i tried http/https, various ports and passwords, various carp-configurations (what to sync) and so on.
the link to the wiki was already posted above and i considered it carefully but to no success.

a note to special characters: the default generated rules already contain '-' in their description, also the aliases get comments added with timestamps in them containing ':'. so i guess those characters are ok (but i have non other than [[:alnum:]] in my own rules and descriptions, not even blanks).

@hexa:

I could go with filtered bridge, but won't this break other functionality i want in this set up?

If I enable bridge WAN <> OPT2, then DNAT (WAN<>OPT1) rules stop working.
So bridge isn't a solution.

At least a year I would guess, it's impossible to say.

yes this should be possible.

@MrPK:

Use CARP! Even if you wont use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIP's) to your internal IP. Done!

Thank you, MrPK. This solutoin solved my problems.
Just want to know what the difference is between CARP and Other in NAT 1:1 setting.
Please advise me.

Thank you in advance.

I think the soekris boards should be ok.

even if they were too weak it shouldn't stop it being setup right it just might not work properly.

Check and resave the carp config on the master.
Check the masters interface assignments especially the CARP sync link.
Check the subnet masks on both nodes for the CARP sync link

If it still won't go post a screen shot of the carp setup for both boxes and the sync interfaces

A diagram of your network would help.

You need 3 IPs per wan connection 1 for each real box and 1 for them to share as the CARP address

I had something like this because I had not ticked the "Synchronize Enabled" on the slave but it was not as many states

Ok I've figured out all of my confusion and it is working seamlessly.

Thanks for the help!

The box I have with all the VIPs is running 1.2 beta2, but I haven't heard of any recent issues with VIPs. I forget if beta 2 had the additional save button with the carp reboot warning…

Thanks for your help, Hoba

if i have 3 real IPs : 212.172.11.27, 213.172.11.27, 214.172.11.28.

Although i have read the tutorial many time but seem i not be able to understand well  so that you can base on 3 ip real ips and give me some major setting on pfsense.

To ngoc ( may be you are VietNamese)  ::)

Can you give me your email i want some questions about the pfsense want to ask you. Thanks Ngoc so much

Hoba, thanks for confirming what I suspected.  At the moment I am using a Netopia router to map IP addresses from public to internal.  While a Netopia tech assured me that this is not simply a straight pass-thru tunnel, from what I can determine it is and that leaves my servers exposed.  That's why I was attempting to use pfSense and get a solid, configurable firewall I know won't leave my servers unprotected.

How do I make FTP work using proxy ARP for VIPs?  Since I don't maintain all the domains I host FTP is necessary.

Tony

Anybody???

Thanks, and although I've only been using pfsense for a short time I have to say it's very impressive

It is actually working fine for a month now on 1.0.1.  Download 1.2-BETA-2 today, having fw support built-in but not fwip.

I would also like to have it in 1.2

Martin

Now that I had time to work on this after hours when traffic is to a minimal, here is my solution.  It only took 5 minutes to config and test.  All seems fine.

1. Setup WAN Interface with the new public IP
2. Created a ProxyARP VIP for Old Wan IP
3. FW Rules don't need changing … nor do I need 1:1 mapping
4. Downloaded current XML backup file
5. Copy/pasted all my NAT rules in backup file for quick duplication
6. Added this to each duplicate rule: <external-address>Old IP</external-address>
7. Restored FW with updated XML file
8. Tested a few of our services and sites which still have DNS with Old IP... all OK
9. After the Old IP expires I just delete the VIP and duplicate NAT rules.

I hope this helps someone with a similiar issue.

Thank you very much for the info.

The state table won't become a problem as far as I can judge now.

Now it realy is a GREAT firewall! ;-)

I think the problem was mostly a bad network connection.

However I am having the problem now where the secondary box keeps taking over master role and the primary releases and runs as backup.

I keep going to the Firewall >>VIP >> Carp settings,  on the master machine and hitting save.

I think that should reassert its role as master correct…? If not, how do you?