Not to make life more complicated, but how would I add BGP into the mix to provide failover to another site? Eric

@Perry: You setup vlans like any other nic http://pfsense.hotserv.dk/hmm.htm VERY, VERY helpful … thanks bunches!!  I have it up and running now with little difficulty thanks to this great presentation.

@rexsrexs: I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32 the pfbox will also complaint, it said Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface. If you are using a CARP VIP, the subnet mask of the VIP should match the subnet mask of the Interface (/29 in your case). The 1-1 NAT should still be a /32 to match one internal and one external address.

Yeah, I got ya.

its me again. problem solved. i just made the host that used to be enslaved the master. exMaster is now the gimp. and gimp works fine. gimp is now encaged. and whenever master needs something from gimp, gimp may fulfill his duties. i think it was the builtin nic from some dellMachine. pfSense is a good product. i especially like the fact, that it is not a blackbox like some other enterPriseSolutions. well, whatever! good work it is. thanks a lot for this solution and think about it: if they say it is fiction, it is probably the truth.

Sorted.  I disabled the default Anywhere->LAN rule at some point along the line. Thanks for the heads up hoba.

You may be able to block IM if you so desire using Snort, not sure if it detects IM or not, that's the common way to block P2P traffic. IMSpector is available in packages to monitor IM. There isn't a good content filter yet, but there is a commercial one that will be available as a package before too long. Problem with routing branch office traffic back through your main office is it wouldn't go through Barracuda the way I showed it above. If you don't need to see the traffic before it gets NAT'ed, you could do this instead: LAN – pfsense -- switch -- Barracuda -- modem/router where modem/router is whatever device connects you to your ISP, whether a perimeter router, cable or DSL modem, etc.

No, the CARP IPs and the real interface IPs have to be in the same subnet so you "lose" 1 IP per Member in the cluster per interface, at least it can't be used for failover with CARP. Portforwards for example will of course still work for those real interface IPs, they just won't failover in case one of the nodes dies.

@dbuckle: CARP Status still shows a lot of (about 30-40) pfSync nodes which I'm worried about. This is normal. Also see http://wiki.pfsense.com/wikka.php?wakka=InBoundLoadBalancingTroubleShooting

I am using an anonymous proxy to test from outside. I didn't reinstall, updated a while back to the new version (didn't cause a problem), and I don't believe I rebuilt the config. Everyone keeps telling my my config should work when I had this problem last time but I am not sure why it just started working back then. I switched NICs and had all my info in, no luck.

It's possible that there is a soekris issue.  This pair are in production, but I have another 4801 at home running m0n0wall that I'll upgrade to pfSense 1.0.1 and test with iPerf to see if I can generate similar issues with polling and non.  Then I'll upgrade to the 1.2 snapshot and see if the upgrade of the base OS from 6.1 to 6.2 fixes any polling/performance issues. I'm running the latest bios that I know of, as these boxes were only purchased about 2 months ago. Thanks for your attention in this matter.  I'll report back if I can find anything useful.

I would go for a reinstall. Once the basic network is setup you can shoot over most of the settings with sync from the master. …oh, and thanks for loving pfSense  :D

Should work okay.  Start a bounty for the documentation request.

some this  issue is only on your lan yes i have seen a similar issue a time ago now i just dont sync the lan with a vip i keep it out of the loop so agreed there must be a bug introduced somewhere. i think it only happened when the wan was multiwan though. can't be sure and dont have time to test ift for you. could you put the lan on a vlan and not use it and put the subnet in question on an opt and see if it goes away maybe try adding a ticket for it or wait a bit to see if someone can confirm it

I'm currently running 3-15-2007, but I will upgrade to the latest after I test a little bit. Thanks! Scott

Doesn't matter either way.  SQUID is a userland proxy and as soon as you fail over to the second host no matter what the application state is lost and any states will be lost. So basically even if it did use the correct WAN/CARP IP the situation would not change on fail over.