• CARP and OpenVPN not stable

    Locked
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Make sure you have the CARP VIP selected as the 'interface' for the VPN and not the actual interface (e.g. 'WAN'). When set that way, pfSense 2.0.2 and later will disable the VPN on the backup node until it becomes a CARP master.
  • CARP issues in new setup - two MASTERs and dropped CARP packets.

    Locked
    0 Votes
    8 Posts
    5k Views
    A
    @podilarius: Thank you for the update. Sure It does make you wonder: why does it (sometimes) then work when you explicitly permit all IGMP in, if the problem is at layer 2? I believe that the multicast "join IGMP group" and "leave IGMP group" messages must be interpreted somehow by the CARP peer causing it to properly fall into backup state.  These particular switches seem to 'lock' the particular port(s) out of an IGMP group for 260 seconds (default) following an IGMP group membership LEAVE request.  Very bizarre.  5 minutes later or so they start forwarding the packets again. Anyways, IGMP snooping isn't really a useful addition to this network so it can stay off. :)
  • VirtualIP, DHCP client and gateway monitoring not working

    Locked
    0 Votes
    2 Posts
    1k Views
    M
    Forgot to mention, pfSense version is 2.0.2-RELEASE. Marco
  • Failover and PPPoE

    Locked
    0 Votes
    4 Posts
    3k Views
    jimpJ
    That wouldn't work without some manual hacking and even then isn't likely to do what you really want/need. It might be best to set the modem to do PPPoE and then have it do 1:1/DMZ from the PPPoE WAN IP to a CARP VIP on the shared segment. Much less hacking, plus you get stateful failover. It does add another layer of NAT, but it may be unavoidable in this case.
  • Adding a new block of IPs

    Locked
    0 Votes
    7 Posts
    3k Views
    D
    Well, shucks.  Now I need to read up on IP Aliasing because I know nothing about it. Is it fair to assume that I can use that trick to add a separate block of IP addresses to my firewall as described in the first post? If so, then this is awesome – I don't need to either migrate to a big block of IPs I can't currently justify or add new ports to the primary firewall (and replace the secondary) for a second network drop – now I just need to find the time to reread my pfSense manual.  Well, I'll check to see if there's a current manual available...
  • Carp Backup pfsense - No internet access on hosts

    Locked
    0 Votes
    11 Posts
    10k Views
    P
    That is something that I missing, but it does say to change dhcp settings. Probably will be in the next version.
  • Multiple public IPs on single WAN

    Locked
    0 Votes
    5 Posts
    3k Views
    P
    Yup NAT reflection OR split DNS. I would choose split DNS. It is much faster than reflection.
  • Multiple (separate) firewalls on same network, weird "drops"

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • PfSense Failover, using VLANs on LAN interface, problems

    Locked
    0 Votes
    12 Posts
    14k Views
    P
    Have to manually set the gateway to CARP address but DHCP seems to work fine.
  • VIP - Global IP to a host? I am confused…

    Locked
    0 Votes
    7 Posts
    3k Views
    T
    Ahh… thanks. That was activated too due to open op for VOIP from several clients to same external gateway. I read that was needed to have two way sound.
  • VLAN vIP's not working.

    Locked
    0 Votes
    13 Posts
    5k Views
    P
    I think for CARP on ESX you have to have promiscuous mode turned on.
  • Using carp for 3x30 ips

    Locked
    0 Votes
    4 Posts
    2k Views
    A
    @Reiner030: ah on which IIRC net it is? (http://www.freenode.net/irc_servers.shtml if I guess right from http://irc.netsplit.de/channels/details.php?room=%23%23pfsense&net=freenode ?) Hi Reiner030, good guess, see http://www.pfsense.org/index.php?option=com_content&task=view&id=64&Itemid=72. @Reiner030: Yes, found this type of editing also nice to get the slave easy to be cloned… Idea/Question for this: Would be nice to have perhaps also a cut&paste synchronization for different fw pairs with mostly same configuration. Are there special format requirements for XML? Found editing aliases very problematic if you have dozens of IPs with comments in one big line... I don't understand what you mean with the cut&paste sync? I think you also have to clarify yourself about the special req for xml question. Or just try another editor: vim? ;-) @Reiner030: Would be nice to have an option like in the firewall rules: No XMLRPC Sync ( Hint: This prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave. ) or better an option like I am slave for this VIP Good idea!
  • Problem with load balancing

    Locked
    0 Votes
    16 Posts
    9k Views
    N
    ok, I will try this configuration thanks for your time, when I do the changes I will let you know. Maybe on sunday I will make them, because I cannot turn down the machine on the week…
  • Backup->master at random intervals

    Locked
    0 Votes
    5 Posts
    3k Views
    M
    solved i didn't get to the ios update part because i found the problem. spanning tree was converging at random times even though there were no topology changes. edited some stp costs, that did the trick.
  • PFsense Failover

    Locked
    0 Votes
    9 Posts
    4k Views
    N
    No, I have not tried to reboot them, I will try it later in the afternoon.
  • Problem Syncing Firewall Rules

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • BACKUP VIPs are as BACKUP/MASTER

    Locked
    0 Votes
    1 Posts
    931 Views
    No one has replied
  • How do i setup BT Business Infinity PPPoE with 5 Static IPs

    Locked
    0 Votes
    5 Posts
    8k Views
    C
    got it to work :P The answer happened to be my apache2 server that i was using for testing…. [still not bothered to fix that yet but meh] I was running packet captures with pings between me and a friend and watched the packets pass as expected… I then asked if he could ssh to the same IP and he instantly got hit with the user request screen :P For those who got confused with my other posts and need to work out how to get this far below is a summary of what I did. On the WAN interface: Type = PPPoE Username = [user].btclick.com pass = welcome123 Virtual IPs {i made 5 of these with all IPs in my range} Type = IP Alias Interface = WAN Address = x.y.z.193/29 1:1 NAT Interface = WAN External subnet IP = x.y.z.193 {one of my public IPs} Internal IP = 10.0.200.1 {one of my internal IPs} FireWall allowed any port from any source IP to port 22 on 10.0.200.1 Now i need to work out how to get openVPN to run off a VIP…..
  • Load balancing internal network service on CARP VIP

    Locked
    0 Votes
    2 Posts
    2k Views
    S
    Hi, I am sorry to post a question to your question, but it seems like you have solved the problem I am having in this post http://forum.pfsense.org/index.php/topic,59670.0.html (I can't figure out how to make load balance work from external network, or internal network at all). I might be able to help you with your problem: I had the same problem with not being able to access my webservers on the external domain name when I was on the internal network with the client. I unticked the following option in System -> Advanced -> Firewall / Nat -> "Disable NAT Reflection for port forwards". This box should be unchecked, and it should solve your problem (did for me). I can post a screenshot of it, if my description is hard to understand (my English is not perfect) :-) Now, can you help me with my problem?
  • Linking CARP VIP's?

    Locked
    0 Votes
    9 Posts
    4k Views
    jimpJ
    There is much more to it than that. Gateway status means nothing to CARP status. It's not something that you can assume has any relation whatsoever. In certain cases it might be close, but that does not make it a general solution. If there is a loss of connectivity, the slave will take over, but for the master to self-demote, it must lose link on an interface. (Or you can manually disable CARP of course)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.