Each system in a CARP cluster sends out a "heartbeat" with its various settings (vhid, etc) skewed at a specific rate. The master is always broadcasting at the fastest rate, and each other member has a higher skew, based on the "Advertising Frequency" setting for the CARP VIP. Anything that would cause the master to stop broadcasting, or cause it to broadcast at a lower rate, would cause a failover. Could be link loss on a NIC, a dead switch port, hard lock, panic, etc, etc. Some system problems can also trigger a CARP member to skew itself higher (to advskew 240) if a hardware fault of some kind is detected.

This happens for me , some networking programs have no problem (like radmin, a remote administrator) they just freeze for a couple of seconds. Others like ftp connections die. I was thinking that it's just the nature of the transfer and ftp can't compensate. At least a fail over should be a rare occurrence and we might have to live with these kinds of things.

bards1888, May I know more about your successful configuration? Say the WAN IP address of the fw1 & fw2? Is the PPPoE using dynamic / static ip? Many Thanks Alpha

Here's an update… I changed the subnet to 24 for the LAN interface, and the virtual IP. I was able to reboot the master, and still have access to the firewall. -Thanks! :)

My ftp is working, the active mode was the solution.   Thanks.

I think this turned out to be a hardware issue. I'm not certain if it was a specific piece of hardware that was malfunctioning, or if it was some kind of intermittent compatibility issue. I suspected hardware after the machine started randomly locking up. I had an identical machine, so I swapped the hard drives into that one, and it had weird issues as well, but my LAN interface (which was a VLAN) wouldn't work at all, so I had to take the add-on NIC card out of the original machine and put it in this one, even I just replaced an identical card. Then it worked, but it still had random lock ups and such. From there, I migrated my whole setup to a VM, and I've had no problems. So either it was the hard drives, the original NIC, or both machines have some internal hardware issue.

Solved, with work around. See my other posting with subject: VMWARE ESX 3.5 / vSwitch w/ 2 Physical NICs / CARP / PFSense 1.2.3 NIC-teaming/fail-over in vSphere seems to be the problem. Best regards, Quentin

Send an e-mail to wikiadmin@pfsense.org Or if you just want to write the content for the page I (or someone else with access) can add the content for you.

So, here is what I've done so far, but I'm having problems. Define the new IP under Firewall -> Virtual IP -> Other.  Ip is 116.90.xxx.43/32 Go to Firewall -> Nat then define the following rule. Under port forward add a new rule External address: 116.90.xxx.43 protocol : TCP External Port Range: Web_Server_Ports (alias for TCP ports 22, 80 and 443) NAT_IP: Splunk server (alias for 10.0.2.41) Local Port: Web_Server_Ports Check auto create firewall rule Now, from within my network if I ssh, http or https on the IP 116.90.xxx.43 my nat works.  However when I try to hit my public IP externally it doesn't work and I don't see any denied messages in the firewall.  I'm assuming it's something wrong with the way I've defined virtual IPs.  Any ideas what I've done wrong? Thanks, Todd

That seems like it would work well, thanks! I will give it a try today.

You also have to configure the outbound NAT to actually use the VIP.

Super! I need to get more beer then…. :D :D @dotdash: Your IT expert is right. He is the expert after all. (OpenBSD has CARPdev, which allows you to run a cluster with one public IP, but FreeBSD does not have this functionality yet)

@Wielke: problem is we can't use any of the 80.x.x.146/147/148/149 (our public IP range) as VIP's as we can't use them after that to NAT with? Why? You can.

Just a thought.  You could try dyndns and vpn to a domain name instead of having to look up the address.

Yes. This is due to how NAT works. You cannot NAT out the same interface on which packets arrive. For normal port forwards you can alternatively use "NAT reflection", although this is kind of an ugly hack. You "could" create on top of the 1:1 NAT forwarding, a normal NAT forwarding for the ports you need and enable NAT reflection. But i would not recommend it since you're already doing it the proper way. More relevant info in the FAQ: http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F http://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT%3F