Excellent! Now if only there was a way to sync FreeRADIUS between machines in a carp cluster. But I can solve that problem through other methods, aka a single system on the LAN that isnt one of the pfSense boxes.

@dotdash:

You don't want 'other', but here is some info: http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632
You can use CARP on a stand alone system. Just use a unique vhid for each VIP. Set the password to whatever, it doesn't matter.

ok, thank you a lot.

I have set the CARP, with unique vhid and any password, and ping, port forwarding etc.. works

thank you , once more..

Yes, it can work! I have it working on vmware-server 1.0.7, Linux host.

read this: http://www.ogris.de/docs/vmware-server-vrrp.html
and this: http://mark.foster.cc/blog/2008/10/pfsense-and-carp-on-vmware-server.html

Basically a small hack the vmnet driver.

I don't think this will work on ESX though, just vmware-server.

CARPDEV is what is really needed for this, but it's still not working well. Depending on your setup, you may be able to use Other VIPs. See this thread: http://forum.pfsense.org/index.php/topic,7039.0.html
You could also try adding alias IP's http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf and then adding CARP IPs.

Failover will occur in under 5 seconds. Could be an issue with your switch where it won't allow the active CARP MAC on the other port until X minutes have passed. The MAC doesn't change, but a MAC moving from one port to another could be a problem depending on your switches and how they are configured.

Good day,

I tried it and it works.

this is my set up.

public ip –->wan pfsense lan ----10.10.10.0/24

the i added the alias ip 10.10.20.1 and added the recommended  firewall rules

Now from workstation w/ ip 10.10.10.100 i can ping 10.10.10.1,  10.10.20.1 and workstation 10.10.10.100 and vice versa.

I think every things fine but i notice that from my pfsense console and under the lan interface menu that it's ip is now set to 10.10.20.1.

Is this the right behavior when adding alias? or i mess up something? my understanding is that my lan ip will still be 10.10.10.1 and my alias ip 10.10.20.1 will work fine under the hood.

By the way im currently running 1.2.1rc1 as of sept.

thanks and good day.

You should look over the tutorial. http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm
Generally you want a virtual CARP IP on each interface so the secondary node can take over function from the primary.

Thanks GruensFroeschli, that took care of it!

pfSense doesnt filter outbound traffic.
CARP traffic leaving pfSense cannot be blocked.
And if you have a CARP IP on an interface you wouldnt want to block the CARP traffic, would you?

You could use pfSense as a filtering bridge before your network and thus filter CARP-traffic.
–> If you have CARP-traffic on your own public subnet you could avoid sending it to the rest of the internet (or at least your ISP).

i just tested it again & it worked.

thank you GruensFroeschli

It is intuitive.
If you 1:1 NAT someting then your forward EVERYTHING (thus 1:1).

And adding firewall options to the NAT options is a very bad idea.

–> Keep firewall rules and NAT rules apart.
This is one of the big plusses of pfSense.

actually i did it :). It appears that all traffic from squid go out from the localhost, so i changed the NAT source to be not only LAN but any

I think this thread might interrest you:
http://forum.pfsense.org/index.php/topic,6049.0.html

Also i kind of remember about a thread trying to figure out what the TV-part was.
I think it had something to do with the TV-traffing beeing on another VLAN or something like that, but i cannot find the thread anymore…

edit: found it: http://forum.pfsense.org/index.php/topic,4491.0.html
But i think it's not related :(

hmm, let me see.  I tried to access the .30 ip from a web browser on a totally separate internet connection in a completely separate building.  I am already aware that I am not able to access vips from within the LAN.  I am also aware that local services cannot bind to PARP addressses.  I wouldn't of posted my question if I didn't already search.

Thank you.

This may be the right post: http://forum.pfsense.org/index.php/topic,7039.0.html

CARPDEV does this, but it is not yet working on FreeBSD. For now, you will need at least three public IPs for a CARP cluster.

I have had this setup before, but I was not using pfsense at the time. But since I was using pf on openBSD it should be close. There was no need other than all the server IPs would have had to change and there where a lot of servers. What we setup was a bridging firewall. Some call it an IP-less firewall. Either way you are going to be filtering packets as they cross the kernel.

As I understand it pfSense can do this. I have not tested this, but I hear it works well. I bet there is even a doc on how to do this. We had a 24 bit subnet and all machine (even the users :-O through dhcp). If you are going to have a setup where some are NATed and some servers that are not NATed then perhaps you need firewalls with 3 interfaces. 1 LAN, 1 WAN, and on bridged interface with the WAN and all server on that. Then you can filter using rules based on interface.