I got the reason why it didn´t work:

The LAN Interface of FW1 was a 10 mbit network card! Until I put in a 100 mbit network card it works fine!

It sounds like you have it backwards. You want to enter the IP address of the backup on the carp page of the master. Putting an IP address in that field and checking the box essentially tells it to push the settings to that device.

Thanks dotdash, in my trolling I ultimately decided you had given the answer to me …I'm upping to /28 ideally ...it's a pain with my ISP ...I actually use a lot of port forwarding to get it down to the 5 ...i could get it to 3 maybe, but that's really pushing it ...but any way, thanks again ...and looking forward to CARPDEV someday.

I've your answer expected ;D but:
In CARP-Documentation is written that's possible.

Is it not supported because it's not tested? Or is not working and I'll get problems? Is it technical (e.g. unsupported) possible to sync in both directions (fw001 <–> fw002).

I ask because I want share applications over two firewalls:

fw001: vpn, internet access,...
fw002: web hostings, dmz, ...

If one firewall goes down then the other firewall run all.

Is it planned in future to support master-master?

Iv seen this one before… sorry to say that im a noob and just figuring it out my own probs at:
http://forum.pfsense.org/index.php/topic,10458.0.html

At my configuration... it happened when the CARP suddenly "worked" after i sorted out some bugs... then again it didnt work. It was when the SYNC interfaces were on 10Mb/s old NICs. And the LAN VIP became master on Backup, WAN and WAN2 were left Master at the Master box. And then when i went to 100/10 NIC's the backup took all the VIP's as master... so it might be something different than your prob.

One question... how would i bypass the "broadcast" thing if it really is the switch or NIC's bad appetite for not eating broadcast packets. ?

Im fairly new to CARP stuff… u can read my try's at:
http://forum.pfsense.org/index.php/topic,10458.0.html

I can confirm this happening.

I had 3 VIP's at master... LAN WAN WAN2
I created LAN VIP on the backup and then got the CARP working...
The same happened.. weirdly displayed and only icons showing at the CARP status screen.

So i deleted all VIP's at backup, then saved CARP settings at Master and it synced VIP's to backup properly.
I assume it has something to do with the VIP syncing over the one that already existed.

And now I seem to have successfully trained the switch to properly prioritize the ports, I had to change not only the port priority, but the path cost.

For the record, my DMZ port configuration on switch #2 look like this:

interface FastEthernet0/1 description Firewall - Master - DMZ Port switchport access vlan 20 spanning-tree vlan 20 port-priority 64 no cdp enable interface FastEthernet0/2 description Firewall - Slave - DMZ Port switchport access vlan 20 spanning-tree vlan 20 cost 500 no cdp enable

Sorry for the noise!

Keep up the good work, everybody.

Are you really really sure that you can ping these VIP's now?
Because it's NOT possible to ping proxy type VIP's.

You cannot ping Proxy type VIP's.
Only CARP type VIPs.
http://forum.pfsense.org/index.php/topic,7001.0.html

and pay attention! the interfaces must have the same order, please take a look at the screenshot…..

e.g. LAN, WAN, SYNC for the master and LAN,SYNC,WAN is not working......

ScreenShot003.jpg
ScreenShot003.jpg_thumb

@cyriles:

I have 2 ADSL internet connexions (PPPOE) with dynamic IP addresses, I want them to work in Load Balancing mode, one connexion on the Master and one on the Slave.

Here is your first issue. If you set it up this way, the failover will not be very clean and the slave connection will only be used when the master is down.
Typically, you would use Two WAN ports on each computer, and connect both to both DSLs. In your case, two PPPoE WANs are not possible, and you would need a router between the second WAN and the DSL. Searching should provide detailed information on this.
@cyriles:

Now my second question :

Do I have to plug one access point on each server and if yes, will they both be "online" or only one at the same time depending on the working server (Master or Slave) ?

I would think the simple answer to this would be to setup your WIFI port like another LAN, connect the AP to a switch that is connected to the WIFI-OPT ports on both pfSense boxes and point the AP's gateway to the CARP address of the WIFI-OPT interface.

How do i configure Sticky Address? And what is the behavior with this option?
Thanks
G

So I figured out that the problem is all about return-path. The real network servers had their own default routes and were basically returning traffic along that path instead of through pfsense.

The equivalent of this is LVS-DR, for you linux virtual server types out there. Is there an equivalent of LVS-NAT, where web servers route traffic back to the pfsense load balancers that originally requested it?

Ok that makes sense

Thank you !!!

Thanks GruiensForeschli. The NAT didn't work. I know that NAT is resolved prior to firewall rules.

Does anyone know how "Virtual Servers" works? If it's a matter of configuration I can try to dig into the code to do this, or set up a bounty. Is it a combination of custom NAT with gateway routing, or what's the behind-the-scenes program that handles this?

It's interesting to note, in the NAT, it says:

If you want this rule to apply to another IP address than the address of the interface chosen above, select it here (you need to define Virtual IP addresses first). Note if you are redirecting connections on the LAN, select the "any" option.

… why do LAN port forwards require the "any" option, but WAN does not? Is it a limitation of the program doing the NAT? If it's that kind of limitation, then I guess there is no solution.

You must have one VHID per IP if you're running CARP. ifconfig alias IPs are not able to be used in a failover deployment.

@RedRocket:

Yes, my ISP is assigning vhids, i am not sure what the normal practice is here, I do know however that if there is any fuckup with vhids on our network interfering with theirs or other clients, they will simply pull the plug on us.

Doesn't surprise me, it's not a bad idea. They need to be willing to provide enough VHIDs though.

~~I'm ending up with the same problem on a 1.2 STABLE release.

I have:

both machines up-to-date usernames the same passwords the same firewall rules on the SYNC interfaces on * * * *

I also rebooted both machines, but this gives no clue.

HTTPS or HTTP set on both machines doesn't make any difference also.

What could be wrong here ?~~

I have solved this issue. It should have been a subnet that needed to be test on /24… this was also in the second trouble shooting part.

So, I've setup pfsense 1.2 using carp for automatic failover.  This is very nice stuff!  However, the ntpd server does not allow the ntpd server to be started on the LAN carp device.  don't forget, that if you edit your openNTP settings, these changes will be lost.  So…

Try this:

diagnostics->edit and load the following file:
/var/etc/ntpd.conf

and add the following line and save:
listen on 172.16.1.1  ( or whatever your LAN carp ip is )

diagnostics->command:
kill -KILL pgrep -u root ntpd && /usr/local/sbin/ntpd -f /var/etc/ntpd.conf

@juraj_bond:

In Firewall-Virtual IPs-Carp Settings-Synchronize Enabled.

Yea I figured it out… Ive now tried with device polling, disabling syncing the state table, changed the table size with no result.

Still when Im ghosting with multicast I get the same high ping issues and interrupts...