Thanks, i'll tried that and if i run into trouble i'll give you guys a shout.  Thanks again.

Everybody from this forum clicked the link trying to help and the server was brought down ;)

CARP works with private addresses too. Did you see my 'solution' at the bottom of this thread; http://forum.pfsense.org/index.php/topic,15393.msg81475.html#msg81475 I had to run the modem as a 'router' and have the PPPOE endpoint there. You won't be able to run it as a modem and have PPPOE running at the same time on each firewall. Well, that is not quite true….. my first attempt was exactly that, PPPOE running on each firewall and it worked in so far as each PPPOE session could establish the link to the ISP, but traffic would only flow over the link that was 'first' to connect. I remember in the 'early days' of xDSL that people were successfully running multiple PPPOE sessions. Obviously, some ISPs don't want users to do that now. here is an ifconfig on my primary firewall; em0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:25:a5 inet 10.18.200.1 netmask 0xffffff00 broadcast 10.18.200.255 inet6 fe80::250:56ff:febe:25a5%em0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:11:dc inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::250:56ff:febe:11dc%em1 prefixlen 64 scopeid 0x2 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:5a:54 inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255 inet6 fe80::250:56ff:febe:5a54%em2 prefixlen 64 scopeid 0x3 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:2c:78 inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255 inet6 fe80::250:56ff:febe:2c78%em3 prefixlen 64 scopeid 0x4 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active plip0: flags=108810 <pointopoint,simplex,multicast,needsgiant>metric 0 mtu 1500 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 enc0: flags=0<> metric 0 mtu 1536 pflog0: flags=100 <promisc>metric 0 mtu 33204 pfsync0: flags=41 <up,running>metric 0 mtu 1460 pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128 carp0: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 10.18.200.99 netmask 0xffffff00 carp: MASTER vhid 1 advbase 1 advskew 0 carp1: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 192.168.2.99 netmask 0xffffff00 carp: MASTER vhid 2 advbase 1 advskew 0 carp2: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 192.168.1.99 netmask 0xffffff00 carp: MASTER vhid 3 advbase 1 advskew 0 secondary; em0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:74:e5 inet 10.18.200.2 netmask 0xffffff00 broadcast 10.18.200.255 inet6 fe80::250:56ff:febe:74e5%em0 prefixlen 64 scopeid 0x1 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:26:94 inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::250:56ff:febe:2694%em1 prefixlen 64 scopeid 0x2 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:3d:87 inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255 inet6 fe80::250:56ff:febe:3d87%em2 prefixlen 64 scopeid 0x3 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:50:e3 inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255 inet6 fe80::250:56ff:febe:50e3%em3 prefixlen 64 scopeid 0x4 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active plip0: flags=108810 <pointopoint,simplex,multicast,needsgiant>metric 0 mtu 1500 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 enc0: flags=0<> metric 0 mtu 1536 pflog0: flags=100 <promisc>metric 0 mtu 33204 pfsync0: flags=41 <up,running>metric 0 mtu 1460 pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128 carp0: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 10.18.200.99 netmask 0xffffff00 carp: BACKUP vhid 1 advbase 1 advskew 100 carp1: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 192.168.2.99 netmask 0xffffff00 carp: BACKUP vhid 2 advbase 1 advskew 100 carp2: flags=49 <up,loopback,running>metric 0 mtu 1500 inet 192.168.1.99 netmask 0xffffff00 carp: BACKUP vhid 3 advbase 1 advskew 100 Notice the IP addresses are all private.</up,loopback,running></up,loopback,running></up,loopback,running></up,running></promisc></up,loopback,running,multicast></pointopoint,simplex,multicast,needsgiant></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></up,loopback,running></up,loopback,running></up,loopback,running></up,running></promisc></up,loopback,running,multicast></pointopoint,simplex,multicast,needsgiant></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast>

:'(

Sponsor it!

Packeteer is simply a traffic shaper.  It's a good traffic shaper, but its just a traffic shaper.  pfSense is a full-featured firewall which incorporates a traffic shaper.  It's not the best traffic shaper in the world, but its very effective for many tasks.  Also, its free, which packeteer definitely isn't.

Sorry, i didn want to fight anyone … sorry if looks like i want :( i was thinking about this, and as i said will block port 25, only i need some transition period. thanks for advices ;)

I do not know why it seems to have a tunnel to itself. I do not see that in the setup.  I did finally get traffic to the 10.25.22.0 subnet and now the phone traffic is traveling thru the IPSec tunnel to the 10.25.18.0 subnet to the pbx server. I had to reboot both systems and something kicked in and now I can access the phones webgui and the phones registered with the server.

What does the systemlog say when you try to connect?

Thanks. It seems problem with my CentOS server, because when I tried to setup a Windows workstation with the IP address I stated on the OPT1 and connect it to the switch coonnected to the OPT1 interface it works. But when I tried connecting my CentOS it does not work. But at least I know that pfsense is working and my configuration is good. Now I have to deal with my CentOS server. It's kind of puzzle because when I tried to connect my CentOS server directly to my ISP switch it works, but if I connect it to the switch connected to the OPT1 interface it does not work.  ???

He means using a cellular data broadband card (like G3 or GSM) as a WAN connection. This was kicked around a while ago and there was a bounty open. The parts are slowly coming together, but I haven't heard details of a successful setup yet. It could be very handy for a backup connection when options are limited or for temporary setups (eg- construction site).

So how was your experience?

This is extremely common on modern networks as a result of Path MTU Discovery. Most TCP packets on modern networks will have the DF bit set. For example run a tcpdump -v on your network and you'll find that pretty much every TCP packet has the DF bit set. The problem is almost certainly something else.