  • Failover with vlans and public addresses

    Locked
    0 Votes
    5 Posts
    3k Views
    No the vlans are vlans. Each of our customers are on their own vlan behind the firewall with public address on their machines. We route through the firewall to the public addresses, no nat or port forwarding. Everything in the forum seems to be with natting and port forwarding from the public IPs on the WAN to private IPs. This is the current setup that we are trying to cluster.

    WAN Gateway        FW1 WAN            Vlan1 interface    Customers machine
    xxx.xxx.58.145 <-> xxx.xxx.58.148 <-> xxx.xxx.53.1   <-> xxx.xxx.53.2

    Thanks, Rick
  • CARP for newbies

    Locked
    0 Votes
    3 Posts
    4k Views
    For the people that have been reading this hoping for answers to my questions, maybe I can help you out. From a newbie standpoint, I have this working: my ignorance was in understanding that virtual IPs, thus this forum being CARP/VIPs, is the key to using CARP/pfsync.

    Here's what I have that is working in a small test environment:

    box1: WAN: public IP, LAN: 10.2.1.1/16, OPT1: 192.168.10.10
    box2: WAN: public IP, LAN: 10.2.1.2/16, OPT1: 192.168.10.11

    In the CARP settings I am synchronizing everything and using the 192 addresses as the peer sync addresses for each box respectively. Box1 has 192.168.10.11 and the webGUI password entered at the bottom of the page on the CARP settings. Box2 has these boxes left blank. Under virtualIPs I created a new local address of 10.2.1.4/16 associated with the LAN interface that is of type CARP. Put in a VHID password and bahm, CARP up and running.

    You can post beginner level questions and I can try to pass on the little bit I've learned.
  • Failover static routes

    Locked
    0 Votes
    5 Posts
    4k Views
    Dotdash, I sent you a private message with a clarification of how things are set up.
  • Carp SYNC failed after changing GUI to SSL

    Locked
    0 Votes
    3 Posts
    2k Views
    Apparently it was it.. I had to simply reboot the two FW. Weird.. Now it's working fine.. (have been for two days) Thank you for your support! ;)
  • Need help setting up Load Balancing on VIP with Cluster

    Locked
    0 Votes
    2 Posts
    2k Views
    Create a VIP PARP with the outside address you are wanting to use. .5 I assume.
    Go over to the Load Balancer tab/section.
    Create the Pool first, your web servers.
    Create the Virtual Server; this is the same IP address as the VIP.
    The VIP is going to be your outside address and the Pool is going to be your inside address.
    Also don't forget to create firewall rules to allow the web traffic from the outside interface to the inside interface.
    Also, when creating the Virtual Server it will ask you for a "Pool down" server. I used an old server matching my 2 production web servers as my Pool down server. It is really slow so I didn't want it in the round robin, but it is a nice fail back plan…
    Hope this helps
  • CARP with Load Balancing

    Locked
    0 Votes
    2 Posts
    3k Views
    Never mind. I was looking for load balancing on UDP but I learned that version 1.2 only supports TCP load balancing.
  • Need help with setup of CARP + failover + multiWAN

    Locked
    0 Votes
    9 Posts
    7k Views
    Excellent! Now if only there was a way to sync FreeRADIUS between machines in a CARP cluster. But I can solve that problem through other methods, aka a single system on the LAN that isn't one of the pfSense boxes.
  • Simple Virtual IP, Proxy-ARP, need only ICMP Ping, doesn't work ?

    Locked
    0 Votes
    5 Posts
    8k Views
    @dotdash: You don't want 'other', but here is some info: http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632 You can use CARP on a stand alone system. Just use a unique vhid for each VIP. Set the password to whatever, it doesn't matter.

    OK, thank you a lot. I have set the CARP, with unique vhid and any password, and ping, port forwarding etc. works. Thank you, once more.
  • VIP Not Working

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • CARP problem with VMWare Server

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    Yes, it can work! I have it working on vmware-server 1.0.7, Linux host. Read this: http://www.ogris.de/docs/vmware-server-vrrp.html and this: http://mark.foster.cc/blog/2008/10/pfsense-and-carp-on-vmware-server.html Basically a small hack to the vmnet driver. I don't think this will work on ESX though, just vmware-server.
  • Public IP for IP-based Virtual Hosting on DMZ

    Locked
    0 Votes
    4 Posts
    4k Views
    dotdash
    CARPDEV is what is really needed for this, but it's still not working well. Depending on your setup, you may be able to use Other VIPs. See this thread: http://forum.pfsense.org/index.php/topic,7039.0.html You could also try adding alias IP's http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf and then adding CARP IPs.
  • Failover time

    Locked
    0 Votes
    3 Posts
    2k Views
    Failover will occur in under 5 seconds. Could be an issue with your switch where it won't allow the active CARP MAC on the other port until X minutes have passed. The MAC doesn't change, but a MAC moving from one port to another could be a problem depending on your switches and how they are configured.
  • [DEBUG] Lock recursion detected.

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multiple LAN IP Addresses

    Locked
    0 Votes
    18 Posts
    22k Views
    Good day, I tried it and it works. This is my setup:

    public ip ---> wan pfsense lan ---- 10.10.10.0/24

    Then I added the alias ip 10.10.20.1 and added the recommended firewall rules. Now from workstation w/ ip 10.10.10.100 I can ping 10.10.10.1, 10.10.20.1 and workstation 10.10.10.100 and vice versa. I think everything's fine, but I notice that from my pfsense console and under the lan interface menu that its ip is now set to 10.10.20.1. Is this the right behavior when adding an alias, or did I mess up something? My understanding is that my lan ip will still be 10.10.10.1 and my alias ip 10.10.20.1 will work fine under the hood. By the way, I'm currently running 1.2.1rc1 as of Sept. Thanks and good day.
  • CARP with more than 2 interfaces

    Locked
    0 Votes
    2 Posts
    2k Views
    dotdash
    You should look over the tutorial. http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm Generally you want a virtual CARP IP on each interface so the secondary node can take over function from the primary.
  • Outbound FTP and CARP/VIP

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks GruensFroeschli, that took care of it!
  • Carp, which interface are sync packets sent over??

    Locked
    0 Votes
    7 Posts
    4k Views
    GruensFroeschli
    pfSense doesn't filter outbound traffic. CARP traffic leaving pfSense cannot be blocked. And if you have a CARP IP on an interface you wouldn't want to block the CARP traffic, would you? You could use pfSense as a filtering bridge before your network and thus filter CARP traffic. --> If you have CARP traffic on your own public subnet you could avoid sending it to the rest of the internet (or at least your ISP).
  • Assign VIP to outgoing NAT ???

    Locked
    0 Votes
    5 Posts
    3k Views
    i just tested it again & it worked. thank you GruensFroeschli
  • Ping VIP Used In 1:1 NAT

    Locked
    0 Votes
    4 Posts
    3k Views
    GruensFroeschli
    It is intuitive. If you 1:1 NAT something then you forward EVERYTHING (thus 1:1). And adding firewall options to the NAT options is a very bad idea. --> Keep firewall rules and NAT rules apart. This is one of the big plusses of pfSense.
  • CARP and Squid question

    Locked
    0 Votes
    3 Posts
    2k Views
    Actually I did it :). It appears that all traffic from squid goes out from the localhost, so I changed the NAT source to be not only LAN but any.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.