Actually it depends on your setup…..automatic load balance not possible....but you can do manual redirect traffic to different pfsense server based on CARP priority on multiple VLANs setup.

@jimp: No, but that's not pfSense's fault, it's VMware. You can make a port group just for the ports of the firewall, and make that promiscuous, and then have another different port group for the clients that is not promiscuous. Thankx, works great.

@jflsakfja: I stand corrected on the backup sync settings then. If syncing certificates, wouldn't this also affect the webgui cert? (hostname on backup system is different than the master) Yes but that is easily solved by either using the same GUI cert for both, or by importing the cert from the secondary to the master before setting up the sync. Then re-select the correct GUI cert after the sync.

Thank you very much. I will try changing this options and tell you how it work.

If the CARP VIP is on the lagg interface, the link status of the lagg and thus CARP VIP should only flip if both NICs die.

If you have a Layer 3 switch, or any switch that supports VLAN and 802.1Q you can create additional LAN networks that can be individual /24's. I wouldn't suggest using a LAN block larger than a /24 as you can run into performance/stability issues with broadcasts overwhelming all hosts on the network. Instead, carve up that /22 into multiple blocks like so: 192.168.0.0/22: 192.168.0.0/24 - 192.168.0.1-254 192.168.1.0/24 - 192.168.1.1-254 192.168.2.0/24 - 192.168.2.1-254 192.168.3.0/24 - 192.168.3.1-254 This will also give you the ability to segment your network, and will make overall management easier. You can even split those /24 blocks into smaller network blocks so you can keep servers, management IP's, VIP's, VPN users, etc.. separate and firewalled across LAN's. For example, with the blocks above, we want to further segment the first block. First split them into two /25's: 192.168.0.0/24: 192.168.0.0/25 - 192.168.0.1-126 192.168.0.128/25 - 192.168.0.129-254 Then we can split the second block into two smaller, /26 blocks: 192.168.0.128/26 - 192.168.0.129-190 192.168.0.192/26 - 192.168.0.193-254 Yes you 'lose' a few IP's in each network for subnet, broadcast, and gateway IP's, but overall it's a great solution to optimally use your IP blocks. Hope this helps!

There's three ways to do this: 1. Create a 1:1 NAT which maps External IP 1 to Internal VM IP 1, and so on. Your VM's would have LAN addresses assigned to them and would sit behind the firewall. 2. Create a bridge connection between ISP and your XS farm. You will need an additional interface, VLAN or physical, and would have to place the internal bridge interface on your XS host/vlan. This isn't an optimal configuration so I wouldn't recommend it. 3. Ask the ISP to route traffic for your IP block to you via a transit link (preferably a private address subnet /29 or /30) and use your pfsense box to route traffic for your networks. You can create an internal LAN net, and a DMZ network as physical or VLAN interfaces (although I would recommend separate interfaces).

Hi, how about checking the switch where the pfsense connected and lastly the LAN card. If it's still the same after isolation above, try other motherboard. Hope this can help you. Thanks

its a goog idea to use alias ip with /32 on both server? the routing goes every time to the active firewall. if not we must nat on the upstream firewall.

Hi, I have solved the problem! You must begin with the subnet addresses! e.g. xxx.yyy.99.128/25 128 is my network subnet address 255 is my broadcast address 129 is the gateway 130 have i configured for the WAN2 Interface address 130/25 When I go to Virtual IP add „other” select dropdown „network“ and type xxx.yyy.99.131 /25 then only the first IP 131 work! When I type  xxx.yyy.99.128 /25 all works so if it should :-) Regards Andreas

So nothing you are aware of actually goes 10gb?

You have configured FW1 to sync its states via the SYNC interface, using the the LAN IP Address of FW2..  Leave this field blank on BOTH firewalls.  Also, you'll need to make sure that you have a rule on SYNC that permits pfSync traffic from SYNC subnet to SYNC Address. On any interface(s) with CARP, ensure that you specify a rule that says 'permit carp from LAN subnet to LAN address'. On your LAN, you may also want to add a 'permit tcp from LAN subnet to LAN address on port 519' to ensure that the DHCP Fail-over communications are permitted through. Other than that, it looks correct.

@brian.stivala Your additional VIPs inside the WAN subnet or LAN subnet should be CARP VIPs in this case, NOT proxy ARP or IP alias. @dotdash: Only CARP VIPS are sync'd. Alias IP's are not. You should add all your VIPs as CARP. If you have additional routed subnets, you may need to add an alias IP on the secondary subnet on each box, then add the rest as CARP. Not quite that simple. Proxy ARP - Never Syncs CARP - Always Syncs Other type - Always Syncs IP alias bound to normal interface - Will not sync IP alias bound to a CARP VIP as its interface - Will sync IP alias bound to localhost (2.1+) - Will sync See here: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

This is solved, and where actually surpricingly easy. Added the VIP as static IP, next I created an NAT rule, where the source = the DMZ network, and the NAT address is = VIP. Voila, solved. :) Now ingoing traffic to both IPs is working, and client and dmz have different outgoing IP addresses. cooool  ;D

why not assign a static IP to the management interface of ESX so that you can always connect to ESX. then configure your pfsense to boot first in ESX, and add a startup delay on the other VMs so that when they boot pfsense is already up?

Thank-you, Jim.  That was the issue - I needed to tighten up my NAT rule.