• Firewall Cluster

    Thanks
  • Carp_mac not working

    Hello, thanks for your reply! I'm using version 2.1.3. So, is there any configuration to send packets (at least ARP replies) with the VIP MAC address?
  • Broken VIP's after Interface Changes

    I think I know what's causing that, if you're referring to Interfaces > Assign. There was an edge case along those lines that's been fixed in 2.2. Could you try your config on a test 2.2 install and see if you can replicate it? I suspect not, but if so I'd like to look at it ASAP as we're nearing release candidate stage on 2.2.
  • Monitor CARPSYNC is working

    Hello viragomann, Thank you for your reply! I can see that notification is sent when CARPSYNC has issues. This is very helpful. Is there a command line way of checking that there is an issue? Thank you
  • Using different Public IP for Multiple Vlans

    @_Cyph3r_: Your post confused me a bit, because outbound NAT is not "gateway" based. Am I correct in assuming that:
      - you have a WAN interface with a public IP
      - you have a TestLAN interface with a private IP
      - you want traffic from the TestLAN towards the internet to originate as if it was the public VIP?
    An outbound NAT rule like this should do the trick:
      - Interface: WAN
      - Source: subnet(s) behind the TestLAN (e.g. 192.168.1.0/24)
      - Translation: your VIP
      - everything else left on default
    Can't comment on the failover, sorry.

    Thank you for your answer Cypher. Here is what I did this far:
    VIP - IP alias - this IP is in the same range as the WAN IP.
    Outbound NAT rule:
      - Interface: the interface mentioned above in the VIP conf.
      - Subnet: TEST_LAN subnet
      - Translation: the VIP mentioned above
      - Static Port: No
    Did the same for the ISAKMP one (just changed the translation in fact) but Static Port is at Yes.
    Firewall rule:
      - Protocol: any
      - Source: Test_LAN subnet
      - Destination: any
      - Gateway: the gateway of the WAN mentioned above.
    So now I can ping 8.8.8.8 or www.google.com, but I can't access http://www.google.com or any other website in a browser from the LAN. Also tried with another browser, no luck there.

    @Derelict: Thank you for your answer Derelict. If I understand well, I just have to configure an outbound NAT rule for each WAN interface on the TEST_LAN and when failover happens, it will just use the one corresponding to the actual WAN? Thanks.

    EDIT: We tried some other protocols; SSH works. I tried adding some outbound NAT rules stating that the target port is 80 and another for 443, didn't work. Also tried the same two rules with the static port option activated, didn't work either. It's strange, it seems to fail to map some ports, but 30022 (the modified SSH port we use) worked.
  • CARP DHCP Failover in VLANs

    The issue you described is caused in some circumstances with many instances. Pre-2.2, it restarts dhcpd 2-3 times on the secondary after syncing the config, which triggers some bug in ISC dhcpd that does exactly as you describe. That's fixed in 2.2.
  • CARP with 2 different subnet

    I'm sorry, I have two /26 subnets, not /29. I know that my subnets are different from each other, but how can I tell pfSense that? One solution I found is to create a second "WAN" interface with my second subnet (and its gateway). With this configuration, it's working! CARP is up everywhere (Ping, NAT & Outbound!). Only problem, the firewall logs are filled with VRRP advertisements (CARP announces from range A.B.C.192/26 on the X.Y.Z.192/26 interface and CARP announces from range X.Y.Z.192/26 on the A.B.C.192/26 interface). I really think it's a gateway problem: when I create an Alias IP, I can't tell it to use a specific gateway…
  • CARP Failover between firewalls

    Anything you do to either of a completely separate pair of systems won't impact a different pair. There are a variety of general network issues that could cause the described scenario, maybe routing to non-CARP IPs somewhere, among other possibilities.
  • Migrate from standalone to failover

    Awesome, that's exactly what I was expecting.  Just didn't want to burn a public IP address if I didn't have to.  Thanks for the help.
  • Help understanding VIP

    Similar issue with VIPs and 1:1 NAT. I've moved from a physical to a virtual (VMware 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 NATting working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN gateway. If I remove the 1:1 or disable it, then that guest is again able to ping my WAN gateway. I have my firewall wide open (any/any) on all interfaces, so I don't think it's a firewall rule causing this. Any ideas from the community would be great!
    SETUP:
    VIPs and 1:1 NATs
      1. 97.x.x.10/29 | 1:1 NAT = 192.168.5.1 (F5 APM Web Access)
      2. 97.x.x.11/29 | 1:1 NAT = 192.168.2.5 (2012 R2 RDS Gateway)
      3. 97.x.x.12/29 | 1:1 NAT = 192.168.2.4 (2012 R2 Web Server)
    Physical Interfaces (em0-em2)
      - EM0 (WAN) 97.x.x.13/29 (Gateway 97.x.x.9/29) <-- Lab WAN
      - EM1 (all VLANs from this) = EM1_vlan2 = 192.168.2.254 (tagged: VLAN 2)
      - EM2 HomeNetwork 192.168.100.254/24 (Gateway 192.168.100.1/24) <-- This goes to my home DD-WRT router
    9 VLANs / Layer 3 Gateways
      CoreNetwork_v2  | 192.168.2.254
      VM_Network_v3   | 192.168.3.254
      VM_Network_v4   | 192.168.4.254
      VM_Network_v5   | 192.168.5.254
      VM_Network_v6   | 192.168.6.254
      VM_Network_v7   | 192.168.7.254
      VM_Network_v8   | 192.168.8.254
      VM_Network_v9   | 192.168.9.254
      SAN_Network_v10 | 192.168.10.254
  • VIP & 1:1 NAT not working

