• CARP SYNC has stopped working

    5
    0 Votes
    5 Posts
    1k Views
    radR
    I just wanted to confirm that this was the solution. The interface had gone down due to inactivity while I was repairing the second firewall.
  • Routing between same interface IP

    1
    0 Votes
    1 Posts
    620 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    F
    No one with an idea? That usually means that I asked a really stupid question :-) I also might be completely wrong with the idea that it has something to do with the difference between BSD and Linux. Any help here is very welcome. I have no idea left on where to look for the problem.
  • Public WAN VIP failing after 20 minutes

    15
    0 Votes
    15 Posts
    3k Views
    C
    We also have exactly this issue with UPC Ireland. No resolution as of yet no matter what we tried.
  • Firewall Cluster

    3
    0 Votes
    3 Posts
    959 Views
    R
    Thanks
  • Carp_mac not working

    3
    0 Votes
    3 Posts
    1k Views
    R
    Hello, Thanks for your reply! I'm using version 2.1.3. So, is there any configuration to send packets (at least ARP replies) with the VIP MAC address?
  • Broken VIP's after Interface Changes

    2
    0 Votes
    2 Posts
    755 Views
    C
    I think I know what's causing that, if you're referring to Interfaces>assign. There was an edge case along those lines that's been fixed in 2.2. Could try your config on a test 2.2 install and see if you can replicate? I suspect not, but if so I'd like to look at it ASAP as we're nearing release candidate stage on 2.2.
  • Monitor CARPSYNC is working

    3
    0 Votes
    3 Posts
    1k Views
    T
    Hello viragomann, Thank you for your reply! I can see that notification is sent when CARPSYNC has issues. This is very helpful. Is there a command line way of checking that there is an issue? Thank you
  • Using different Public IP for Multiple Vlans

    4
    0 Votes
    4 Posts
    2k Views
    G
    @_Cyph3r_:
    Your post confused me a bit, because outbound nat is not "gateway" based. Am I correct in assuming that
    you have a WAN interface with a public ip
    you have a TestLAN interface with a private ip
    you want traffic from the TestLAN towards internet to be originating as if it was the Public VIP?
    Outbound NAT rule like this should do the trick:
    Interface: WAN
    Source: subnet(s) behind the TestLAN (eg 192.168.1.0/24)
    Translation: your VIP
    everything else left on default
    Can't comment on the failover, sorry.

    Thank you for your answer Cypher. Here is what I did this far:
    VIP - IP alias - This ip is in the same range as the WAN ip.
    Outbound NAT rule:
    Interface: The interface mentioned above in the VIP conf.
    Subnet: TEST_LAN subnet
    Translation: The VIP mentioned above
    Static Port: No
    Did the same for the ISAKMP one (just changed the translation in fact) but Static Port is at Yes.
    Firewall rule:
    Protocol: any
    source: Test_LAN subnet
    destination: any
    gateway: The gateway of the WAN mentioned above.
    So now I can ping 8.8.8.8 or www.google.com but I can't access http://www.google.com or any other website in a browser from the LAN. Also tried with another browser, no luck there.

    @Derelict:
    Thank you for your answer Derelict, if I understand well, I just have to configure an outbound NAT rule for each WAN interface on the TEST_LAN and when failover happens, it will just use the one corresponding to the actual WAN? Thanks.

    EDIT: We tried some other protocols, SSH works. I tried adding some outbound NAT rules stating that the target port is 80 and another for 443, didn't work. Also tried the same two rules with the static port options activated, didn't work either. It's strange, it seems to fail to map some ports, but 30022 (the modified ssh port we use) worked.
  • CARP DHCP Failover in VLANs

    10
    0 Votes
    10 Posts
    4k Views
    C
    The issue you described is caused in some circumstances with many instances. Pre-2.2, it restarts dhcpd 2-3 times on the secondary after syncing the config, which triggers some bug in ISC dhcpd that does exactly as you describe. That's fixed in 2.2.
  • CARP with 2 different subnet

    5
    0 Votes
    5 Posts
    2k Views
    G
    I'm sorry, I have two /26 subnet not /29. I know that my subnet are different and to each other. But how can I tell pfSense that? One solution I found is to create a second "WAN" interface with my second subnet (and his gateway). With this configuration, it's working! CARP are up everywhere (Ping, NAT & Outbound!) Only problem, firewall logs is filled with VRRP advertises (CARP announces from range A.B.C.192/26 on X.Y.Z.192/26 interfaces and CARP announce from range X.Y.Z.192/26 on A.B.C.192/26 interface). I really think it's a gateway problem: when I create Alias IP, I can't tell him to use a specific gateway…
  • CARP Failover between firewalls

