  • CARP and Non-contiguous IP's

    Locked · 0 Votes · 5 Posts · 3k Views
    J: I agree mate, however I'm just about to upgrade to a 100Mb WAN connection, so I'm upgrading the firewall with a new Dell R200 with an Intel Quad NIC. I can't really afford both at present, so I'm going to use the original firewall as failover (I have found pfSense so stable I don't think it'll be needed, but you can never tell with hardware failures etc.), so I'm not overly worried about failover as long as it'll support the connection, albeit at a lower speed. Cheers for your help. J
  • Question about failover and CARP

    Locked · 0 Votes · 2 Posts · 2k Views
    C: 1) I'm not sure what you mean by WAN access as opposed to Internet access, but if you mean the network that pubip[1-3] are in, then yes. Same with the Internet (assuming that you've set up NAT and firewall rules allowing access in the first place).
    2) pfSense will replicate rules from the "master" machine to the other machine as long as you have configured CARP (in the CARP Settings under Firewall->Virtual IPs->CARP Settings) to do so.
  • CARP not working correctly on internal firewalls

    Locked · 0 Votes · 2 Posts · 2k Views
    S: Figured out where I was going wrong on this - on the first set of firewalls I was using VHID 1/2 and the same for the second internal firewalls, silly mistake - after setting the internal ones to VHID 3/4 it is all working correctly. ;D
  • Adding (moving) another block of addresses to WAN

    Locked · 0 Votes · 5 Posts · 3k Views
    W: Which version are you using? I've been trying to do the same thing and I can't get the new PARP addresses + NAT to work.
  • Adding an additional subnet to the WAN interface

    Locked · 0 Votes · 3 Posts · 3k Views
    W: Yes, that's exactly what I did. I added a PARP IP via the Virtual IPs menu and allowed it to auto-create the rule for me (allowing HTTP back to the web server running internally). I then added an additional rule allowing ICMP to the internal address. Both rules are created on the WAN interface and reference the internal address that I'm allowing traffic to. I've done this many times for IP's that are on the WAN interface's primary network.

    I then used the packet capture option to sniff the traffic destined for the PARP address on the WAN side, and I do see both ICMP and HTTP traffic hitting the WAN interface when I test the respective protocols. I then did the same thing sniffing the LAN interface to see if there are any packets being sent to the internal NAT'd IP, and I don't see anything. I've also run a packet sniffer on the web server to ensure that I'm not missing something and that traffic is in fact not hitting the machine somehow; there's nothing coming out on the LAN side.

    Downloading the config XML and looking at the version element, it says I'm running version 2.9. Looking at index.php it says I'm running 1.2-RC1 (built on Sat Jul 21 13:42:54 EDT 2007).

    Thanks, Warrick
  • CARP Status

    Locked · 0 Votes · 2 Posts · 2k Views
    C: That's what happens when multicast traffic isn't passed properly. Some switches block or break multicast.
  • Does deleting a Virtual IP cause the system to reboot?

    Locked · 0 Votes · 6 Posts · 3k Views
    C: Yeah, it didn't appropriately warn before 1.2.1; it's supposed to do that. CARP interfaces can't be removed on a running system. You don't have to reboot right away, but the VIP won't be removed until you do.
  • CARP not working? Why?

    Locked · 0 Votes · 4 Posts · 3k Views
    GruensFroeschli: This doesn't really make much sense. Set the subnet to what you actually have on the main WAN IP.
  • 0 Votes · 6 Posts · 4k Views
    dotdash: You can also do it this way: http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
  • CARP Problem - Fatal trap 12: page fault while in kernel mode

    Locked · 0 Votes · 6 Posts · 4k Views
    C: Hrm, there shouldn't be any way, even when you're switching from proxy ARP to CARP, to accomplish that. I know the input validation works when adding; maybe it's missing when switching from one type to another. Thanks for the report.
  • pfSense box not aware of a subnet that appears only in NAT configuration.

    Locked · 0 Votes · 3 Posts · 2k Views
    G: @GruensFroeschli:

    Diagram:

                internet
                    |
                    |
            [WAN] 10.10.10.2/27
                pfSense   [OPT1] 192.168.1.1/25 ------ servers
            [LAN] 192.168.10.1/24
                    |
                    |
                clients

    > Can you please clarify where you have the 10.20.20.0/26 subnet? Are these IP's used directly on the servers or as VIP's on the WAN? Was the 10.20.20.0/26 subnet assigned to you by your ISP? (since these are public IPs)

    The 10.20.20.0/26 subnet is allocated for the real IP addressing needs of some boxes that reside in the 192.168.1.0 subnet (OPT1). It only exists in the 1:1 NAT configuration page and the NAT-ing is done on the WAN interface. I didn't make any VIP for this subnet, except for the PAT-ing of the LAN. Yes, this real-IP subnet is unique.

    > If so you could add these public IP's to the servers directly. -> Assign 10.20.20.1 to the pfSense.

    This actually is the option that I am considering too. It involves changes on the servers though, so I was trying a workaround. The case is that if this was a new installation, that would be my approach from the beginning. This was an existing setup that worked with an OpenBSD box in place before I used pfSense as a way better managed PF solution, especially for the non-BSDers.