    Resurrecting this thread - was not Charter ISP after all. :-X I've moved from a physical to a virtual (VMware 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 NATting working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN gateway. If I remove the 1:1 or disable it, then that guest is again able to ping my WAN gateway. I have my firewall wide open (any/any) on all interfaces, so I don't think it's a firewall rule causing this. Any ideas from the community would be great!
    SETUP:
    3 Physical Interfaces (em0-em2)
      - EM0 (WAN) 97.x.x.13/29 (Gateway 97.x.x.9/29)
      - EM1 (all VLANs from this) = EM1_vlan2 = 192.168.2.254 (tagged: VLAN 2)
      - EM2 HomeNetwork 192.168.100.254/24 (Gateway 192.168.100.1/24)
    9 VLANs / Layer 3 Gateways
      CoreNetwork_v2  | 192.168.2.254
      VM_Network_v3   | 192.168.3.254
      VM_Network_v4   | 192.168.4.254
      VM_Network_v5   | 192.168.5.254
      VM_Network_v6   | 192.168.6.254
      VM_Network_v7   | 192.168.7.254
      VM_Network_v8   | 192.168.8.254
      VM_Network_v9   | 192.168.9.254
      SAN_Network_v10 | 192.168.10.254
  • Is an Active/Passive configuration possible?

    Much appreciated - looking forward to 2.2
  • Different WAN IP pool for CARP shared IP

    It'll have to be changed to a /29 for the interconnect subnet. Generally not a problem to get your WAN-side subnet changed from /30 to /29. It's not an uncommon request, since it's typical of router redundancy protocols.
  • CARP with dedicated interoffice link

    I believe this is similar to the DMZ configuration mentioned in the book. I have another issue with subnets to solve; I shall share the results once done.
  • CARP with PPPOE

    No one has replied
  • Proxy Arp to bridge networks for layer 2 services?

    jimp: No. You can use proxy ARP to let a couple of IPs in another segment appear on the LAN (though it's ugly), but you will not get layer 2 for (broad|multi)cast, which is what that will want/need. For that you'll need to use IGMP proxy or Avahi or similar to get the interesting traffic to the other segment.
  • Enable Dynamic DNS when failing over to Backup

    I've just seen your post, if still interested try this:
    0) We are assuming that the first CARP VIP you have defined on both pfSense boxes is for the "master" (in normal condition) and the second VIP is for the "backup" (in normal condition). As a result, CARP interfaces are something like xxx_vip1 and xxx_vip2.
    1) Set up 2 DynDNS names, respectively the master and the backup FQDNs (be careful, the order matters), on both the "master" and the "backup" pfSense boxes. E.g.:
         pfbox1.dyndns.org (master pfSense)
         pfbox2.dyndns.org (backup pfSense)
    2) Modify file rc.carpmaster adding the following at the end of it:
         /* Start DynDNS for CARP nodes */
         /* $argv[1] is the VIP interface name (e.g. xxx_vip1); its last digit minus one indexes the DynDNS list */
         $config['dyndnses']['dyndns'][strval((int)(substr($argv[1], -1) - 1))]['enable'] = true;
         write_config();
         shell_exec("/etc/rc.dyndns.update");
    3) Modify file rc.carpbackup adding the following at the end of it:
         /* Stop DynDNS for CARP nodes */
         /* same index derivation as in rc.carpmaster, but the entry is disabled */
         $config['dyndnses']['dyndns'][strval((int)(substr($argv[1], -1) - 1))]['enable'] = false;
         write_config();
         shell_exec("/etc/rc.dyndns.update");
    Explanation: The above mentioned scripts trim the VIP interface name, extracting its interface number (e.g. "xxx_vip1" -> 1), which becomes an index to access each pfSense's DynDNS table, enabling/disabling the service update for the given box. So there should be a 1:1 relationship between the overall VIPs and the DynDNS sequence, with them defined in the same way on all the CARP boxes. Due to the current code, this trick can support up to 9 pfSense systems, with related VIPs and DynDNSes (tested on nanobsd 2.1.5-release i386).
  • VIP as a gateway?

    dotdash: Possibly obvious: The IPs are on different subnets and are unreachable from each other. Perhaps you have two subnets on the same wire, which is terrible, but I'm not here to judge. If so, did you create outbound NAT and firewall rules for the alias subnet? E.g.:
      rules, lan:
        lan net > any
        10.80.0.0/16 > any
      nat, outbound:
        wan 10.50.0.0/16 * * * * *
        wan 10.80.0.0/16 * * * * *
  • Easier way to add a C Class to PFsense instead of 1 by 1?

    All new stuff to me, could be how the ISP is doing it: they send us the /24 over a VLAN (in the same building as them). We used to have the /24 split between 2 offices and 3 routers; now though the C class is split between 2 separate routers, no CARP or anything. With that though, if we were able to get them to do as you 2 have suggested, how do I do NAT rules for specific IPs then if the IPs are not entered into pfSense? I just put the IP directly in the rule instead of first adding it into the Virtual IP area? Would that also not cause extra traffic to the routers, so when someone goes to say www.mycompany.com it will broadcast to both routers to see which responds? To add to that, in case I can not get them to set it up this way or it could cause problems (they have had problems doing simple things before), is there a way to "re-order" the virtual IPs into order by IP address? (yes.. OCD)
  • VIP / CARP on public WAN address not working

    Looks like my hoster (who is hosting a VMware vCloud for us) is blocking the traffic from the virtual MAC address. The traffic on the internal interfaces gets through because it is handled differently on the hypervisor's side. Any advice on alternative settings which will achieve the same thing? I'm not after hardware redundancy by itself; I was looking for a way that would let me upgrade my pfSense without downtime. Thanks for your help so far.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.