I suppose I should mention how we route to the blocks internal to our network.

We have a /29 assigned to the WAN interface, and carp running between the two firewalls.

We then have our upstream statically routing blocks to the CARP IP of the firewall, and internally have these blocks assigned to interfaces directly connected on the firewalls.  No RFC1918 IP space is used, only public address space.

Okay.  So I got this working by throwing in a NAT rule.

I did finally get sync working.  Discovered that one of the network cards was bad.  The thing that annoyed me initially is that once I told it to sync, I could never get it to stop making the attempt short of resetting to factory.

AFAIK this depends on how you setup your ISPs.
pfSense currently only supports PPPoE client on WAN interface. If the second ISP can be handled by an external router you should be fine.

i tried http/https, various ports and passwords, various carp-configurations (what to sync) and so on.
the link to the wiki was already posted above and i considered it carefully but to no success.

a note to special characters: the default generated rules already contain '-' in their description, also the aliases get comments added with timestamps in them containing ':'. so i guess those characters are ok (but i have non other than [[:alnum:]] in my own rules and descriptions, not even blanks).

@hexa:

I could go with filtered bridge, but won't this break other functionality i want in this set up?

If I enable bridge WAN <> OPT2, then DNAT (WAN<>OPT1) rules stop working.
So bridge isn't a solution.

At least a year I would guess, it's impossible to say.

yes this should be possible.

@MrPK:

Use CARP! Even if you wont use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIP's) to your internal IP. Done!

Thank you, MrPK. This solutoin solved my problems.
Just want to know what the difference is between CARP and Other in NAT 1:1 setting.
Please advise me.

Thank you in advance.

I think the soekris boards should be ok.

even if they were too weak it shouldn't stop it being setup right it just might not work properly.

Check and resave the carp config on the master.
Check the masters interface assignments especially the CARP sync link.
Check the subnet masks on both nodes for the CARP sync link

If it still won't go post a screen shot of the carp setup for both boxes and the sync interfaces

A diagram of your network would help.

You need 3 IPs per wan connection 1 for each real box and 1 for them to share as the CARP address

I had something like this because I had not ticked the "Synchronize Enabled" on the slave but it was not as many states

Ok I've figured out all of my confusion and it is working seamlessly.

Thanks for the help!

The box I have with all the VIPs is running 1.2 beta2, but I haven't heard of any recent issues with VIPs. I forget if beta 2 had the additional save button with the carp reboot warning…

Thanks for your help, Hoba

if i have 3 real IPs : 212.172.11.27, 213.172.11.27, 214.172.11.28.

Although i have read the tutorial many time but seem i not be able to understand well  so that you can base on 3 ip real ips and give me some major setting on pfsense.

To ngoc ( may be you are VietNamese)  ::)

Can you give me your email i want some questions about the pfsense want to ask you. Thanks Ngoc so much

Hoba, thanks for confirming what I suspected.  At the moment I am using a Netopia router to map IP addresses from public to internal.  While a Netopia tech assured me that this is not simply a straight pass-thru tunnel, from what I can determine it is and that leaves my servers exposed.  That's why I was attempting to use pfSense and get a solid, configurable firewall I know won't leave my servers unprotected.

How do I make FTP work using proxy ARP for VIPs?  Since I don't maintain all the domains I host FTP is necessary.

Tony

Anybody???

Thanks, and although I've only been using pfsense for a short time I have to say it's very impressive