• VIP went crazy…

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Has anyone set up failover with AT&T uverse?

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    GruensFroeschliG
    I think this thread might interest you: http://forum.pfsense.org/index.php/topic,6049.0.html Also I kind of remember a thread trying to figure out what the TV part was. I think it had something to do with the TV traffic being on another VLAN or something like that, but I cannot find the thread anymore… edit: found it: http://forum.pfsense.org/index.php/topic,4491.0.html But I think it's not related :(
  • Second WAN IP not working

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    E
    hmm, let me see.  I tried to access the .30 ip from a web browser on a totally separate internet connection in a completely separate building.  I am already aware that I am not able to access vips from within the LAN.  I am also aware that local services cannot bind to PARP addresses.  I wouldn't have posted my question if I didn't already search. Thank you.
  • Not able to create VIP with IP addresses from second subnet.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    dotdashD
    This may be the right post: http://forum.pfsense.org/index.php/topic,7039.0.html
  • Carp implementation

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    dotdashD
    CARPDEV does this, but it is not yet working on FreeBSD. For now, you will need at least three public IPs for a CARP cluster.
  • Public IP on server interface

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    P
    I have had this setup before, but I was not using pfsense at the time. But since I was using pf on openBSD it should be close. There was no need other than all the server IPs would have had to change and there were a lot of servers. What we set up was a bridging firewall. Some call it an IP-less firewall. Either way you are going to be filtering packets as they cross the kernel. As I understand it pfSense can do this. I have not tested this, but I hear it works well. I bet there is even a doc on how to do this. We had a 24 bit subnet and all machines (even the users :-O through dhcp). If you are going to have a setup where some are NATed and some servers that are not NATed then perhaps you need firewalls with 3 interfaces. 1 LAN, 1 WAN, and one bridged interface with the WAN and all servers on that. Then you can filter using rules based on interface.
  • Carp master slave how to update config.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Loadbalancing Webservers

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A
    @Comradin: any hints on how to check if balanced sessions are sticky or not? Set it up and observe if your requests continue to hit a particular one of the backend servers.
  • HELP … An error code was received while attempting XMLRPC sync

    Locked
    10
    0 Votes
    10 Posts
    16k Views
    S
    Hopeless… just no way to get MultiWAN working with CARP failover. I have this situation now... I figured out ISP2 gives me only 2 IPs, so I'm screwed... but I'm screwed because CARP sucks, not because of this ISP. U see.. there is no way to use Multiwan on MASTER and One WAN on BACKUP (so only one ISP would be CARP-ed) I ended up so that Backup is making random reboots now. It didn't survive Master crash at all.. and after Backup became Master.. and the real master woke up - it NEVER gave back the Master status to the right box. Basically after a crash.. the internet would never come back automatically. Seems I'm on "manual" hardware failover now.
  • Carp ICMP Filling up Firewall Log

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • CARP Sync failing ESX

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    N
    I re-installed 1.2 and the weird lockup issue went away.  CARP is working great, however SYNC'ing still doesn't work.  ???  The states table syncs but nothing else. So my main issue has been corrected as I don't have a single point of failure, however I would like the configs to sync so anytime I make a change I don't have to remember to make it to my "Backup". Not sure where else to look for the problem, would uploading a packet capture or config help someone troubleshoot this further? Thanks
  • Master becomes Slave and Slave becomes Master

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    I got the reason why it didn't work: The LAN Interface of FW1 was a 10 mbit network card! Until I put in a 100 mbit network card it works fine!
  • Setting nic address and default gateway as the same ip

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Carp

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    B
    It sounds like you have it backwards. You want to enter the IP address of the backup on the carp page of the master. Putting an IP address in that field and checking the box essentially tells it to push the settings to that device.
  • CARP needed, limited IPs available

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    F
    Thanks dotdash, in my trolling I ultimately decided you had given the answer to me …I'm upping to /28 ideally ...it's a pain with my ISP ...I actually use a lot of port forwarding to get it down to the 5 ...i could get it to 3 maybe, but that's really pushing it ...but any way, thanks again ...and looking forward to CARPDEV someday.
  • Master-Master Config

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K
    I've your answer expected ;D but: In CARP-Documentation is written that's possible. Is it not supported because it's not tested? Or is not working and I'll get problems? Is it technical (e.g. unsupported) possible to sync in both directions (fw001 <–> fw002). I ask because I want share applications over two firewalls: fw001: vpn, internet access,... fw002: web hostings, dmz, ... If one firewall goes down then the other firewall run all. Is it planned in future to support master-master?
  • 3rd interface not failing back…

    Locked
    21
    0 Votes
    21 Posts
    32k Views
    S
    I've seen this one before… sorry to say that I'm a noob and just figuring out my own probs at: http://forum.pfsense.org/index.php/topic,10458.0.html At my configuration... it happened when the CARP suddenly "worked" after I sorted out some bugs... then again it didn't work. It was when the SYNC interfaces were on 10Mb/s old NICs. And the LAN VIP became master on Backup, WAN and WAN2 were left Master at the Master box. And then when I went to 100/10 NICs the backup took all the VIPs as master... so it might be something different than your prob. One question... how would I bypass the "broadcast" thing if it really is the switch or NIC's bad appetite for not eating broadcast packets?
  • CARP Master/Backup failure

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    S
    I'm fairly new to CARP stuff… u can read my tries at: http://forum.pfsense.org/index.php/topic,10458.0.html I can confirm this happening. I had 3 VIPs at master... LAN WAN WAN2 I created LAN VIP on the backup and then got the CARP working... The same happened.. weirdly displayed and only icons showing at the CARP status screen. So I deleted all VIPs at backup, then saved CARP settings at Master and it synced VIPs to backup properly. I assume it has something to do with the VIP syncing over the one that already existed.
  • CARP w/Bridge, Switch Issue? [solved]

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    jimpJ
    And now I seem to have successfully trained the switch to properly prioritize the ports. I had to change not only the port priority, but the path cost. For the record, my DMZ port configuration on switch #2 looks like this:

        interface FastEthernet0/1
         description Firewall - Master - DMZ Port
         switchport access vlan 20
         spanning-tree vlan 20 port-priority 64
         no cdp enable
        interface FastEthernet0/2
         description Firewall - Slave - DMZ Port
         switchport access vlan 20
         spanning-tree vlan 20 cost 500
         no cdp enable

    Sorry for the noise! Keep up the good work, everybody.
  • Ping WAN VIP from LAN

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    GruensFroeschliG
    Are you really really sure that you can ping these VIPs now? Because it's NOT possible to ping proxy type VIPs.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.