Well i wanted to get around double NAT (some of my server do not like this) and have only servers and such that are on that server to route on there, everything else goes to the main. Main reason i want a router there is that it would be done on the CPU

I think I've gotten a bit closer… added a virtual interface for the OpenVPN tunnel in question, which should open the door to doing failover in the usual way. The OpenVPN connection would always be up (as opposed to started when needed), but I can live with that. Will see if I can feel my way through it. I'd still appreciate hearing from anyone who's done this before, though!

Anyone ?

Better use Squid and Squid Guard for the purpose.

This much of information regarding your issue is not adequate to give a solution. Post your firewall rules for LAN and WAN (both), 'General Setup', 'Routing' ('Gateway' and 'Gateway Group').

Hi Johnpoz, Forgot to mention that this pfsense is a VM on a xenserver host. Regards. Thanks.

Thanks for the suggestion - tried it.  As soon as I assign the WAN (DHCP, or anything else) interface to the PPP group, it flips the WAN interface back to PPPoE and all the credentials are back in there.  Checking the logs, 4 logins again. No Joy.

I have changed that and I think that the problem come from the wan interface or the router config. This logs can be helpful? Oct 3 15:06:42 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 09:50:42 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 09:50:44 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 09:50:47 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 10:36:49 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 10:36:52 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 10:37:07 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Whay do you think? Oct 12 10:37:10 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100%

lan gateway firewall rules was all i had to change

[root@pfsense]/root: netstat -r Routing tables Internet: Destination        Gateway            Flags      Netif Expire default            d5101.static.t.org UGS        em0 ... ...

Seems like something at layer 2 such as RSTP might be more appropriate in that case. You are changing layer 1/2 - not 3. There are HA and failover capabilities included. That they do not fit your particular use case/ISP method is secondary. This thread is woefully short on details from the ISP regarding what is really going on.

Hi Team, I have done dual wan connection in pfsense using load balancing but i cant use both network at a time.If wan1 is down after that only i am able to access 2nd wan. Is any idea for this to resolve.

What sort of traffic is it? You are better off not policy routing (rules on gateway set to "default", not a specific gateway) in these cases. Though routing on WAN can be complicated sometimes due to how the outbound WAN rules have route-to on them. Maybe try an floating rule, outbound, quick, on WAN, matching the destination network and without a gateway set on the rule. You might also have to add a "do not NAT" type rule so that your private-to-private traffic does not get source NAT applied. If the two internal networks are on separate VLANs within the same switch setup, also consider using a tagged VLAN as a means of handing off traffic between the firewall rules to avoid using WAN.

@Derelict: Does the "main VLAN" have public, routeable IP addresses? If so then you want to disable outbound NAT on WAN for traffic sourced from those IP addresses. https://doc.pfsense.org/index.php/How_can_I_use_public_IPs_on_the_LAN If not, I'm not sure what you're asking. ~~Thanks for the answer Derelict! Yes, I have public IP routeable on that vlan and I have nothing set in Firewall > NAT, Outbound. Only this is enough or I need to create a rule?~~ EDIT: SOLUTION http://www.eliaspereira.eti.br/2016/10/filtro-tcp-no-gw-principal-outbound-no.html ;D I made a rule in "Firewall: NAT: Outbound" with the following settings: [image: nd8lBea.png]

Thanks a lot for the information i've done a Plan B, i've configured NAT in the Firewall for traffic from 192.168.3.0/24 intended to PfSense LAN address

So it's an IPSec VPN. You should have mentioned this. I'm not familiar with IPSec on pfSense, but there is a special topic in this forum: https://forum.pfsense.org/index.php?board=16.0