Thanks Perry

Have switched better all mine PC and VoIP to LAN Subnet 192.168.2.0/2 and use LAN Gateway 192.168.2.101 from HP pfSense.
Works excellently. Now must I more learn about pfSense.

No PPPoE, no DHCP, all statically.

Have in

/etc/rc.conf

ifconfig_msk0="inet 192.168.2.3 netmask 255.255.255.0"

pfSense

defaultrouter="192.168.2.101"

ADSL Modem

#defaultrouter="192.168.1.110"

Cool thanks I can confirm this working.

When enabled, everything That pass through firewall will be nated using interface address. Just like the rule created to wan when you selecet outbound.

It's done on pf level, not in gui.

I got a chance to power cycle the Master today.  That did not help.  Since this problem started occurring after upgrading to 2.0.1, I'm tempted to open a bug report.  The issue seem to relate to the number of states we are running.  We had been setup (by default I think) for 388K states.  As we were running as much as 350K states I changed the systems to support 800K states - that seems to have made the problem a little worse.  I cannot see a way to configure my way out of this issue, I believe the hardware and physical layer are working properly (can't find any problems there).  Any other thoughts from the community are appreciated.

@jimp:

Ah, the 'carp' bit was probably left over from 1.2.3 and not updated. If you just use "vip" it may work also.

That file isn't written from the GUI, it's just there on the install. It would be overwritten during an upgrade, but it's left alone otherwise.

That explains a lot.

I use explecit vip1 because we also have a vip2 and that may not trigger the bridge port to UP or DOWN.

That should work exactly as you describe, though you will need to make sure your firewall rules on that interface will pass traffic from the new subnet.

I've done that several times

@network1:

What i've done is gone to Virtual IP's > Created a new IP Alias and Assigned it to WAN CARP interface. This has replicated over onto my other box so presume this is the way to do it?

assign a valid ip on each wan interface
configure sync between pfsense boxes(use a dedicated interface for sync or a vlan)
go on firewall-> virtual ip and add a carp ip(not an ip alias) with the same subnet you configured wan interface

Performance isn't relevant to VIPs. It's best to have the bigger subnet routed to an IP in your smaller subnet, but VIPs generally fine too, though that gives you less flexibility on using the second subnet.

Should work fine in Player since it's the same as Workstation from the hypervisor perspective.

i see.. okay, thank you very much…

Taking a second look through everything, turns out I had the problematic vlans assigned to the wrong interface in pfSense. Once I got that straightened out, everything started working.

facepalm

Thanks again for the help.

Hello jimp,

Luckily i am running 2.0.1 so that is all good.  I double checked the IP's and found i was using the failover interface address and not the address of the backup in each VLAN.  I have changed this and all is now working.

Cheers

Alan

I responded to the thread on 1. Easy to get that config wrong.

As for 2, without seeing your exact list of outbound NAT rules it's impossible to speculate what isn't configured right there.

I was able to connect to my PCs' internet addresses from begin the firewall once I went into Advanced > Firewall/NAT and checked the box labeled: Automatically create oubound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.

In other words, when connected to a PC on my LAN, with that box checked, I can now connect to machines using their internet addresses instead of being forced to use internal, LAN IPs.

@repa:

currently only one to test it.

Firewall is LAN -> WAN "Default allow LAN to any rule "

Outbound NAT is "Manual Outbound NAT rule generation" with no entry.

When using manual outbound, you need to specify outbound nat.

Change it to manual to test and then Back to manual.

Perfect… Thank you so much for the sparring. :)

Hey,
  with 2.0.1 the NAT is not a problem anymore. If you still have the problem, maybe could be a "traffic shaping" queue. I mean, the CARP traffic can be dropped under heavy traffic, and this can bring to an inconsistent CARP status between the master and the slave box.

I am not sure, I figure out that could be a traffic shaping problem today… this is my post:
http://forum.pfsense.org/index.php/topic,45045.0.html

Ciao,
Michele

Hello,
anyone that can pls confirm this? Now it's 3 days, 6h that the two firewalls are working and everything is going great!

The problem was:
WAN Interface: x.x.x.x/24
2 CARP VIPs (on 83) were: x.x.x.x/32

The question is: Can this misconfiguration bring to an inconsistent CARP status (half of VIPs Master on one firewall, the other half Master on the other firewall)?

Thanks a lot,
Michele