CARP on WAN interface

  • Trying to use PFSense as my development network gateway/firewall.

    Currently I have 2 ESX hosts running ESX 4.0 using shared storage.

    I have two PFSense guests (router01 and router02); they are both running PFSense 2.0-BETA1.
    Each PFSense guest has 6 vNICS that connect to different virtual distributed switches.

    Physically each ESX host has a WAN NIC that is connecting to the WAN vSwitch.
    This is the same for the LAN interface/vSwitch. These WAN and LAN NICs connect to different physical switches; this PFSense is doing the routing for these.

    Currently everything is working as expected. All development guests (inc. routers) can ping each other and the production hosts on local and remote subnets.

    I've got 1 problem at the moment: the WAN vIP is not ping-able or accessible from anything, except ROUTER01 from itself (console).
    Pinging the WAN vIP updates the ARP table on production PCs, which indicates that it's found the host? But the firewall is blocking ICMP?

    I've configured an ICMP allow rule under WAN and floating; neither seems to have an effect for this issue. The option for block private networks is not enabled on any interface for ROUTER01 or ROUTER02.

    I'd like to use this vIP from my production router to pass 1 public subnet (/29) via 1:1 NAT.

    I would appreciate any suggestions on how I can get this vIP to respond on the WAN side of things?

    Thanks in advance.


  • You're either missing a firewall rule to allow that, or possibly your vswitch(es) aren't configured to allow multiple MACs.
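The two causes named in the reply leave different traces in the ARP cache of a host that tried to ping the VIP, so a quick check is to look at which MAC the VIP resolved to. CARP answers ARP for a VIP with the virtual MAC 00:00:5e:00:01:&lt;VHID&gt;; if the vSwitch refused to pass frames from that MAC, the pinging host would get no entry at all, while an entry carrying the CARP MAC means layer 2 is fine and the missing firewall rule is the likelier cause. The following is an added diagnostic written for this thread, not code from the thread or from pfSense; the VHID, the VIP address and the `arp` output lines are constructed values, since the thread gives none of them.

```python
import re
from typing import Dict

# One IPv4 address followed later on the same line by a MAC written with ':' or '-'
# separators; this matches the line shapes of FreeBSD/pfSense "arp -an" and Windows "arp -a".
_ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def carp_virtual_mac(vhid: int) -> str:
    """Return the MAC a CARP VIP with this VHID answers ARP from (IANA VRRP/CARP prefix)."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def parse_arp(output: str) -> Dict[str, str]:
    """Map IP -> normalised lowercase colon-separated MAC; lines without a MAC are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def diagnose_vip(arp_output: str, vip: str, vhid: int) -> str:
    """Classify what the pinging host learned about the VIP.

    'carp-mac-ok'      -> VIP resolved to the CARP virtual MAC: layer 2 passes CARP frames,
                          so look at the WAN firewall rules next.
    'no-arp-entry'     -> nothing answered ARP for the VIP: check the vSwitch lets the
                          guest send frames from a MAC other than the vNIC's own.
    'unexpected-mac:…' -> something else claims the VIP (e.g. a stale or conflicting host).
    """
    actual = parse_arp(arp_output).get(vip)
    if actual is None:
        return "no-arp-entry"
    if actual == carp_virtual_mac(vhid):
        return "carp-mac-ok"
    return f"unexpected-mac:{actual}"


# Constructed sample inputs (not from the thread): VIP 203.0.113.2, VHID 5.
SAMPLE_VIP = "203.0.113.2"
SAMPLE_VHID = 5

# FreeBSD-style "arp -an" output as a production host might show it after pinging the VIP.
FREEBSD_ARP = """\
? (203.0.113.1) at 00:50:56:aa:bb:01 on em0 expires in 1190 seconds [ethernet]
? (203.0.113.2) at 00:00:5e:00:01:05 on em0 expires in 1188 seconds [ethernet]
? (203.0.113.3) (incomplete) on em0 expired [ethernet]
"""

# Windows-style "arp -a" output where the VIP never resolved.
WINDOWS_ARP = """\
Interface: 203.0.113.10 --- 0xb
  Internet Address      Physical Address      Type
  203.0.113.1           00-50-56-aa-bb-01     dynamic
  203.0.113.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    print(diagnose_vip(FREEBSD_ARP, SAMPLE_VIP, SAMPLE_VHID))  # carp-mac-ok
    print(diagnose_vip(WINDOWS_ARP, SAMPLE_VIP, SAMPLE_VHID))  # no-arp-entry
```

Run it against the real `arp -a` output captured on the production PC that the original poster mentions; the thread's own observation (the ARP table does get updated) would map to `carp-mac-ok` only if the entry shows the 00:00:5e:00:01:xx MAC, which is the value worth confirming before spending more time on the vSwitch side.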
