pfSense

you mean on the secondary, the primary, or both? What does ifconfig look like on both systems afterwards?

The config in the UI looks correct on both the master and the backup (listed as IP Alias in Virtual IPs screen, disappears from CARP status screen) but the IP address stops working immediately after you click "Apply" on the Virtual IPs screen.

To get it working again you need to go to the CARP Status screen on the first box and click Disable CARP. At this point the IP will work correctly on the second box. If you then reenable CARP on the first box so that the IPs transition back then it will work correctly there as well.

I added a CARP IP back to my systems to test (I migrated them all to IP Alias after I figured this out earlier). That CARP IP was named opt1_vip10.

The output of ifconfig changes exactly as expected at each step. As a baseline, there is an interface of opt1_vip10 with the IP address I assigned it. After switching the IP to an Alias that interface disappears from ifconfig and the address moves up as an additional on opt1_vip3. There is no difference between ifconfig at this point and again after initiating a carp failover/failback.

If there's an issue here it must be in the NAT or FW rules.

That's not something I can duplicate under 2.1 or 2.1.1 built on "Wed Jan 22 04:46:20 EST 2014".

If I change a CARP IP to an IP Alias and make the parent the actual physical interface it works right away. If I make the parent a CARP IP then it doesn't come online until after a failover.