got it to work :P

The answer happened to be my apache2 server that i was using for testing…. [still not bothered to fix that yet but meh]

I was running packet captures with pings between me and a friend and watched the packets pass as expected… I then asked if he could ssh to the same IP and he instantly got hit with the user request screen :P

For those who got confused with my other posts and need to work out how to get this far below is a summery of what I did.

On the WAN interface:
Type = PPPoE
Username = [user].btclick.com
pass = welcome123

Virtual IPs {i made 5 of these with all IPs in my range}
Type = IP Alias
Interface = WAN
Address = x.y.z.193/29

1:1 NAT
Interface = WAN
External subnet IP = x.y.z.193{one of my publicIPs}
Internal IP = 10.0.200.1 {one of my internal IPS}

FireWall
allowed any port from any source IP to port 22 on 10.0.200.1

Now i need to work out how to get openVPN to run of a VIP…..

HI,

I am sorry to post a question to your question, but it seems like you have solved the problem i am having in this post http://forum.pfsense.org/index.php/topic,59670.0.html (i cant figure out how to make load balance work from external network, or internal network at all)

i might be able to help you with your problem:
i had the same problem with not being able to access my webservers on the external domain name when i was on the internal network with the client, i UNticket the following option in System -> Advanced -> Firewall / Nat -> "Disable NAT Reflection for port forwards"
This box should be unchecked, and it should solve your problem (Did for me).
I can post a screenshot of it, if my description is hard to understand (my english is not perfect) :-)

Now, can you help me with my problem ?

There is much more to it than that. Gateway status means nothing to CARP status. It's not something that you can assume has any relation whatsoever. In certain cases it might be close, but that does not make it a general solution.

If there is a loss of connectivity, the slave will take over, but for the master to self-demote, it must lose link on an interface. (Or you can manually disable CARP of course)

@tmx:

i have an 3 Host ESX HA Cluster….  one pfsense VM each with an DRS separation rule...  but i'ts also just for fun ;)

If you're going to virtualize and use CARP I'd suggest using two VMs, both with FT enabled.  You can have the VM for the primary FW on box 1 with the FT copy on box 3 and the VM for the backup FW on box 2 with the FT copy on box 3.  With that setup you'd always have two pfSense nodes online, even due to a sudden hardware failure, without having to resort to 3 nodes and the downsides from that setup.

Hi,

perhaps this is nearby also my problem…

I want use Quagga for internal WAN failover with OpenVPN for local WLAN bridge between 2 buildings as mentioned here several times with nice tutorials/howtos.

Problem: when Quagga is running my master firewall can't accept virtual CARP IPs and NAT/route them to the internal server :(

Since I tried to "Disable Redistribution" to my public network Quagga disabled itself:
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Already ASBR
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Update
Feb 22 15:05:59 ospfd[14924]: ASBR[Status:1]: Update
Feb 22 15:05:59 zebra[14603]: Zebra 0.99.21 starting: vty@2601

And aunt google cannot say annything to it…
The only thing I found out that ASBR ist the "autonomous system boundary router" and these messages cames normally only when ospfd is running multiple times.
But that is not the case and all OSPF nodes have different router ids as before, too.

Perhaps someone has a good idea onto this problem (running pfsense 2.0.1 beta version from Sunday).

Bests

Reiner

yes you can.

/sbin/routed seems to be the RIP Deamon and the file /etc/gateways seems keeping the options per IF…

can i start/kill RIP by using the rc.carpmaster/rc.carpbackup?
would it work simillar to this example:
http://community.spiceworks.com/how_to/show/25042-auto-start-stop-quaqqa-with-carp-in-pfsense

Ive done the following manualy tests:
scp the /etc/gateways from master to the slave, kill the routed PID on the Master, kill the master node, start /sbin/routed on the slave (new master) then checked the routing table on the new master...
Works!

@Reiner030:

Hi,

upgrading can't help - I have same problem with pfSense 2.1. Beta1 … :(

I have a DMZ Setup for 2 buildings... the DMZ area is an public AS.
"Public" router pair on building 1 has the .1 and works great from all firewalls.
"Public" router pair on building 2 has the .254 and works lousely...

I first noticed it when my master router on building2 crashed and slave router was using the .254.
The only maschine who get a ping to the CARP IP was the slave itself. All other firewalls get not response.

Now when master is up again they got an answer but with different loss percentages between 18% and 52%.
The only packet-lossy machine is the holder of the .254. (even the slave has losses) :(
Important: other way works all completely packet-lossy so there can't be local networking problems
(it's an VLAN, all other normal traffic has also no problems).

Sorry, found out my problem of this post…
Other admin transferred my testing VM to another ESX server which wasn't "fixed" several days before this errror behavior so I didn't remembered it:
http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users

Perhaps this troubleshooting page helps origin poster, too ...

Bests

Reiner

IIRC with Shaw your static IP assignment is on the modem and there aren't any MAC restrictions, but it's worth experimenting (I'd check packet captures instead personally).

Thanks Chris but we are using a fully routed setup. Changing default gateway breaks connectivity. Is what I'm trying to achieve possible in a routed configuration?

I  have never tried it, but I guess you could use xmlrpc sync to only sync dns. I don't have 2 free machines ATM to test.

No one?

Nailed IT

I forgot something … the WAN vSwitch in my ESXI wasn't set to properli for the carp.
Promiscuous mode accepted

(but was correctly set for the LAN)

Crap … had it reversed sorry. (in reference to ping.) ... Where's the coffee!!!

In the 1:1 rule are you putting in a value for the Destination field?

in vmware i had to enable promiscuous mode in the vswitch to get carp working, or else i would run into the same problems as you are describing.

sadly i don't know where the equivalent for this setting is in hyper-v.

solved

sigh, it always helps when you take a seat, write your problem down on a piece of paper (in this case forum).

firewall-virtual IPs, edit the carp address, "advertising frequency #"

now i just need to press edit, type 5 and then save about a 100 times. :)