I think you're right, I was messing with promiscuous mode on virtualbox nics and everything started working some what  fine but still wasn't working as intended. What I wanted to do was set this up on my server which is running a virtual instance of pfsense for my network at home, lately my server has been having issues and I kept breaking stuff and the internet goes down for few hours; and it becomes difficult to fix things when you don't have the resources of the internet and have to rely on a mobile data plan from your phone. But anyways what I wanted to do was, I had a physical box which use to be my old pfsense router burning 80watts 24/7 which is why I went to virtual setup. Anyways I wanted to CARP to this box so I can take down the server for maintenance and still have internet and not interrupt anybody in the home, who may be playing video games, watching netflix so on. The server runs CentOS 6.5 with KVM, and pfsense utilizes virtio drivers. I can't find anything for promiscuous mode settings for KVM, even though a web search suggest to acknowledge that a promiscuous mode setting does exist. I just have no idea how yet, although I haven't dug deep into it yet.

You can probably swap out the cables without anyone noticing.  Do the backup box first, then disable CARP on the primary and change those too. If your NICs are all built in then I'd probably go to the switch next.  You may just have to declare a maintenance window on that one.

Had same issue yesterday. I was connected via OpenVPN to pfSense. The OVPN server is bound on a WAN CARP VIP and my web GUI is reachable on LAN address only. I just hit the button to add an interface and the VPN was broken. No way to get access from remote again. That's a bad circumstance if the firewall is more than 20 km away and it's late at night!    :- My pfSense is 2.1.1 Does anybody know if this behaviour just aply to bounded services on CARP VIPs or will it be the same if I bind OVPN on an IP Alias?

To the best of my knowledge, this is not a supported configuration. With that said….  you could try a crossed virtual ip configuration; however, without extensive testing, I'm not sure I would attempt to toss this into a production environment... On your LAN... FW1 = 192.168.0.3/24 FW2 = 192.168.0.4/24 CARPVIP1 = 192.168.0.1/24 (Active on FW1 - Skew FW1=0 / Skew FW2=100) CARPVIP2 = 192.168.0.2/24 (Active on FW2 - Skew FW1=100 / Skew FW2=0) Have DHCP on FW1 hand out .1 as Gateway, have FW2 hand out .2 as Gateway If either FW goes down, the VIP fails over to the other FW and responds for both gateway IP's..  You'll probably need to disable XMLRPC sync for the CARP VIPs and manually configure them. ...c

Great.  Thanks!

Thanks for the replies. I have installed both firewalls now, and as I went through the configuration process, it all became clear. Thanks again. :)

0/ Is the switch managed/VLAN capable? If not, go to shop. 1/ Huh? Bridging and isolation in one sentence? 2/ Where's the wireless magic thing? Cannot see any. 3/ Turn OFF the firewall on whatever you are pinging. 4/ Look at the firewall logs 5/ If you still have problems, you need to post your interfaces setup, firewall rules etc.

I got some help from the IRC pfSense channel and it seems to be working now (I tried it on my test environment). I was suggested to uncheck "System: Advanced: Miscellaneous: State Killing on Gateway Failure". It is a new feature and checked by default (although this means inactive, see description).

Using Oracle VirtualBox.

The way to monitor it: If the heartbeats stop being seen by the slave, it takes over as master. It's logged in the system log. If you want to decrease the sensitivity, increase the advbase on the VIPs. A higher base means that it will be less sensitive to a problem but it also takes longer to detect an outage.

@viragomann: VIPs must be defined as IP Alias an must hook up on a CARP interface address to function and be synchronized to backup. Not sure what you mean by this. I add VLAN interfaces to CARP clusters regularly and you don't have to do anything with IP Aliases. The procedure is roughly- Configure your switches with the new VLAN. Create the vlan on both primary and secondary. Assign the new vlan to a new interface, again on both primary and secondary. Configure the new interface on both boxes- eg: primary 10.20.30.2 secondary 10.20.30.3 From now on, you just need to configure the primary: Add a new CARP VIP (eg 10.20.30.1), configure the OB nat, firewall rules, etc.

drat, same issue here, but didn't fix it for me.  the moment I set this NAT rule I get nothing though.

@andrew4902: Do you know if that feature is planned for a future release? It should be possible on 2.2 @andrew4902: I can see valid IP's needed on the LAN side for management purposes but why are IP's even needed on the WAN side except for the 1 floating WAN IP since it will be the default path to the Internet anyways? Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server. So the single IP method may be valid, but still not ideal.

We tried the whole reboot it, and that's not solved it. We thought it may be a switch echo… but adding a port mirror shows that there are indeed 2 packets being transmitted. I don't know what’s going on here  ... I'm open to any suggestions. :-(

Hi Jason, Thanks for clarifying this to me, had some stuff wrong on the second box. Got that all fixed up now as you described, but still, the setup does not failover yet. There is 2 things I noticed, I don't know if it will tell you something but anyway: 1- I checked the CARP status while the first box's WAN was unplugged and the first box was still the "master". I guess that make sense in a way, since the LAN address still work fine. Do I need to add something in the CARP setting so that it checks the first box's WAN also? 2- When I go in the gateway status on the first box, the "GW_PF2 - LAN - 192.168.1.3" (If I take your example) always switch between "Online" and "Gathering data". What I mean there is that, if I keep refreshing the page, it always switch between the 2 modes. Any other idea? Thanks again for your time and your support!

I have tried this setup on two other pfsense boxes and it seems to work and passes traffic. Thank you for the help