Everybody from this forum clicked the link trying to help and the server was brought down ;)

CARP works with private addresses too. Did you see my 'solution' at the bottom of this thread;

http://forum.pfsense.org/index.php/topic,15393.msg81475.html#msg81475

I had to run the modem as a 'router' and have the PPPOE endpoint there. You won't be able to run it as a modem and have PPPOE running at the same time on each firewall. Well, that is not quite true….. my first attempt was exactly that, PPPOE running on each firewall and it worked in so far as each PPPOE session could establish the link to the ISP, but traffic would only flow over the link that was 'first' to connect. I remember in the 'early days' of xDSL that people were successfully running multiple PPPOE sessions. Obviously, some ISPs don't want users to do that now.

here is an ifconfig on my primary firewall;

em0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:25:a5
inet 10.18.200.1 netmask 0xffffff00 broadcast 10.18.200.255
inet6 fe80::250:56ff:febe:25a5%em0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:11:dc
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:56ff:febe:11dc%em1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:5a:54
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::250:56ff:febe:5a54%em2 prefixlen 64 scopeid 0x3
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:2c:78
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
inet6 fe80::250:56ff:febe:2c78%em3 prefixlen 64 scopeid 0x4
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
plip0: flags=108810 <pointopoint,simplex,multicast,needsgiant>metric 0 mtu 1500
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 <promisc>metric 0 mtu 33204
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
carp0: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 10.18.200.99 netmask 0xffffff00
carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 192.168.2.99 netmask 0xffffff00
carp: MASTER vhid 2 advbase 1 advskew 0
carp2: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 192.168.1.99 netmask 0xffffff00
carp: MASTER vhid 3 advbase 1 advskew 0

secondary;

em0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:74:e5
inet 10.18.200.2 netmask 0xffffff00 broadcast 10.18.200.255
inet6 fe80::250:56ff:febe:74e5%em0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:26:94
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:56ff:febe:2694%em1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:3d:87
inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::250:56ff:febe:3d87%em2 prefixlen 64 scopeid 0x3
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:be:50:e3
inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
inet6 fe80::250:56ff:febe:50e3%em3 prefixlen 64 scopeid 0x4
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
plip0: flags=108810 <pointopoint,simplex,multicast,needsgiant>metric 0 mtu 1500
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 <promisc>metric 0 mtu 33204
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
carp0: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 10.18.200.99 netmask 0xffffff00
carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 192.168.2.99 netmask 0xffffff00
carp: BACKUP vhid 2 advbase 1 advskew 100
carp2: flags=49 <up,loopback,running>metric 0 mtu 1500
inet 192.168.1.99 netmask 0xffffff00
carp: BACKUP vhid 3 advbase 1 advskew 100

Notice the IP addresses are all private.</up,loopback,running></up,loopback,running></up,loopback,running></up,running></promisc></up,loopback,running,multicast></pointopoint,simplex,multicast,needsgiant></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></up,loopback,running></up,loopback,running></up,loopback,running></up,running></promisc></up,loopback,running,multicast></pointopoint,simplex,multicast,needsgiant></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast>

:'(

Sponsor it!

Packeteer is simply a traffic shaper.  It's a good traffic shaper, but its just a traffic shaper.  pfSense is a full-featured firewall which incorporates a traffic shaper.  It's not the best traffic shaper in the world, but its very effective for many tasks.  Also, its free, which packeteer definitely isn't.

Sorry, i didn want to fight anyone …
sorry if looks like i want :(
i was thinking about this, and as i said will block port 25, only i need some transition period.

thanks for advices ;)

I do not know why it seems to have a tunnel to itself. I do not see that in the setup.  I did finally get traffic to the 10.25.22.0 subnet and now the phone traffic is traveling thru the IPSec tunnel to the 10.25.18.0 subnet to the pbx server.

I had to reboot both systems and something kicked in and now I can access the phones webgui and the phones registered with the server.

What does the systemlog say when you try to connect?

Thanks. It seems problem with my CentOS server, because when I tried to setup a Windows workstation with the IP address I stated on the OPT1 and connect it to the switch coonnected to the OPT1 interface it works. But when I tried connecting my CentOS it does not work. But at least I know that pfsense is working and my configuration is good.

Now I have to deal with my CentOS server. It's kind of puzzle because when I tried to connect my CentOS server directly to my ISP switch it works, but if I connect it to the switch connected to the OPT1 interface it does not work.  ???

He means using a cellular data broadband card (like G3 or GSM) as a WAN connection.
This was kicked around a while ago and there was a bounty open. The parts are slowly coming together, but I haven't heard details of a successful setup yet. It could be very handy for a backup connection when options are limited or for temporary setups (eg- construction site).

So how was your experience?

This is extremely common on modern networks as a result of Path MTU Discovery. Most TCP packets on modern networks will have the DF bit set. For example run a tcpdump -v on your network and you'll find that pretty much every TCP packet has the DF bit set.

The problem is almost certainly something else.

My suggestion would be to create an opt1 interface on the pfsense box.  Call it 10.10.0.1, make your access point 10.10.0.2 or something like that.  In my experience, this setup will work with Squid transparent proxy bound to both the LAN and OPT1 interfaces.  Also, traffic between them should pass unless you block it with a rule.  If you need them bridged, that should work too.

How about this old age saying….

If it ain't broke don't fix it.