Hi everybody, I've just upgraded to pfSense 2.3, but I still have the same issue. Any idea? Thank you again.

you know that pointing to a wiki is not going to help…. Anyway to the question Maybe your looking at multi WAN? meaning that the WAN has a diferent gateway from each other ex: 181.xx.xx.114/29 with gateway of 181.xx.xx.113 and lets say you have another lSP 201.xx.xx.21/29 with gateway of 201.xx.xx.222 meaning its called multi WAN with fail over But if you have one lSP 181.xx.xx.114/29 with gateway of 181.xx.xx.113 but thy give you another ip of 181.xx.xx.117 you need to add a Virtual IP (VIP) then create NAT rules

Hello, Thank you for your reply. Therefore, the following configuration is normally possible ? CARP VIP IP interface : 192.168.1.249/24 STACK CARP IP ALIAS VIP interface :  192.168.2.249/24 Thank you again for your help. Soulearth

Hello all, I'd also like to know if this issue is still present in pfSense 2.2.6. Anyone using such configuration ? Regards, Régis

The sync address is just the IP of a pfSense Box, which gets the configuration settings. This can be slave or master or any box else. If you intend to obvert sync direction, first delete the sync IP from the master than add the new one to the slave.

@ewuewu: What I want to obtain is: LAN addresses should not be translated AND sould leave the pfsense via the WAN CARP address Packet can't leave pfSense "via the WAN CARP address". That is just a virtual IP address, nothing physical. Packets may leave pfSense via an interface or can be routed to a gateway. They just have a source and a destination address, and these can be translated or not.

Aaaaand… I broke it again - same behavior.  Unclear exactly how I did that.  I was putting some Snort stuff together, but even suspecting that, and disabling it, still get no-resume behavior (testing from one of the WAN interface sides. Interestingly, if I reverse the scenario - start downloading a file from the LAN side, pull a cable, that does resume.  So it is somehow related to the WAN side, or the number of VIPS/1:1NATs I have?  B/c WAN, DMZ, and LAN are all using CARP VIPs.  I'll do some more testing, but yes, FW2 (looking in Diag->States) does have that in there (http connection), so states are synching.

If you have CARP and Traffic shaper configured take a look here: http://forum.pfsense.org/index.php?topic=45045 armando

Thanks. Gee it says so right there. (I did read the entire HA chapter in the book again before I asked :/ ) You're right. I'm probably over-thinking it. Creating the laggs would probably be more disruptive anyway.

I was able to correct this. Because my testing environment is using different hardware and interfaces I needed to setup the interfaces more carefully What I discovered is that when CARP assigns matches interfaces, it must choose them in sequential order from the assign interfaces page, matching them with the other firewall. What I had was Firewall 1 #1 LAN #2 EM1 #3 EM2 #4 Bridge0 Firewall 2 #1 WAN #2 LAN #3 CXL0 #4 CXL1 #5 Bridge0 So, what I think happened was that CARP was matching #4 from each list, so my bridge0 (#4 on Firewall 1) was being matched with CXL1 (#4 on Firewall 2) Once I reassigned my interfaces and lined up the interface numbers CARP matched the correct interfaces.

BGP and NAT are two different systems on BGP you have neighbor not gateway how many BGP sessions you have with your providers?and which ip is recognized by your provider for BGP session?

That is good to know. Thank you very much for your help. Really appreciate it.

In this scenario, both routers are advertising the 4.15.227.0/25 subnet, only the secondary is advertising with an artificially more distant path, this wouldn't be chosen unless the primary is down. The inside,  when using OSPF, for example, the secondary advertises the default gateway with a less favorable metric than the primary, thus on your inside switches, you end up with two default routes, but only the best one would be used. In the case that the primary pfsense goes down, then the secondary's routes become the only remaining routes on the ISP and Internally, and it keeps on working. You could also put a link between the two boxes to route traffic over it in the event that either just the inside or the outside link goes down on the primary, then the traffic would flow through the secondary on the cross-over link, or if your switches support multi chassis LAGG you could add redundancy that way too. Because pfSense is a stateful firewall, under certain circumstances, the session would drop, but for web traffic it wouldn't be noticeable for the most part.

I think I may have fixed this one! It took me a lot of experimenting to get the ARP cache on the Draytek to recognise the PFSense Carp IPs…. Finaly seems to be Port forwarding ok though. Next I will see if I can use a Carp IP as the Outgoing network IP.

You can. Check the sync box on settings tab.