a /32 mask. I think 'other' VIPs use a /32, but I haven't used them in a while. Other type VIPs may not work for you depending on how the provider routes the IPs to you. Stick with CARP or Proxy-arp unless you have a compelling reason to use other vips.
  • Using virtual nic

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • WAN DHCP and 1:1 NAT?

    Locked
    0 Votes
    2 Posts
    3k Views
    GruensFroeschli
    Unfortunately it's currently not possible to get multiple dynamic public IPs per DHCP. With 2.0 where CARPdev is used it "should" work.

    A possible (ugly) workaround: Plug as many NICs as you have additional IPs into your pfSense and set them as DHCP. Like this your additional NICs will request an IP from your ISP.

    Another (similarly ugly) workaround would be to connect a VLAN capable switch to your pfSense and assign as many VLAN-interfaces as you have additional IPs. You would need to assign a PVID on the switch for each "virtual" interface and then connect them to another switch which then goes to your modem/router/whatever_connects_you_to_your_ISP. (You need a separate cable for each virtual interface from the VLAN switch to the normal switch.)

    This would look like this:

            pfSense
               |
               |
          VLAN-switch
         | | | | | | |
         normal switch
               |
               |
             modem
  • What causes carp to failover

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    Each system in a CARP cluster sends out a "heartbeat" with its various settings (vhid, etc) skewed at a specific rate. The master is always broadcasting at the fastest rate, and each other member has a higher skew, based on the "Advertising Frequency" setting for the CARP VIP. Anything that would cause the master to stop broadcasting, or cause it to broadcast at a lower rate, would cause a failover. Could be link loss on a NIC, a dead switch port, hard lock, panic, etc, etc. Some system problems can also trigger a CARP member to skew itself higher (to advskew 240) if a hardware fault of some kind is detected.
  • CARP, failover and active downloads

    Locked
    0 Votes
    2 Posts
    2k Views
    This happens for me. Some networking programs have no problem (like radmin, a remote administrator); they just freeze for a couple of seconds. Others like ftp connections die. I was thinking that it's just the nature of the transfer and ftp can't compensate. At least a fail over should be a rare occurrence and we might have to live with these kinds of things.
  • Carp with PPPOE/A (Long)

    Locked
    0 Votes
    6 Posts
    8k Views
    bards1888,

    May I know more about your successful configuration? Say the WAN IP address of the fw1 & fw2? Is the PPPoE using dynamic / static ip?

    Many Thanks
    Alpha
  • Setting up of fail over

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • CARP and Redundancy

    Locked
    0 Votes
    10 Posts
    5k Views
    Here's an update… I changed the subnet to 24 for the LAN interface, and the virtual IP. I was able to reboot the master, and still have access to the firewall. -Thanks! :)
  • How to setup a Virtual IP for my ftp server?

    Locked
    0 Votes
    2 Posts
    3k Views
    periko
    My ftp is working, the active mode was the solution. Thanks.
  • Problem with carp - VIPs

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfS 1.2.2 "losing" ProxyARP/VIP

    Locked
    0 Votes
    3 Posts
    2k Views
    I think this turned out to be a hardware issue. I'm not certain if it was a specific piece of hardware that was malfunctioning, or if it was some kind of intermittent compatibility issue. I suspected hardware after the machine started randomly locking up. I had an identical machine, so I swapped the hard drives into that one, and it had weird issues as well, but my LAN interface (which was a VLAN) wouldn't work at all, so I had to take the add-on NIC card out of the original machine and put it in this one, even I just replaced an identical card. Then it worked, but it still had random lock ups and such. From there, I migrated my whole setup to a VM, and I've had no problems. So either it was the hard drives, the original NIC, or both machines have some internal hardware issue.
  • CARP and VMware ESX 3 not working across redundant switches

    Locked
    0 Votes
    12 Posts
    11k Views
    Solved, with work around. See my other posting with subject: VMWARE ESX 3.5 / vSwitch w/ 2 Physical NICs / CARP / PFSense 1.2.3

    NIC-teaming/fail-over in vSphere seems to be the problem.

    Best regards,
    Quentin
  • Access to wiki to create documentation

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    Send an e-mail to wikiadmin@pfsense.org

    Or if you just want to write the content for the page I (or someone else with access) can add the content for you.
  • Proper Setup for Multiple IPs

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Help with multiple IP's on an interface

    Locked
    0 Votes
    2 Posts
    2k Views
    So, here is what I've done so far, but I'm having problems.

    Define the new IP under Firewall -> Virtual IP -> Other. IP is 116.90.xxx.43/32

    Go to Firewall -> Nat then define the following rule. Under port forward add a new rule
      External address: 116.90.xxx.43
      protocol : TCP
      External Port Range: Web_Server_Ports (alias for TCP ports 22, 80 and 443)
      NAT_IP: Splunk server (alias for 10.0.2.41)
      Local Port: Web_Server_Ports
      Check auto create firewall rule

    Now, from within my network if I ssh, http or https on the IP 116.90.xxx.43 my nat works. However when I try to hit my public IP externally it doesn't work and I don't see any denied messages in the firewall. I'm assuming it's something wrong with the way I've defined virtual IPs. Any ideas what I've done wrong?

    Thanks,
    Todd
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.