Thanks cmb. After I posted I was thinking it through during the day and realized it wouldn't work and shifting the terminating ip to the same as the range of  ip's I have a might make more sense. My main focus is being able to run 1 to 1 and Squid. My experience is showing me that squid is worth running as it improves the experience of my customers. I have another issue posted as another topic I don't know if you can answer if you happen to glance back. I have 2 gateways. 2 seperate company's providing. (one is the 10 Mb fiber with the ip allocation) I'm using one or the other  but I'd like to use both. There is almost no info in the forum about load balancing . the two gateways are on the same subnet connected by an 8km wireless link. Can I set them up to load balance? and can I set them up to failover using a single link ? I'm sorry about effectivly double posting but I think you might know and I haven't found even the outline of how to set up load balancing. Once again I'm in your debt Cheers

Thanks for the help, I will just ignore the messages for now….

Ah I see, cheers.  Makes things simpler

Yep 1.2-RC3 is very stable (better than 1.0.1) and I would use it in production. The RELENG_1 path is the next 1.3 edition in its very early stages (it is a slightly confusing numbering system maybe RELENG_1_3 would be better).

I suppose I should mention how we route to the blocks internal to our network. We have a /29 assigned to the WAN interface, and carp running between the two firewalls. We then have our upstream statically routing blocks to the CARP IP of the firewall, and internally have these blocks assigned to interfaces directly connected on the firewalls.  No RFC1918 IP space is used, only public address space.

Okay.  So I got this working by throwing in a NAT rule.

I did finally get sync working.  Discovered that one of the network cards was bad.  The thing that annoyed me initially is that once I told it to sync, I could never get it to stop making the attempt short of resetting to factory.

AFAIK this depends on how you setup your ISPs. pfSense currently only supports PPPoE client on WAN interface. If the second ISP can be handled by an external router you should be fine.

i tried http/https, various ports and passwords, various carp-configurations (what to sync) and so on. the link to the wiki was already posted above and i considered it carefully but to no success. a note to special characters: the default generated rules already contain '-' in their description, also the aliases get comments added with timestamps in them containing ':'. so i guess those characters are ok (but i have non other than [[:alnum:]] in my own rules and descriptions, not even blanks).

@hexa: I could go with filtered bridge, but won't this break other functionality i want in this set up? If I enable bridge WAN <> OPT2, then DNAT (WAN<>OPT1) rules stop working. So bridge isn't a solution.

At least a year I would guess, it's impossible to say.

yes this should be possible.

@MrPK: Use CARP! Even if you wont use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIP's) to your internal IP. Done! Thank you, MrPK. This solutoin solved my problems. Just want to know what the difference is between CARP and Other in NAT 1:1 setting. Please advise me. Thank you in advance.

I think the soekris boards should be ok. even if they were too weak it shouldn't stop it being setup right it just might not work properly. Check and resave the carp config on the master. Check the masters interface assignments especially the CARP sync link. Check the subnet masks on both nodes for the CARP sync link If it still won't go post a screen shot of the carp setup for both boxes and the sync interfaces

A diagram of your network would help. You need 3 IPs per wan connection 1 for each real box and 1 for them to share as the CARP address

I had something like this because I had not ticked the "Synchronize Enabled" on the slave but it was not as many states