That is something that I missing, but it does say to change dhcp settings. Probably will be in the next version.

Yup NAT reflection OR split DNS. I would choose split DNS. It is much faster than reflection.

Have to manually set the gateway to CARP address but DHCP seems to work fine.

Ahh… thanks. That was acticated too due to open op for VOIP from several clients to same external gateway. I read that was needed to have two way sound.

I think for CARP on ESX you have to have promiscuous mode turned on.

@Reiner030:

ah on which IIRC net it is? (http://www.freenode.net/irc_servers.shtml if I guess right from
http://irc.netsplit.de/channels/details.php?room=%23%23pfsense&net=freenode ?)

Hi Reiner030, good guess, see http://www.pfsense.org/index.php?option=com_content&task=view&id=64&Itemid=72.

@Reiner030:

Yes, found this type of editing also nice to get the slave easy to be cloned…
Idea/Question for this:

Would be nice to have perhaps also a cut&paste synchronization for different fw pairs with mostly same configuration. Are there special format requirements for XML ? Found editing aliases very problematic if you have dozen of IPs with comments in one big line...

I don't understand what you mean with the cut&paste sync? I think you also have clarify yourself about the special req for xml question. or just try another editor: vim? ;-)

@Reiner030:

Would be nice to have an option like in the firewall rules:

No XMLRPC Sync ( Hint: This prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave. )

or better an option like

I am slave for this VIP

Good idea!

ok, I will try this configuration thanks for your time, when I do the changes I will let you know. Maybe on sunday I will make them, because I cannot turn down the machine on the week…

solved

i didn't get to the ios update part because i found the problem. spanning tree was converging at random times even though there was no topology changes. edited some stp costs, that did the trick.

No, I have not try to reboot them, I will try it later in the afternoon.

got it to work :P

The answer happened to be my apache2 server that i was using for testing…. [still not bothered to fix that yet but meh]

I was running packet captures with pings between me and a friend and watched the packets pass as expected… I then asked if he could ssh to the same IP and he instantly got hit with the user request screen :P

For those who got confused with my other posts and need to work out how to get this far below is a summery of what I did.

On the WAN interface:
Type = PPPoE
Username = [user].btclick.com
pass = welcome123

Virtual IPs {i made 5 of these with all IPs in my range}
Type = IP Alias
Interface = WAN
Address = x.y.z.193/29

1:1 NAT
Interface = WAN
External subnet IP = x.y.z.193{one of my publicIPs}
Internal IP = 10.0.200.1 {one of my internal IPS}

FireWall
allowed any port from any source IP to port 22 on 10.0.200.1

Now i need to work out how to get openVPN to run of a VIP…..

HI,

I am sorry to post a question to your question, but it seems like you have solved the problem i am having in this post http://forum.pfsense.org/index.php/topic,59670.0.html (i cant figure out how to make load balance work from external network, or internal network at all)

i might be able to help you with your problem:
i had the same problem with not being able to access my webservers on the external domain name when i was on the internal network with the client, i UNticket the following option in System -> Advanced -> Firewall / Nat -> "Disable NAT Reflection for port forwards"
This box should be unchecked, and it should solve your problem (Did for me).
I can post a screenshot of it, if my description is hard to understand (my english is not perfect) :-)

Now, can you help me with my problem ?

There is much more to it than that. Gateway status means nothing to CARP status. It's not something that you can assume has any relation whatsoever. In certain cases it might be close, but that does not make it a general solution.

If there is a loss of connectivity, the slave will take over, but for the master to self-demote, it must lose link on an interface. (Or you can manually disable CARP of course)

@tmx:

i have an 3 Host ESX HA Cluster….  one pfsense VM each with an DRS separation rule...  but i'ts also just for fun ;)

If you're going to virtualize and use CARP I'd suggest using two VMs, both with FT enabled.  You can have the VM for the primary FW on box 1 with the FT copy on box 3 and the VM for the backup FW on box 2 with the FT copy on box 3.  With that setup you'd always have two pfSense nodes online, even due to a sudden hardware failure, without having to resort to 3 nodes and the downsides from that setup.

Hi,

perhaps this is nearby also my problem…

I want use Quagga for internal WAN failover with OpenVPN for local WLAN bridge between 2 buildings as mentioned here several times with nice tutorials/howtos.

Problem: when Quagga is running my master firewall can't accept virtual CARP IPs and NAT/route them to the internal server :(

Since I tried to "Disable Redistribution" to my public network Quagga disabled itself:
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Already ASBR
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Update
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:1]: Update
Feb 22 15:05:59 zebra[14603]: Zebra 0.99.21 starting: vty@2601

And aunt google cannot say annything to it…
The only thing I found out that ASBR ist the "autonomous system boundary router" and these messages cames normally only when ospfd is running multiple times.
But that is not the case and all OSPF nodes have different router ids as before, too.

Perhaps someone has a good idea onto this problem (running pfsense 2.0.1 beta version from Sunday).

Bests

Reiner

yes you can.

/sbin/routed seems to be the RIP Deamon and the file /etc/gateways seems keeping the options per IF…

can i start/kill RIP by using the rc.carpmaster/rc.carpbackup?
would it work simillar to this example:
http://community.spiceworks.com/how_to/show/25042-auto-start-stop-quaqqa-with-carp-in-pfsense

Ive done the following manualy tests:
scp the /etc/gateways from master to the slave, kill the routed PID on the Master, kill the master node, start /sbin/routed on the slave (new master) then checked the routing table on the new master...
Works!