• Rc.filter_synchronize not running automatically

    3
    0 Votes
    3 Posts
    1k Views
    N
    Well, it seems this saved the day:

    [2.1-RELEASE][admin@master]/root(20): pkg_add -r http://files.pfsense.org/packages/amd64/8/All/libevent-1.4.14b_2.tbz

    Definitely this is a bug.
  • VIP is set as Master on both nodes.

    6
    0 Votes
    6 Posts
    2k Views
    S
    I took a tcpdump of both interfaces; does this look normal?

    FW1
    00:00:00.000000 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001079 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001082 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001087 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001082 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001081 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36
    00:00:02.001085 IP 10.1.0.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0, authtype none, intvl 2s, length 36

    FW2
    tcpdump -i bce1_vlan101 -ttt -n proto CARP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bce1_vlan101, link-type EN10MB (Ethernet), capture size 96 bytes
    00:00:00.000000 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392086 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392088 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392093 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392085 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
    00:00:02.392089 IP 10.1.0.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100, authtype none, intvl 2s, length 36
  • Configuring CARP with Multiple WAN connections

    13
    0 Votes
    13 Posts
    4k Views
    S
    I figured this out, apparently if you make a gateway from the interfaces tab it can gain priority and cause your routing to break? Probably user error on my end but once I removed the gateway I was able to route traffic again. Thanks for your help.
  • Upgrade to carp and 2.1

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ
    It really is necessary to have the pfSense versions match up, otherwise you will have configuration sync and/or state sync issues. Otherwise, as has been stated, you don't need identical hardware or NICs, just an identical number of interfaces and to have them assigned in the exact same order on both.
  • Master / Slave problem

    2
    0 Votes
    2 Posts
    2k Views
    C
    Read this thread http://forum.pfsense.org/index.php/topic,67045.0.html
  • AT&T Metro E setup help needed

    4
    0 Votes
    4 Posts
    3k Views
    S
    So that part is working until I get to the public IP addresses that were assigned to me. 209.37.20.65/27 (made up the IP addresses but they are similar). I cannot figure out how or what I am doing at this point. This circuit has a block of IP addresses in the class C range that are supposed to be routed to the other public IP in the A class that they gave me. I tried putting in the 12.x.x.x IP address as the DG and using the first IP address in the C class as the IP on the WAN interface. I then put the remaining IP addresses as IP Aliases under CARP settings. I can ping the public IP addresses from the LAN side but cannot ping from a different circuit on the WAN side. When I do trace route it is one hop. In review: when I use the 12.x.x.x settings the circuit will start routing and work. Once I told the ATT rep that that was working he went ahead and assigned me the block of IP addresses in the class C range. So I assumed they use the 12.x.x.x to provision the circuit, test it out and then assign the real IP addresses, but using the Class C settings as I have for many years results in no surfing. The only thing I could get from the tech was I need to put the 12.x.x.x IP address as the DG. The graphic below is a sample config from a Cisco ![10-4-2013 7-47-15 AM.png](/public/imported_attachments/1/10-4-2013 7-47-15 AM.png)
  • Hyper-V & CARP

    2
    0 Votes
    2 Posts
    2k Views
    M
    Have you tried searching the forums? Believe it or not, you are not the first one to have these problems. :) http://forum.pfsense.org/index.php?topic=44529.0 CMB said this in the thread above: Microsoft finally dropped some code to provide proper FreeBSD support, which we'll integrate when we get to a base version that supports it (2.2). In the meantime, Hyper-V isn't a great option.
  • Is promiscuous mode also required for SYNC (pfSync and XMLRPC) interface?

    3
    0 Votes
    3 Posts
    1k Views
    L
    Hi ssheikh, thanks a lot for your swift reply! I'll ask to enable the promiscuous mode only for WAN, LAN and OPT1 (DMZ) interfaces, then. Kind regards, Luigi
  • Help please. i suspect something to do with carp but unsure

    5
    0 Votes
    5 Posts
    2k Views
    jimpJ
    Your NAT rules should not apply NAT to traffic originating from the firewall itself. (e.g. you do NOT want a source of "any" on NAT rules, but the LAN subnet or an alias of your internal subnets)
  • 4 IP addresses not working as CARP VIPs

    3
    0 Votes
    3 Posts
    2k Views
    S
    Found the answer –> http://forum.pfsense.org/index.php/topic,66838.0.html
  • Periods in the description of an alias

    1
    0 Votes
    1 Posts
    863 Views
    No one has replied
  • Carp, Multi-lan and bridges… again. (With images)

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VIP not originating address

    2
    0 Votes
    2 Posts
    1k Views
    N
    Well, the solution is the same :) You do SNAT to virtual IP. Create alias with the virtual IP, then do Outbound NAT: IF Source is your WAN_IP THEN Translate address to VIP_ALIAS
  • Dual WAN/Dual Device, Active/Active?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    It's not possible to utilize both CARP nodes at the same time for outbound traffic from the same internal systems. If your drops were done using LACP to a switch on WAN doing LACP, rather than direct to your individual nodes, it may work, but without two stackable switches there you'd lose some redundancy.
  • [SOLVED] VIP - Alias working, but there is no DHCP?

    3
    0 Votes
    3 Posts
    1k Views
    P
    @doktornotor:
    So you basically broke a working sensible setup to replace it with this horrible kludge? Uh. Either undo the harm you did, or stick everything on one subnet.

    I undid the harm by removing the Virtual IPs, and I did set the IP addresses for each interface since the Virtual IP routine didn't have enough options. So this pretty much solved the problem. Thanks.
  • Impossible to ping virtual ip of pfSense

    2
    0 Votes
    2 Posts
    2k Views
    S
    What about your firewall rules on the LAN interface? Have a look at this post: http://forum.pfsense.org/index.php/topic,63309.0.html
  • Secondary LAN IP (same subnet) for management?

    9
    0 Votes
    9 Posts
    3k Views
    Z
    @KurianOfBorg: Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it. There were no routes added manually to the system, so it has to be something with Racoon/ipsec and the way it "takes over" in a sense.
  • HA Sync vs CARP

    2
    0 Votes
    2 Posts
    1k Views
    C
    It's exactly the same as it was before, just with a more appropriate name and location. The config options and settings are all the same, the only difference is where the page is located and its name.
  • Partial reachability in redundant carp setup.

    3
    0 Votes
    3 Posts
    2k Views
    M
    How about using 1 pfSense only (without all the CARP things)... can 1 pfSense ping all the public IPs? If not, ISP problem; if yes, your pfSense CARP setup problem.
  • Manual outbound NAT VIP CARP issues

    2
    0 Votes
    2 Posts
    3k Views
    M
    Just trying to help…
    1. First, make sure on a single pfSense server you can go out to the internet:
       - enable automatic NAT, remove all the static NAT entries
       - configure your PC gateway to point to 192.168.1.252
       - make sure your pfSense WAN has its default gateway pointing to the router (I noticed your WAN gateway is in a different subnet???)
       Make sure step 1 is successful before proceeding to step 2.
    2. Repeat the above for the second pfSense server and point your PC gateway to 192.168.1.253.
    3. Configure CARP:
       - make pfSense server 1 Master on both LAN & WAN
       - point your PC gateway to 192.168.1.254... it should work...