ok, there is something else wrong….... reduce down to once vpn. pfsense vpn      10.0.10.22 vpn host          10.0.10.21 vpn gateway    10.0.10.1 dpinger from box: dpinger -f -B 127.0.0.1 8.8.4.4    - no packet loss dpinger -f -B 10.0.10.22 8.8.4.4  - packet loss after 3rd ping. what am i missing?

fingured it out found a nice blog somebody has done https://blog.monstermuffin.org/create-an-ipsec-site-to-site-tunnel-between-two-pfsense-firewalls/ with a draytek router you can add phase2 [image: drayek.jpg] [image: drayek.jpg_thumb]  

Thanks for the advice Johnpoz.  I at the very least have a pretty clear understanding why its broken.  Hopefully I can convince some people to make a change.

dude run your own scan, go to canyouseeme.org..  What IP comes up in the box?  Is that your IP your domains are pointing too?  Again I scanned that IP and port 80 is not listening.. Here I just did it from another online scanner.. those 3 ports your firewall shows open 80,443,8080 all come back as filtered!!!  Ie nothing listening.. Notice no packets came back.. Starting Nmap 6.00 ( http://nmap.org ) at 2016-12-13 13:48 EET Initiating SYN Stealth Scan at 13:48 Scanning cradley.heathfield.sandwell.sch.uk (81.145.129.116) [3 ports] Completed SYN Stealth Scan at 13:48, 2.83s elapsed (3 total ports) [+] Nmap scan report for cradley.heathfield.sandwell.sch.uk (81.145.129.116) Host is up. PORT    STATE    SERVICE 80/tcp  filtered http 443/tcp  filtered https 8080/tcp filtered http-proxy Nmap done: 1 IP address (1 host up) scanned in 5.44 seconds           Raw packets sent: 6 (264B) | Rcvd: 0 (0B) I would validate that is your actual IP..  Maybe your IP changed!!  Is your reverse proxy running and listening on those ports?  Because get nothing back from that IP on those ports

Update! As for the questions: as far as i know, any service running on pfsense will bypass policy routing. So loadbalancing is not going to work as intended.

@bjaffe: You have a firewall rule above your load balancing rule (Default LAN to Any ipv4) that's taking precedence on all of your LAN net generated traffic and using the default gateway. PfSense will process the rule set from top down. Move the LAN net to any rule below the one you have configured with the specified GW group. That did it! Thank you! Completely overlooked the firewall priority law.  I changed the "default Lan to any rule" to the gateway LB and killed my own created rule. The two WANs now appear to be load-balancing but not as effectively or efficiently as I would like them to. Each WAN on its own could give me 25-27Mb/s bandwidth (speedtest.com), combined I don't get anything above 15-17Mb/s. I have been tweaking around with the weight ratio (though both have the same speed and are from the same ISP). Aside from using speedtest, I thought downloading a large file via IDM could be a better venue for testing the actual bandwidth speed, but IDM appears to be using only the default gateway (for instance I set the IDM to use 8 connections, and set the weight ratio to 4-4 on pfsense, but IDM is only talking through the default gateway, while the second gateway is idle with no traffic activity). On some youtube videos I have seen people easily aggregating the two bandwidth (illustrated as before and after on speedtest), but so far my attempts have been semi-fruitful (if that's even a word). I will try to research more on this matter on my own, but as always any help that could save me time, frustration, and energy, would be greatly appreciated! Also, you can't use the ping or traceroute tools inside of pfSense to test your load balance configuration because it's considered firewall generated traffic. The rule you configured for specifying your load balancing GW group won't apply when the traffic is generated using those tools on pfSense. It will only apply to "inbound" traffic to that specified interface (LAN). Also, multi-WAN load balancing entails individual connections being balanced in a round-robin fashion, so traceroute wouldn't be the best test here. Try running a speed-test and then checking the traffic graph in pfSense looking at both WANs and making sure activity is taking place on them. I did not know that. Thank you for clarifying the matter for me. UPDATE: So, I tested load balancing only with the  two DSL lines, and now it appears to be I'm getting the aggregated bandwidth of 15 Mb/s (7Mb/s from DSL A + 8Mb/s through DSL B). Another thing that is a bit puzzling with regards to the TD-LTE lines is that when I start downloading a file one of the two connections' RTT begins to hike up very rapidly (from 130ms  to 650ms  where offline state is triggered) while the other one remains pretty stable.  ??? Also at all times the two connections seem to have about 60 to 70ms RTT difference!

You may also achieve that by running a VPN server and connecting your mobile to it. https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

Managed to resolve the problem - Although I had deleted the gateway and made a new one - pfsense "remembered" an old gateway-group - so was still trying to use old (non-existent) gateway within the group. Added new gateway to gateway group - all working perfectly.

Finally  :D :D It was the gateway that caused this problem. I deleted it and turned back the automatic outbound rules. Then it worked as it should Thanks a lot viragomann!!

Must the second company's firewall connect to yours? If it's two IP addresses in the same WAN subnet, don't bother chaining them. Put a switch on WAN and let them keep their firewall entirely separate.

Was the openVPN client connection established when this screenshot was taken?

Awesome thanks I will give that a shot!!!

Very strange.  Glad you got it working.

Two WANs to the same ISP are a problem on its own. Usually you get the same gateway from you ISP for both connections which makes it hard for your router to route different way. And two WANs will NOT sum up to double speed, e.g. you will not be able to download a singe file with 20MBit/s. With load-balancing you can get 2x 10MBit for pulling different data. A single 20MBit/s line can use the whole pipe with a single download or such.