I have 2 pfSense 1.2.3-RELEASE firewalls set up with CARP. Config:
the LAN has full access to initiate connections to the DMZ and everything appears to work fine. I compared the firewall rules on the primary and secondary pfSense boxes and they are identical.
I have "Log packets blocked by the default rule" turned on on both pfSense boxes.
Everything looks fine in the firewall log on the primary pfSense box, but the odd thing I see is that the non-active pfSense box firewall log is showing traffic from the LAN to the DMZ as being blocked by:
Source: 172.20.x.y (LAN)
Destination: 172.19.a.b (DMZ)
@220 block drop in log quick all label "Default deny rule"
Is this some hidden rule that keeps the non-active pfSense box from duplicating the traffic onto the DMZ? It seems like if that were the case there would be a similar rule and weird entries for the WAN interface (which I'm not seeing).