That took care of it. Thanks!

locking this duplicate post, don't post the same thing twice.

In 2.0.1 and 2.1, if you have interfaces setup with a manual address, then pfsense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules.

If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).

You can, yes. Definitely not recommended (mostly for security reasons). Forced to choose, LAN, never WAN.

I'll have a look this weekend how severe such a change would be and if with my PHP skills I consider it practial, I'll do it.

Found the problem.  The switch did not have the vlan created, even though it was listed in the Port Channel.

Ideally? You would want 2 ports 2 different (redundant/stacked) switches, so that if one of those goes down, it doesn't take down your WAN.

If you "throw one switch in front of the two boxes" your creating another SPOF…

Yep

Hey Jim,

That appears to have worked great!  Everything ran fine through my tests, both Master and Backup.  Thanks very much for your help.  Much appreciated.

Aaron

Hi jimp,

Wouldn't it be prudent for pfsense to have a CARPaware IGMP client? So it can correctly register its multicast membership with the local switch? This would allow CARP on pfsense to become compatible with IGMP Snooping. It might also lift the requirement on ESXi to set the VDS port group in promiscuous mode. I know Windows 2k8 R2 NLB (Network Load Balancer) uses multicast together with an IGMP client, and that runs just fine without compromising security in promiscuous mode.
Maybe a feature request?

Thanks for sharing your thoughts!
Jori Huisman

Yes it does support and use search. you'll find a lot of discussion.

Excellent; I should have known.  Ya'll are all over everything else. ;D

Sadly I would have to switch to one of my ISPs business offers. That would cost more than the double and deliver some telephony service I'd have to pay but would not use. Anyway, as I found no clean way doing this with pfSense, I tried to verify that setup with OpenBSD and I'll stick with that for now. Using ifstated together with CARP you can simply ifconfig down the external interface automatically so it will not interfere with anything on the outside.
It's a pity I'm not really good at anything related to programming but a shell little scripting, otherwise I would try to implement some system triggers (i.E. Disable Interface X) in case of CARP failover for pfSense. I really like pfSense, it's the best Open Source Firewall distribution there is. Maybe someone else likes the idea and does implement it ;)

@Falko:

now to the questions:

can i use multiple CARP VIP as a base for a 1:1 NAT? (i need 10-20 1:1 NAT ip addresses)

Yes.

@Falko:

is it more useful to use multiple default gateways (iproute2) in the linux machines or a set of shared LAN CARP VIP? (one for each VLAN)

Having multiple default gateways on the Linux machines will introduce complications unless you're doing policy routing within Linux. Without policy routing, you'll have issues because only one default gateway will be used, and that will route return traffic out the wrong way in some cases. Single homing everything is easiest for that reason.

@Falko:

do i need a specific switch support/configuration to enable the in/outbound CARP VIPs? (i have a cisco switch)

If it's a real Cisco switch and not a Linksys Cisco, should be fine. The Linksys Cisco switches at times have security-related settings enabled that break multicast. It's also possible to break multicast on a real Cisco switch but such configs are very uncommon.

@Falko:

i using LACP ports with CARP a problem?

no, lots of people do that.

Podialrius,

Thanks so much for your time and help.

The APs were set up there some time ago and not certain why things changed but they did. One good thing, guests can't try and hack the APs when they can't see the webgui or their IP. We can access them but just a heck of a lot easier if it was simpler.

I did not see in the 1.2.3  advanced page anything about bypassing firewall rules. Still need them and NAT for everything else this box is doing.

Will probably move the net back to 50.X. Less hassle other than an occasional attack against one of the APs.

John

solved the problem, was a corruption between packages on the 2 firewalls. removed the packages and the problem was fixed. Seemed to be the squid packages but due to some testing between squid and squid reverse. They were no longer needed.

Scratch this topic. My co-lo provider was handing BGP to us incorrectly. They've since configured it to hand off to us correctly, so I am no longer confused.