• Added a VIP on LAN, can't ping it (same subnet)

    Locked
    0 Votes
    4 Posts
    4k Views
    GruensFroeschli
    You cannot ping Proxy type VIPs. Only CARP type VIPs. http://forum.pfsense.org/index.php/topic,7001.0.html
  • CARP Settings Username and Password

    Locked
    0 Votes
    10 Posts
    7k Views
    And pay attention! The interfaces must have the same order, please take a look at the screenshot... e.g. LAN, WAN, SYNC for the master and LAN, SYNC, WAN is not working... [image: ScreenShot003.jpg]
  • CARP - DUAL WAN - WIFI

    Locked
    0 Votes
    2 Posts
    3k Views
    dotdash
    @cyriles: I have 2 ADSL internet connections (PPPOE) with dynamic IP addresses, I want them to work in Load Balancing mode, one connection on the Master and one on the Slave. Here is your first issue. If you set it up this way, the failover will not be very clean and the slave connection will only be used when the master is down. Typically, you would use two WAN ports on each computer, and connect both to both DSLs. In your case, two PPPoE WANs are not possible, and you would need a router between the second WAN and the DSL. Searching should provide detailed information on this. @cyriles: Now my second question: Do I have to plug one access point on each server and if yes, will they both be "online" or only one at the same time depending on the working server (Master or Slave)? I would think the simple answer to this would be to set up your WIFI port like another LAN, connect the AP to a switch that is connected to the WIFI-OPT ports on both pfSense boxes and point the AP's gateway to the CARP address of the WIFI-OPT interface.
  • Inbound Loadbalancing - sticky connections- does not Round Robin

    Locked
    0 Votes
    12 Posts
    7k Views
    How do I configure Sticky Address? And what is the behavior with this option? Thanks G
  • LAN CARP as gateway

    Locked
    0 Votes
    7 Posts
    7k Views
    So I figured out that the problem is all about return-path. The real network servers had their own default routes and were basically returning traffic along that path instead of through pfSense. The equivalent of this is LVS-DR, for you Linux virtual server types out there. Is there an equivalent of LVS-NAT, where web servers route traffic back to the pfSense load balancers that originally requested it?
  • Moving to a new Internet Line and keeping the old line active

    Locked
    0 Votes
    3 Posts
    2k Views
    OK, that makes sense. Thank you!!!
  • Internal load balance (virtual server)

    Locked
    0 Votes
    3 Posts
    2k Views
    Thanks GruiensForeschli. The NAT didn't work. I know that NAT is resolved prior to firewall rules. Does anyone know how "Virtual Servers" works? If it's a matter of configuration I can try to dig into the code to do this, or set up a bounty. Is it a combination of custom NAT with gateway routing, or what's the behind-the-scenes program that handles this? It's interesting to note, in the NAT, it says: If you want this rule to apply to another IP address than the address of the interface chosen above, select it here (you need to define Virtual IP addresses first). Note if you are redirecting connections on the LAN, select the "any" option. … why do LAN port forwards require the "any" option, but WAN does not? Is it a limitation of the program doing the NAT? If it's that kind of limitation, then I guess there is no solution.
  • Not enough vhids per ips, carp alias?

    Locked
    0 Votes
    4 Posts
    3k Views
    You must have one VHID per IP if you're running CARP. ifconfig alias IPs are not able to be used in a failover deployment. @RedRocket: Yes, my ISP is assigning vhids, I am not sure what the normal practice is here, I do know however that if there is any fuckup with vhids on our network interfering with theirs or other clients, they will simply pull the plug on us. Doesn't surprise me, it's not a bad idea. They need to be willing to provide enough VHIDs though.
  • CARP + pfsync problem

    Locked
    0 Votes
    6 Posts
    5k Views
    ~~I'm ending up with the same problem on a 1.2 STABLE release. I have: both machines up-to-date usernames the same passwords the same firewall rules on the SYNC interfaces on * * * * I also rebooted both machines, but this gives no clue. HTTPS or HTTP set on both machines doesn't make any difference also. What could be wrong here?~~ I have solved this issue. It should have been a subnet that needed to be test on /24… this was also in the second troubleshooting part.
  • CARP & OpenNTP

    Locked
    0 Votes
    3 Posts
    3k Views
    So, I've set up pfSense 1.2 using CARP for automatic failover. This is very nice stuff! However, the ntpd server does not allow the ntpd server to be started on the LAN carp device. Don't forget that if you edit your openNTP settings, these changes will be lost. So… Try this: diagnostics->edit and load the following file: /var/etc/ntpd.conf and add the following line and save: listen on 172.16.1.1 (or whatever your LAN carp ip is) diagnostics->command: kill -KILL $(pgrep -u root ntpd) && /usr/local/sbin/ntpd -f /var/etc/ntpd.conf
  • Problem with CARP-CLUSTER

    Locked
    0 Votes
    5 Posts
    3k Views
    @juraj_bond: In Firewall-Virtual IPs-Carp Settings-Synchronize Enabled. Yea I figured it out… I've now tried with device polling, disabling syncing the state table, changed the table size with no result. Still when I'm ghosting with multicast I get the same high ping issues and interrupts...
  • Adding IPs to WAN connection

    Locked
    0 Votes
    12 Posts
    7k Views
    dotdash
    Here is the other thread: http://forum.pfsense.org/index.php/topic,7039.0.html My static route was-  WAN (secondary subnet/mask) gateway (the WAN CARP address)
  • Carp Vip : intern to public to intern

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    Please use the search: http://forum.pfsense.org/index.php?action=search keyword: "NAT reflection" http://forum.pfsense.org/index.php/topic,7001.0.html
  • Failover/VIP Pool Problem

    Locked
    0 Votes
    2 Posts
    2k Views
    dotdash
    The load balancer is for failing between WAN interfaces. I'm assuming you just need to failover from the master to the slave in your CARP setup. Please check out the tutorial here: http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm but basically, you want to have the internal machines use 10.x.x.9 as the gateway and use x.x.x.9 as the outbound translate in AON.
  • Load balancer failover

    Locked
    0 Votes
    2 Posts
    2k Views
    dotdash
    Have you looked at this? http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm You'll notice that on the secondary node, you only check 'sync enabled' and select the interface. (Ignore the preemption setting, it's on by default now)
  • CARP and VRRP

    Locked
    0 Votes
    2 Posts
    3k Views
    dotdash
    CARP and VRRP live happily together provided you are using unique VHIDs. As mentioned in another thread, the messages are cosmetic. If they really bother you, you might try filtering the broadcasts, perhaps with a filter on your switch. Setting the sysctl net.inet.carp.log to 0 might get rid of them also. I'm content to ignore the messages and haven't tried either of these suggestions, so proceed at your own risk.
  • [SOLVED] question about carp failover

    Locked
    0 Votes
    4 Posts
    3k Views
    OK, I have found my problem; it is my fault, I have not read the tutorial well. I have created the virtual IP manually on both the master and the slave and I think it was the problem; I must create the VIP only on the master and they will be synced automatically on the slave.
  • Very Slow Routes via CARP

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Bridge+stp problem

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • I have two masters

    Locked
    0 Votes
    16 Posts
    18k Views
    I have finally solved the problem. I post here the solution because it is a common error that can happen (I am asking pfsense programmers to modify pfsense behaviour): in wan (and only in wan, not wan2) there is a setting to "block private networks". It is suggested to check it, but nobody warns that blocking private networks block also vrrp advertisement!!!!!!!!!!! Now I will investigate on the openvpn not working on udp problem.