Thanks. I've been trying to figure out why NTP was unable to reach our NTP servers, and using ntpq I'd determined that dstadr was set to a guest interface. Having now selected both interfaces in the NTP config page, my pfsense box can now reach our NTP servers, and clients on the guest interface can reach the pfsense NTP server.

Interfaces > (assign) Make sure all interfaces exist on both units and have been assigned in the correct order. That behavior can be seen when you have interfaces out of order on one system. Also make sure their internal names line up, e.g. OPT3 on primary is the same as OPT3 on the secondary. You might have to edit config.xml on the backup to fix the order properly in some cases

Hi jimp, Thank you for the quick answer. When I added 'firewall rule' and 'Outbound NAT rule' it works! But now it works only https sites. Not others. Please help. Thanks in advance Sabir

I could get the manager permission to take the service down for a couple of minutes. I restarted pfSense from Diagnostics -> reboot and now everything works fine as it is expected.

One additional question about this thread..  And yes, I'm also talking about a home environment, and yes, it's only because I'm a techie and it's fun!  :-) In the docs, it says that you need a REAL WAN address for each CARP participant, and in the diagram it does show "real" addresses. On my cable modem setup, I have the ability to do DHCP to get a 10.x address from the cable modem, and I have five REAL addresses that I have setup as secondary addresses on my pfsense.  The real addresses of course have a different default gateway than the 10.x gateway on the DHCP interface… My first question is whether I lose the ability to do inbound NAT/PAT on two real addresses if I use one for each of two CARP nodes, or if use of the address for CARP wont stop me from using those addresses for inbound traffic at the same time. I am assuming that CARP will take those addresses and stop me from using them otherwise, so my second question is whether PFSense will let the CARP addresses both be DHCP 10.x addresses, so long as they can communicate together on that address and they have the same gateway?  I am allowed by Comcast to have multiple 10.x addresses via DHCP, and I'd prefer to use that for CARP if I will lose the ability to use the IPs for other than the CARP process. Thanks, and sorry for my newbie, non carp-understanding question!! -Steve

Hello voluhar, Could you explain a little bit better what do you need and what do you need to do? I can't undestand what you mean when you talk about: I have strange situation where I have to map 10.0.1.0/24 -> 192.168.1.0/24 OPT1 10.0.2.0/24 -> 192.168.1.0/24 OPT2 10.0.3.0/24 -> 192.168.1.0/24 OPT3 what is the 10.X and 192.168.X ? Best Regards   Francesco Capuano

CARP is done at the IP level.  It doesn't matter how many interfaces each system has.

Yeah, you either have to add an intermediate router or have the provider adjust. Perhaps they could route the /27 directly without the /30 transit network.

Old problem and seems that no one cares… Anyway... I've reinstalled slave router from scratch some time ago and it was working just fine for about two weeks. Now lighttpd stops working on it few seconds after restart (both, web configurator restart and system reboot). It gives error 500 when trying to access and logs are filled with entries like: Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.3329) response not received, request sent: 871 on socket: unix:/tmp/php-fastcgi.socket-0 for /firewall_aliases.php?, closing connection Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.2543) unexpected end-of-file (perhaps the fastcgi process died): pid: 47576 socket: unix:/tmp/php-fastcgi.socket-0 and then Dec 23 09:02:20 lighttpd[47357]: (network_openssl.c.118) SSL: 5 -1 1 Operation not permitted Dec 23 09:02:20 lighttpd[47357]: (connections.c.637) connection closed: write failed on fd 22 BTW, are there any updates to 2.1 STABLE? I'm on "built on Wed Sep 11 18:17:37 EDT 2013" and it says "You are on the latest version."

No, you cannot to failover or CARP with a /30 on any currently released version. With a /30 you only have one IP, the ISP uses the other, so there isn't even an IP for a second node to function. On 2.2 that should be possible but not ideal, but that's a long way off.

@miloman: did you reboot your esxi host after enabling promisc mode? i had reboot my esxi but I still have a high cpu load  :(

Checking my friend!!!

Wy don't you just isolate your master on a switch not connected to your production network?