    > Basically: if you 1:1 NAT something you cannot access this forward from the inside itself. Use normal port forwards for that, since pfSense is able to reflect normal port forwards. Search the forum for my username and "normal portforward" since I posted in quite a few threads how to do that. Another alternative is that you use 1:1 NAT from the outside, and for access from the inside you set up split DNS. This is described here: http://forum.pfsense.org/index.php/topic,7001.0.html

    Thank you for this tip :) Found lots of interesting info there, and especially the text about adding aliases on the physical interfaces is very interesting.

    If I remember correctly this was what I did on the previous box: adding the 1:1 IPs as aliases on the WAN to make it see this otherwise "virtual" subnet as local, thus appearing in the fw's routing table. The way I understood the whole VIP concept made me think that it was the way to make something similar. Split DNS would be a viable option too if this was an isolated environment (not different links going to different places interconnecting private networks which share the same NSs). Thanks again for your time! George
  • Has anyone tried load balancing MySQL?

    Locked · 0 Votes · 2 Posts · 2k Views
    C: If the responses aren't coming back, it sounds like the servers are missing their default gateway or have it set to something other than pfSense.
  • Failover - what gets synced?

    Locked · 0 Votes · 5 Posts · 3k Views
    P: Do CARP IP addresses work with load balancing?
  • CARP w/ LB & 3x WAN

    Locked · 0 Votes · 3 Posts · 2k Views
    dotdash: Active/Passive is currently the only supported configuration. You are correct in that you should add a dedicated interface for the sync. The CARP tutorial is a good place to start: http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm
  • 0 Votes · 3 Posts · 3k Views
    E: Hi, thanks for the reply. I have not looked at this in a while as it did not seem possible, and as of yet it is not possible. We do use multihomed DNS, however it is not ideal as there is no failover: if a server goes down, DNS does not automatically remove or change the DNS record, which means there is a failure and no response for x% of requests made (depending on how many hosts are in the loop). I would still like to find a solution for this, if possible without having to fly out to the data centre to reconfigure the entire network :) Thanks
  • Two pfSense servers in a virtual environment for redundancy

    Locked · 0 Votes · 6 Posts · 7k Views
    F: I posted some responses from dotdash; I still have a few things not quite configured correctly. I created my second pfSense machine by copying my first box. The only difference is the IP address and the name of the server. I have the following settings:

    Synchronize Enabled
    Synchronize Interface - OPT2
    pfSync sync peer IP 192.168.17.2
    Synchronize rules
    Synchronize NAT
    Synchronize IPsec
    Synchronize Virtual IPs
    Synchronize traffic shaper
    Synchronize to IP 192.168.30.2
    Remote System Password (username reset to ADMIN and password set to match on both servers)

    Added Virtual IP to the Master machine:
      Type = CARP
      Address 192.168.17.2 /24
      matched the VIP password
      VHID group 1
      Advertising Frequency 0

    Rules: OPT2 all traffic set to pass between servers

    When I bring up the second server, CARP comes up with FW1 as master and FW2 as backup. However, I see two issues at that point: even with 192.168.14.2 added as a second gateway, I can't access the internet, and IPsec tunnels appear to be up on both firewalls. I really want to get this running due to my occasional virtual server issue. Many thanks, RC
  • Bug with webgui for load balancer status?

    Locked · 0 Votes · 3 Posts · 2k Views
    N: <taps microphone>hello, is this thing on? :D</taps>
  • Virtual IP in CARP environment

    Locked · 0 Votes · 1 Posts · 2k Views
    No one has replied
  • 0 Votes · 2 Posts · 5k Views
    J: After doing some more digging, I figured it out. It was a VMware thing. I had to set the virtual adapter with a security policy exception to allow promiscuous mode. There seems to be another issue though: it seems as though there is another client out there on the WAN (albeit on a different VLAN) using a pfSense box, because I see the same MAC address as what my pfSense box is using for my CARP MAC address. Is there a way to change the CARP MAC address so I can differentiate my MAC address from this other person's?
  • How is CARP supposed to be set up?

    Locked · 0 Votes · 2 Posts · 3k Views
    dotdash: There is a lot in your post, but I'll try to answer some of your questions.

    > @Izinyoka: Does the firewall use its own WAN IP for outbound connections, or does it use the VIP?

    You should use AON and specify your CARP address for outgoing.

    > @Izinyoka: 2. Can it also provide redundancy for ISP failure?

    CARP is generally used to provide failover if your firewall has a hardware problem. ISP redundancy is a separate issue. You can use multi-WAN failover as one solution.

    > @Izinyoka: 3. I'm sure I read somewhere that CARPDev can provide redundancy like in case 1 with only one public IP, is that correct? Because it looks like CARPDev is included in version 2 and I tried it but I don't see a difference (inbound packets are still distributed between both boxes randomly).

    I have to check out the newest 2.0 snaps, but AFAIK CARPDEV is not yet stable on FreeBSD and not in 2.0. If you were using CARPDEV, the WAN interfaces would have private IPs and they would share the public CARP IP.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.