pfSense

pfSense version 2.1.1-RELEASE (amd64).

Hardware: HP DL380 G5 server with on board Broadcom nics and additional HP NC364T quad port nic.

I have the following setup; (see diagram)

dmz1 -> nat -> wan_vip (x.x.x.44)

external -> wan_vip (x.x.x.44) -> dmz_host

dmz2 -> nat -> wan_vip (x.x.x.45)

lan -> nat -> wan_vip (x.x.x.42/29)

This works fine, until I edit (don't even need to change) a firewall rule, at which point outbound NAT from DMZ-1 to x.x.x.44 stops working.

The inbound mapping stops working too.

Outbound NAT (though x.x.x.42/29) still works fine under these conditions, as does outbound NAT from DMZ-2 (which also goes out via x.x.x.42).

I am able to ping x.x.x.44, so the VIP is still up (and this is indicated as such in the CARP status).

However..

If I edit the CARP entry for .44 (not making any changes) - upon saving it, everything works fine again.

In summary:

1) Start an outbound ping from DMZ-1
2) Edit a firewall rule (no need to make any changes)
3) Save the rule, and click "Apply changes"
4) Ping stops almost immediately
5) Go to CARP, select the outbound CARP VIP for the DMZ
6) Edit, change nothing and save.
7) Ping begins responding again.

I have attached a diagram of our installation.