• One Wired, One Wireless setup

    1
    0 Votes
    1 Posts
    591 Views
    No one has replied
  • <solved>Are there default Preferences on multiple LAN Ports?</solved>

    6
    0 Votes
    6 Posts
    1k Views
    M
    Hi, in the last days I did some tests and research. I got another Astaro ASG220 Appliance for testing and there I made the following experience. On our Appliance we had pfSense embedded installed on a 4GB USB2.0 Stick. On the borrowed one I installed pfSense on a spare HDD that was connected to the Appliance's OnBoard IDE Port. I reinstalled the current release and imported the config of our faulty Appliance. After correcting some Interface Assignments I switched over to this Appliance and on all Ports we got the correct Internet Speed. Then I plugged another spare IDE HDD into our faulty Appliance and reinstalled pfSense. Then I reimported the current config and corrected some assignments like in the borrowed Appliance. I switched back and I got the full Internet Speed with our Appliance, too. The only Difference is that now pfSense does not boot up from USB-Stick (embedded Version) but from HDD (classic Install). But why does the USB-System have such performance flaws, when it boots up in RAM? Thanks for your help! The problem itself is solved now!  :D
  • MULTI WAN +FAILOVER+DNS

    1
    0 Votes
    1 Posts
    826 Views
    No one has replied
  • Policy Routing Behind Separate LAN and IPSEC Routers

    4
    0 Votes
    4 Posts
    1k Views
    M
    Hi Tim, Yes I did build and test it out.  The main 'issue' I have is that the connectivity and vpn out the device 'pf_internet' from 'pf_internal' is used for other services too. If, on the device 'pf_internal' 192.168.166.x interface, I set a gateway of pf_internet (192.168.166.x) but with a monitor of an IP across the tunnel, I believe yes, this would work.  However, if only the tunnel to that remote IP being monitored goes down, I run the risk of causing failover for other services, even when the rest of the connections are up. – I hope you understand what I mean? My workaround for the moment is to have static routes, specific for the remote IP, disabled on pf_internal.  In the case of failure of the tunnel, the static routes are simply enabled. --- Yes, I know....  Manual intervention like this is not ideal, I'm just not seeing any other way around this scenario.
  • Using /29 - virtual ip's or wan vlan?

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD
    You really cannot make an inside interface with public addresses with a single /29 on WAN. The best you can do is 1:1 NAT addresses to inside hosts. Some people bridge WAN so they can put hosts on public IP addresses. Not a fan. If they were to route another subnet to an address on that /29 you could use that subnet on an inside interface, use VIPs on WAN, or basically do whatever you want.
  • PfSense allow one part of the network access to VPN Tunnel

    2
    0 Votes
    2 Posts
    896 Views
    R
    Easiest way would be to just create separate Guest and Secure vlans. Leave Guest at your Linksys, and route Secure to your core.
  • vlan loading/reconnect issues in one-armed setup

    10
    0 Votes
    10 Posts
    7k Views
    johnpozJ
    You want a slow booter, the 3850's are like waiting for a pot to boil while watching it..
  • Multi LAN & WAN Routing woes

    2
    0 Votes
    2 Posts
    983 Views
    DerelictD
    You need to bypass policy routing when you set the gateway groups. That means, for instance, a pass rule on LAN_1 that passes traffic to LAN_3 that does not set a gateway (meaning it's set to the default gateway). After that you can place the rule that passes traffic to any (the internet) and sets the gateway group. Traffic routed to a specific gateway, or policy routed, is sent to that gateway with no further checks. https://doc.pfsense.org/index.php/What_is_policy_routing https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • Balancing single host traffic & Persistent WAN usage

    1
    0 Votes
    1 Posts
    596 Views
    No one has replied
  • Dual-WAN, MONITOR spamming system, causing 504: Bad Gateway

    2
    0 Votes
    2 Posts
    1k Views
    M
    On 2.3.2 64-bit. Similar problem as GoldServe. Whenever Wan1/2 failover occurs I get hit with 3 pairs of the same log messages in succession.  Any way to have PfSense log just one entry pair?  Does it log for every gateway with monitoring enabled even though it's not included in the failover tiers?
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
  • Why using failover rules on top of load balancing rules? Not redundant?

    3
    0 Votes
    3 Posts
    907 Views
    N
    @heper: there is no direct reason to 'cascade' failover rules below balancing rules if they are meant to match the same traffic …. pointless waste of time. Great, thanks for your insight. that's odd. do you have a dns server set for each wan? (general settings) no clue if this is a known issue or something specific in your situation, never encountered it myself Yes, I have DNS servers for each Wan under general settings. I will try and dig some more.
  • Multi WAN, Multi lan local routing problem

    4
    0 Votes
    4 Posts
    1k Views
    dotdashD
    The order is correct. Make sure you do the same thing on LAN2 so the LAN2 traffic can pass to LAN1.
  • Network cut off when doing backup

    12
    0 Votes
    12 Posts
    2k Views
    P
    I found the solution now: it had been a problem with "inline mode" in suricata. I changed it back to legacy mode and now everything is as it should be: it blocks under certain conditions, makes a log entry and cuts the connection to the offender (not the whole network).
  • Create another whole network behind pfsense for lab testing

    2
    0 Votes
    2 Posts
    837 Views
    johnpozJ
    Yeah it's pretty easy.  I assume you're going to double nat, unless you're planning on using that new vlan as transit network?
  • Multi-WAN is not balancing

    3
    0 Votes
    3 Posts
    1k Views
    T
    Hello everyone, I am new to the pfSense World. I worked until now with Kerio. But for my new projects Kerio is a little bit too expensive. So I have to know and I hope that someone has experience with them. Is it possible to make a Load Balancing on pfSense with 6-7 Gigabit WAN? regards Toma
  • Backup route - Disable route if Gateway down

    5
    0 Votes
    5 Posts
    2k Views
    H
    everything is possible, the source is available. no such option exists. as jimp said: run a routing protocol. that takes 5 minutes, what you are asking will take much more time, effort & money
  • 1 WAN route back to 2 redundant LAN

    6
    0 Votes
    6 Posts
    2k Views
    B
    Hi all, I'm still struggling with that issue. I've looked for all sorts of possible solutions and came out with almost nothing. There was something related to BGP but that will have a major impact on our current BGP configuration
  • PFsense didn't monitor external dns

    8
    0 Votes
    8 Posts
    1k Views
    johnpozJ
    Seems your isp doesn't like it.. Or maybe google doesn't like it from where you're coming from?  Or network between you and google and opendns doesn't like it and drops it.  Maybe there are network problems currently between you and them and those packets are being dropped because of min effect on overall traffic, etc. Could be many reasons for it.  Hard to say where the issue is since you do not have control over the other side.. You could try sending zero sized icmp to somewhere you have control over and see if they get there.  If they do and answer then you can rule out your ISP blocking/dropping them. How good is your isp, maybe you can open a ticket with them about it and they can provide some insight?
  • Load balance and failover fail

    2
    0 Votes
    2 Posts
    724 Views
    H
    when putting multiple gateways in a group with the same TIER they will balance. When one of the gateways goes down, it'll continue to work over the remaining gateways. you seem to be misunderstanding how policy routing works. as you can see in your screenshot of your LAN rules: only the MULTIWAN-rule is being triggered,  the ones below are useless. rules are processed top->down, first match wins. https://doc.pfsense.org/index.php/Troubleshoot_Outbound_Load_Balancing_Issues
  • Route some traffic (bittorrent) to second WAN interface

    14
    0 Votes
    14 Posts
    2k Views
    T
    If it's just one client, load balance all traffic from that client.