Yeah, you either have to add an intermediate router or have the provider adjust. Perhaps they could route the /27 directly without the /30 transit network.

Old problem and seems that no one cares… Anyway... I've reinstalled slave router from scratch some time ago and it was working just fine for about two weeks. Now lighttpd stops working on it few seconds after restart (both, web configurator restart and system reboot). It gives error 500 when trying to access and logs are filled with entries like: Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.3329) response not received, request sent: 871 on socket: unix:/tmp/php-fastcgi.socket-0 for /firewall_aliases.php?, closing connection Dec 23 09:02:20 lighttpd[47357]: (mod_fastcgi.c.2543) unexpected end-of-file (perhaps the fastcgi process died): pid: 47576 socket: unix:/tmp/php-fastcgi.socket-0 and then Dec 23 09:02:20 lighttpd[47357]: (network_openssl.c.118) SSL: 5 -1 1 Operation not permitted Dec 23 09:02:20 lighttpd[47357]: (connections.c.637) connection closed: write failed on fd 22 BTW, are there any updates to 2.1 STABLE? I'm on "built on Wed Sep 11 18:17:37 EDT 2013" and it says "You are on the latest version."

No, you cannot to failover or CARP with a /30 on any currently released version. With a /30 you only have one IP, the ISP uses the other, so there isn't even an IP for a second node to function. On 2.2 that should be possible but not ideal, but that's a long way off.

@miloman: did you reboot your esxi host after enabling promisc mode? i had reboot my esxi but I still have a high cpu load  :(

Checking my friend!!!

Wy don't you just isolate your master on a switch not connected to your production network?

I would recommend the Mikrotik RB260GS switch. Can mirror multiple ports to one sensor port and supports vlans. http://wiki.mikrotik.com/wiki/SwOS

CARP VIPs are always single host addresses. The subnet mask on a CARP VIP must match the parent subnet. So if you WAN is x.x.x.a/28, then your CARP VIP must be (for example) x.x.x.b/28 – it's still just one IP. It's not like proxy ARP where it makes a bunch of IPs if you pick a larger mask.

I believe this is where i should be looking Load balancer (hinted from here http://forum.pfsense.org/index.php/topic,68769.0.html)

The way that I have been able to get this working is to Create a VIP on a separate subnet, then I have a Rule that allows any traffic to that Subnet to the VIP. Since the LAN Traffic is on the same private space interface the traffic can flow between the two. Just make sure you allow ANY ANY Traffic between the two DMZ's  then any Server/Client on DMZ-1 can talk to the VIP on DMZ-2 that is a Load Balancer that points to Servers in DMZ-1 Subnet… seems a bit wonky but it works.. the biggest problem with allowing traffic to flow out the same interface and then back in.. NO Load balancer will allow this.. so you have to create another subnet for it to route to... even if the servers behind the Load Balancer are on the same subnet. Good luck!

It does but you need to manually handle the VIP settings because they can't sync automatically. Also the DHCP failover setup doesn't support 2+ peers IIRC.

@craggy: How long should it take for a secondary firewall to take over the CARP VIP and start passing traffic again when the master is shutdown or rebooted? We have set up a secondary pfSense cluster in a new Data Center and the failover times are about 10 seconds with 5 to 10 ping drops and a very obvious pause during the switchover phase whereas at our primary site our pfSense cluster fails over in about 2 seconds with usually only a single ping dropped and is generally unnoticed. Both sites are identical, VMware esxi 5.1, hp bl460c blades, same HP VC networking etc. Only difference is the data centre. My boxes are instant; I've got a failing box and it needs a reboot every few days. If you're seeing 10 seconds then it might be something about being virtualized or maybe you've changed the base & skew settings.  For base & skew I use 0/1 on the primary and 0/100 on the secondary.

Nevermind…was a cabling problem - all is working