    2
    0 Votes
    2 Posts
    886 Views
    C
    Anything you do to either of a completely separate pair of systems won't impact a different pair. There are a variety of general network issues that could cause the described scenario, maybe routing to non-CARP IPs somewhere, among other possibilities.
  • Migrate from standalone to failover

    3
    0 Votes
    3 Posts
    1k Views
    G
    Awesome, that's exactly what I was expecting. Just didn't want to burn a public IP address if I didn't have to. Thanks for the help.
  • Help understanding VIP

    4
    0 Votes
    4 Posts
    1k Views
    B
    Similar issue with VIPs and 1:1NAT

    I've moved from a physical to a virtual (VMWare 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 natting working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN Gateway. If I remove the 1:1 or disable it then that guest is again able to ping my WAN Gateway. I have my firewall wide open (any/any) on all interfaces so I don't think it's a firewall rule causing this. Any ideas from the community would be great!

    SETUP:

    VIPs and 1:1NATs
    1. 97.x.x.10/29 | 1:1NAT = 192.168.5.1 (F5 APM Web Access)
    2. 97.x.x.11/29 | 1:1NAT = 192.168.2.5 (2012R2 RDS Gateway)
    3. 97.x.x.12/29 | 1:1NAT = 192.168.2.4 (2012 R2 Web Server)

    Physical Interfaces (em0-em2)
    -EM0 (WAN) 97.x.x.13/29 (Gateway 97.x.x.9/29) <-- Lab WAN
    -EM1 (all vlans from this) = EM1_vlan2 = 192.168.2.254 (tagged: vlan 2)
    -EM2 HomeNetwork 192.168.100.254/24 (Gateway 192.168.100.1/24) <-- This goes to my Home DDWRT Router

    9 vLANS / Layer3 Gateways
    CoreNetwork_v2  | 192.168.2.254
    VM_Network_v3   | 192.168.3.254
    VM_Network_v4   | 192.168.4.254
    VM_Network_v5   | 192.168.5.254
    VM_Network_v6   | 192.168.6.254
    VM_Network_v7   | 192.168.7.254
    VM_Network_v8   | 192.168.8.254
    VM_Network_v9   | 192.168.9.254
    SAN_Network_v10 | 192.168.10.254
  • VIP & 1:1 NAT not working

    12
    0 Votes
    12 Posts
    3k Views
    B
    Resurrecting this thread - was not Charter ISP after all. :-X

    I've moved from a physical to a virtual (VMWare 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 natting working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN Gateway. If I remove the 1:1 or disable it then that guest is again able to ping my WAN Gateway. I have my firewall wide open (any/any) on all interfaces so I don't think it's a firewall rule causing this. Any ideas from the community would be great!

    SETUP:

    3: Physical Interfaces (em0-em2)
    -EM0 (WAN) 97.x.x.13/29 (Gateway 97.x.x.9/29)
    -EM1 (all vlans from this) = EM1_vlan2 = 192.168.2.254 (tagged: vlan 2)
    -EM2 HomeNetwork 192.168.100.254/24 (Gateway 192.168.100.1/24)

    9 vLANS / Layer3 Gateways
    CoreNetwork_v2  | 192.168.2.254
    VM_Network_v3   | 192.168.3.254
    VM_Network_v4   | 192.168.4.254
    VM_Network_v5   | 192.168.5.254
    VM_Network_v6   | 192.168.6.254
    VM_Network_v7   | 192.168.7.254
    VM_Network_v8   | 192.168.8.254
    VM_Network_v9   | 192.168.9.254
    SAN_Network_v10 | 192.168.10.254
  • Is an Active/Passive configuration possible?

    3
    0 Votes
    3 Posts
    2k Views
    J
    Much appreciated - looking forward to 2.2
  • Different WAN IP pool for CARP shared IP

    4
    0 Votes
    4 Posts
    1k Views
    C
    It'll have to be changed to a /29 for the interconnect subnet. Generally not a problem to get your WAN-side subnet changed from /30 to /29. It's not an uncommon request, since it's typical of router redundancy protocols.
  • CARP with dedicated interoffice link

    2
    0 Votes
    2 Posts
    807 Views
    N
    I believe this is similar to the DMZ configuration mentioned in the book. I have another issue with subnets to solve, I shall share the results once done.
  • CARP with PPPOE

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Proxy Arp to bridge networks for layer 2 services?

    2
    0 Votes
    2 Posts
    892 Views
    jimpJ
    No. You can use proxy ARP to let a couple IPs in another segment appear on the LAN (though it's ugly) but you will not get layer 2 for (broad|multi)cast which is what that will want/need. For that you'll need to use IGMP proxy or Avahi or similar to get the interesting traffic to the other segment
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.