@tmx: i have an 3 Host ESX HA Cluster….  one pfsense VM each with an DRS separation rule...  but i'ts also just for fun ;) If you're going to virtualize and use CARP I'd suggest using two VMs, both with FT enabled.  You can have the VM for the primary FW on box 1 with the FT copy on box 3 and the VM for the backup FW on box 2 with the FT copy on box 3.  With that setup you'd always have two pfSense nodes online, even due to a sudden hardware failure, without having to resort to 3 nodes and the downsides from that setup.

Hi, perhaps this is nearby also my problem… I want use Quagga for internal WAN failover with OpenVPN for local WLAN bridge between 2 buildings as mentioned here several times with nice tutorials/howtos. Problem: when Quagga is running my master firewall can't accept virtual CARP IPs and NAT/route them to the internal server :( Since I tried to "Disable Redistribution" to my public network Quagga disabled itself: Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Already ASBR Feb 22 15:05:59 ospfd[14924]: ASBR[Status:2]: Update Feb 22 15:05:59 ospfd[14924]: ASBR[Status:1]: Update Feb 22 15:05:59 zebra[14603]: Zebra 0.99.21 starting: vty@2601 And aunt google cannot say annything to it… The only thing I found out that ASBR ist the "autonomous system boundary router" and these messages cames normally only when ospfd is running multiple times. But that is not the case and all OSPF nodes have different router ids as before, too. Perhaps someone has a good idea onto this problem (running pfsense 2.0.1 beta version from Sunday). Bests Reiner

yes you can.

/sbin/routed seems to be the RIP Deamon and the file /etc/gateways seems keeping the options per IF… can i start/kill RIP by using the rc.carpmaster/rc.carpbackup? would it work simillar to this example: http://community.spiceworks.com/how_to/show/25042-auto-start-stop-quaqqa-with-carp-in-pfsense Ive done the following manualy tests: scp the /etc/gateways from master to the slave, kill the routed PID on the Master, kill the master node, start /sbin/routed on the slave (new master) then checked the routing table on the new master... Works!

@Reiner030: Hi, upgrading can't help - I have same problem with pfSense 2.1. Beta1 … :( I have a DMZ Setup for 2 buildings... the DMZ area is an public AS. "Public" router pair on building 1 has the .1 and works great from all firewalls. "Public" router pair on building 2 has the .254 and works lousely... I first noticed it when my master router on building2 crashed and slave router was using the .254. The only maschine who get a ping to the CARP IP was the slave itself. All other firewalls get not response. Now when master is up again they got an answer but with different loss percentages between 18% and 52%. The only packet-lossy machine is the holder of the .254. (even the slave has losses) :( Important: other way works all completely packet-lossy so there can't be local networking problems (it's an VLAN, all other normal traffic has also no problems). Sorry, found out my problem of this post… Other admin transferred my testing VM to another ESX server which wasn't "fixed" several days before this errror behavior so I didn't remembered it: http://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#VMware_ESX.2FESXi_Users Perhaps this troubleshooting page helps origin poster, too ... Bests Reiner

IIRC with Shaw your static IP assignment is on the modem and there aren't any MAC restrictions, but it's worth experimenting (I'd check packet captures instead personally).

Thanks Chris but we are using a fully routed setup. Changing default gateway breaks connectivity. Is what I'm trying to achieve possible in a routed configuration?

I  have never tried it, but I guess you could use xmlrpc sync to only sync dns. I don't have 2 free machines ATM to test.

No one?

Nailed IT I forgot something … the WAN vSwitch in my ESXI wasn't set to properli for the carp. Promiscuous mode accepted (but was correctly set for the LAN)

Crap … had it reversed sorry. (in reference to ping.) ... Where's the coffee!!!

In the 1:1 rule are you putting in a value for the Destination field?

in vmware i had to enable promiscuous mode in the vswitch to get carp working, or else i would run into the same problems as you are describing. sadly i don't know where the equivalent for this setting is in hyper-v.

solved sigh, it always helps when you take a seat, write your problem down on a piece of paper (in this case forum). firewall-virtual IPs, edit the carp address, "advertising frequency #" now i just need to press edit, type 5 and then save about a 100 times. :)

So here's what I ended up doing. Since the setup was basically the same as another setup I had done that was working, I figured I'd just mimic that and hope for the best. I don't have the failover configured yet, but here's what I have. ISP Gateway (x.x.157.17/29) <-> pfSense WAN (CARP x.x.157.18/29) <-> pfSense LAN (CARP 10.205.154.66/21) 1:1 NAT x.x.154.66/26 -> 10.x.154.66/26 x.x.210.0/23 -> 10.x.210.0/23 NO VIPs (outside of the CARP WAN and CARP LAN) I guess since my ISP routes the two subnets (above) to x.x.157.18 as the "next hop", pfSense automatically handles those requests since they match the external IP address of the 1:1 NAT entries. This works out nicely, since I can't see any reason why the subnets wouldn't fail over to the secondary server because neither server is "advertising" that they control the subnets; they just utilize the 1:1 NAT to map them after they receive the packet. Before I finalized this setup, I took a look at the "Other" and "IP Alias" VIPs, and I noticed those can only be done on individual IP (same thing for CARP). This obviously wouldn't have worked for my setup, because I have well over 500 IP addresses.

Hi, Thanks for that clue podilarius, after looking at the state table I noticed ICMP packets from pfsense to the 192.168.3.1 WLAN router were going via the LAN 192.168.0.1 vip. This led me to the Manual Outbound NAT rules and I had a rule there saying: "WLAN 192.168.3.0/24 * * * 192.168.0.1 * NO"  (WLAN to vip1 LAN) Removing this fixed it! I had to remove stale states from the state table manually too for changes to take effect immediately as the gateway status still showed the 192.168.3.1 router as being down (through apinger). I also didn't have a default gateway set on the backup so setting that fixed the routing tables. And on a slightly different note, my 192.168.2.1 adsl modem/router didn't pass multicast over it's switch (they're just getting too clever and locked down these days!) so I had to put in another unmanaged switch inbetween to allow vip2 interfaces to switch from master->backup properly, (as stated in the sticky, but I had to read that more than a few times before it sank in!) Looks like it's ok now, thanks for the help! Best Regards, Vent

Yes, MASTER/BACKUP status changes are logged (and mailed to me \o/). I am using these network cards: Intel Pro/1000 PT Quad Port LP Server Adapter. PfSense finds them as em0, em1, em 2 and em3. Thanks again :)