Pushing 1Gbit/s through FW+NAT isn't very hard.  A modern Celeron or i3 will have no issues. What exactly are the "network issues" that you're experiencing?

I found a workaround which is not ideal but allows me to move on. I noticed that in fact i couldn't ping the LAN VIP if i was connected in WiFi to the active CARP appliance. So basically instead of having two active hotspots, I just had to make sure the hotspot was disabled on the active CARP appliance. To do so here is what I did: 1 - Modify /etc/devd.conf to point to custom rc.carp scripts ... # CARP notify hooks. This will call carpup/carpdown with the # interface (carp0, carp1) as the first parameter. notify 100 {     match "system"          "IFNET";     match "type"            "LINK_UP";     match "subsystem"          "[a-zA-Z0-9_]+_vip[0-9]+";     action "/etc/rc.carpmaster.custom $subsystem"; }; notify 100 {     match "system"          "IFNET";     match "type"            "LINK_DOWN";     match "subsystem"          "[a-zA-Z0-9_]+_vip[0-9]+";     action "/etc/rc.carpbackup.custom $subsystem"; }; ... 2 - Create /etc/rc.carpmaster.custom #!/bin/sh /etc/rc.carpmaster $1 ifconfig ath0_wlan0 down /usr/local/sbin/pfSsh.php playback svc restart racoon 3 - Create /etc/rc.carpbackup.custom #!/bin/sh /etc/rc.carpbackup $1 ifconfig ath0_wlan0 up So basically, when an appliance becomes master: It runs the usual carp scripts It disables the hotspot It restarts racoon (to make sure IPSEC connection are restarted) when an appliance becomes master: It runs the usual carp scripts It enables the hotspot Having the same SSID and both appliance not too far from one another makes it almost transparent to end-users (about 30 seconds service interruption in case of a CARP failover).

AFTER your box is up and running (not so well as you write), call the ISP and ask them to clear the cable modem's ARP table.  If it starts working (for a little while), then you are seeing the same thing I'm seeing which only started within the last few weeks. Somehow, the router in the cable modem puts the interface's actual ip in its ARP table with the first VIP mac address.  Then, it puts the VIP's mac address in it's table for the pf router's actual interface card ip. The result is no traffic gets through.  Traffic addressed on the link to the vip has the interface address and so it gets dropped.  Traffic addressed to the VIP on the link has the interface's IP and that gets dropped.  I still don't have an answer.

This turned out to be a simple mistake on my part combined with a UI problem. When creating the SYNC interfaces - I had clicked "Insert my local MAC address" in the MAC address field, thinking it would populate using the NIC's MAC address, not the machine I am logging in from. When I realized it didn't, I blanked the field, assuming it would revert to its own MAC if the field was blank. Not so. My originally entered MAC address remained with the interface even after the field was blanked and saved, resulting in a loop. Changing the MAC addresses such that they do not conflict solved the issue.

1- Provided they are used with a CARP VIP or subnets routed to a CARP VIP, yes 2a- Yes, CARP VIP or IP alias w/CARP VIP as its interface 2b- Yes, provided your routed subnet is routed via your CARP VIP 3- Proxy ARP won't work with failover, it would cause an IP conflict. All it does is listen for ARP requests for the IPs it is given and answer with the firewall's MAC on the appropriate interface. That's really all there is to it.  See here for more info.

This is also related to hiding everything behind the CARP VIP: You don't want to use the CARP VIP to do the gateway pinging, otherwise your CARP BACKUP hosts won't know if they are connected. The pings go out, but with the source address rewritten as the CARP VIP so the ping responses come back to the VIP, not the CARP BACKUP host. So you need to add a NO NAT for these ping packets to make the gateway pinging work properly.

yes, you can submit a feature request (don't assign it or give it a target though).

I've figured it out!  Despite looking like everything is fine after hitting apply, the system acts really strangely until you disable CARP and reenable.

Yes you just have to ensure you use a different VHID for each VIP on the same interface

Thanks. I've been trying to figure out why NTP was unable to reach our NTP servers, and using ntpq I'd determined that dstadr was set to a guest interface. Having now selected both interfaces in the NTP config page, my pfsense box can now reach our NTP servers, and clients on the guest interface can reach the pfsense NTP server.

Interfaces > (assign) Make sure all interfaces exist on both units and have been assigned in the correct order. That behavior can be seen when you have interfaces out of order on one system. Also make sure their internal names line up, e.g. OPT3 on primary is the same as OPT3 on the secondary. You might have to edit config.xml on the backup to fix the order properly in some cases

Hi jimp, Thank you for the quick answer. When I added 'firewall rule' and 'Outbound NAT rule' it works! But now it works only https sites. Not others. Please help. Thanks in advance Sabir

I could get the manager permission to take the service down for a couple of minutes. I restarted pfSense from Diagnostics -> reboot and now everything works fine as it is expected.

One additional question about this thread..  And yes, I'm also talking about a home environment, and yes, it's only because I'm a techie and it's fun!  :-) In the docs, it says that you need a REAL WAN address for each CARP participant, and in the diagram it does show "real" addresses. On my cable modem setup, I have the ability to do DHCP to get a 10.x address from the cable modem, and I have five REAL addresses that I have setup as secondary addresses on my pfsense.  The real addresses of course have a different default gateway than the 10.x gateway on the DHCP interface… My first question is whether I lose the ability to do inbound NAT/PAT on two real addresses if I use one for each of two CARP nodes, or if use of the address for CARP wont stop me from using those addresses for inbound traffic at the same time. I am assuming that CARP will take those addresses and stop me from using them otherwise, so my second question is whether PFSense will let the CARP addresses both be DHCP 10.x addresses, so long as they can communicate together on that address and they have the same gateway?  I am allowed by Comcast to have multiple 10.x addresses via DHCP, and I'd prefer to use that for CARP if I will lose the ability to use the IPs for other than the CARP process. Thanks, and sorry for my newbie, non carp-understanding question!! -Steve

Hello voluhar, Could you explain a little bit better what do you need and what do you need to do? I can't undestand what you mean when you talk about: I have strange situation where I have to map 10.0.1.0/24 -> 192.168.1.0/24 OPT1 10.0.2.0/24 -> 192.168.1.0/24 OPT2 10.0.3.0/24 -> 192.168.1.0/24 OPT3 what is the 10.X and 192.168.X ? Best Regards   Francesco Capuano

CARP is done at the IP level.  It doesn't matter how many interfaces each system has.