I have gotten this to work by just enabling "Synchronize Enabled" in the CARP Settings and selecting the interface desired, the firewalls will find each other via multicast and tell each other what states they have. I am load balancing across multiple firewalls and need to handle as many states as possible. I have also gotten syncing of rules working by following all the instructions for CARP but leaving out the virtual IP parts.

dotdash, you saved the day!  :)

So it has been working all along, I just did not properly perform the ping test, when I had the VIPs set up with type Proxy ARP.

Thank you very much, your 4 steps showed the way to success.

BTW I had conversations with a lot of ppl today in various ways, and they all just told me, that this setup can not work properly, and that my best chances are to return to the former setup with the DSL modem handling the PPPoE connection. Now I can proof them wrong! :)

only the primary machine has anything to sync, aside from the config. If you sync the config from primary to secondary and secondary back to primary you're going to break stuff. It's possible to set it up that way, as I've heard of people doing it before and breaking stuff.

@dbuckle:

I was having a similar problem on a wrap board where whenever the CRAP interface was changed

Hey now, don't call it names.  ;D

Yeah, the config file can be restored. You'll have to reflash to get to 1.2b1, but once you're on that version you can use the firmware update page to upgrade going forward.

Hi,

Thanks for the kind link. I was searching the forum, but in some strange way I got 0 results for some time.

I have read about the spanning tree option, this migt be a good idea, but this solution is also what I really like, thanks a lot !!

I got it.

My ISP had not removed the filter on their side, even though they had assigned the ip to me.  Once they made the change, everything started working.

Cheers!
Ken

There's really not much to the VHID numbering other than making them unique.  This is not something that you'll ever need to change or inspect once it's set up.

-Martin

turn on nat reflection

Thanks a lot for your help!  The passwords were correct.  What I ended up doing is deleting that CARP interface and recreating it.  Then I rebooted the backup machine.  When it came back up, it became backup for all the interfaces, including the one I had a problem with.  I made the master fail so that the IPs were handed over to the backup, and when the master came back up, the backup gave all the IPs back to the master without issue.  I hope this just stays this way and wasn't a one time thing…

Please test a recent snapshot.  I have added a patch that may resolve this issue.

Not to make life more complicated, but how would I add BGP into the mix to provide failover to another site?

Eric

@Perry:

You setup vlans like any other nic
http://pfsense.hotserv.dk/hmm.htm

VERY, VERY helpful … thanks bunches!!  I have it up and running now with little difficulty thanks to this great presentation.

@rexsrexs:

I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32 the pfbox will also complaint, it said

Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.

If you are using a CARP VIP, the subnet mask of the VIP should match the subnet mask of the Interface (/29 in your case). The 1-1 NAT should still be a /32 to match one internal and one external address.

Yeah, I got ya.

its me again. problem solved. i just made the host that used to be enslaved the master. exMaster is now the gimp. and gimp works fine. gimp is now encaged. and whenever master needs something from gimp, gimp may fulfill his duties. i think it was the builtin nic from some dellMachine.

pfSense is a good product. i especially like the fact, that it is not a blackbox like some other enterPriseSolutions. well, whatever! good work it is.
thanks a lot for this solution and think about it: if they say it is fiction, it is probably the truth.

Sorted.  I disabled the default Anywhere->LAN rule at some point along the line.

Thanks for the heads up hoba.