I'm trying to get a similar thing working. I want workstations on LAN A to be able to use the WAN connection on pfSense B if the WAN on pfSense A goes down. (And vice-versa) I'm still working on it, and I'll let you know if I make progress. At the moment we have two WAN connections at each of the two buildings. I hope to be able to get rid of one connection at each building and maintain redundancy with the WiFi link. [image: 1539253594977-bf9069ef-839c-4fa9-a44b-a5b6a65b8c16-image.png] Edit:- OK, so this "just works" if I follow viragomann's instructions. (Thank you!) I made the WiFi link as a subnet connecting OPT1 on each pfSense giving each OPT1 an IP address in that subnet. Then on each pfSense make a new gateway in system -> routing which points to the other pfSenses OPT1 IP address. Don't forget to fix up the OPT1 interfaces' firewall rules, of course. Then I also added a static route using the new gateways so that workstations on LAN A and see workstations on LAN B (and vice versa) via the WiFi link. Now, if I pull the WAN on one pfSense, traffic then goes via the link and out to the WAN on the other. Works like a charm. Next I'll try load sharing.

@derelict did a Google search for netgear dual wan and one of the links was to this forum))) It crossed my mind that it's probably a wrong place to ask for help with my issue but I decided to give it a go anyways)

Yeah. As long as the network is routed to the CARP VIP you're good.

You can 1:1 NAT or do something ugly like bridging. But bridging will get even uglier with multiple VLANs like that. I get that you don't want to NAT. Get the ISP to route another subnet to your address on the /29.

I might have found my answer: "State Killing on Gateway Failure".

Concur a larger transit sure doesn't hurt ;) and yup a /29 gives you a few address to work with if doing HA, etc.

Hello, This has been fixed by Steve Beaver. I have tested the changes on my firewalls and this solves the issue for me. Many thanks. https://redmine.pfsense.org/projects/pfsense/repository/revisions/dac4cd09699bdafa5bcf1cf7b699438e5f669b26 (check the diff file)

Yes, it is. But I've figured it out :) What was happening is that when I made the failover gateway group, I also added a firewall rule to route all LAN traffic through this gateway group. Since WAN-1 is healthy, all traffic (as per this rule) is routed to WAN-1. But inserting a new rule whereby I allow traffic to the single host that I want to connect to and only on the protocol that I want to use (http) solved the issue! Thanks for the rapid fire back and forth, much appreciated!

@dbinoj I'll try that as soon as I get home. Thanks :)

This is to have all possible combinations just in place if you need them. I can recommend the Multi WAN Hangout: https://www.youtube.com/watch?v=svZ6PKqGdtg Very good walk through and explanation as always done by @jimp :-) -Rico