• Ask link aggregation

    7
    0 Votes
    7 Posts
    1k Views
    A
    -in multi-wan-loadbalancing scenarios you avoid balancing https sites or use sticky connections. When I use this scenario cited by you, I face problems with some websites; for example, there is a site that is dropping connections, stating that I am using two simultaneous connections, even using sticky connections. Note: I'm doing this balancing via "System: Gateway Groups", with two links marked as Tier 1.
  • Routing/VPN Question

    1
    0 Votes
    1 Posts
    777 Views
    No one has replied
  • WAN failover with vlans + ovpn connections + policy based traffic

    1
    0 Votes
    1 Posts
    501 Views
    No one has replied
  • Static routes question

    3
    0 Votes
    3 Posts
    1k Views
    S
    @rubic: You can not have two gateways to the same destination due to FreeBSD internal routing table organization, which is trie. ECMP implemented in 8.0 is rather an exception than a common practice. Not implemented in pfSense. Why do you need that? I mean, what disadvantage is to have one working path to the destination? In case you need something like failover, use dynamic routing protocol like OSPF. Hi, thanks for the concise answer. Well we're working on a particular deployment where dynamic routing is not an option due to certain limitations with the routers we're using. This will get fixed but as of now, we can't use routing protocols. The thing is, we need the 2 redundant paths either on ECMP or Active/Standby. What about my second question, any insight about that? Thanks again.
  • Problems with Multi-Wan

    1
    0 Votes
    1 Posts
    567 Views
    No one has replied
  • 2 WANs setup not working.

    3
    0 Votes
    3 Posts
    657 Views
    V
    Thanks for the reply. I'm not sure. I set up a span on the switch and connected it to another NIC on the server and set that virtual machine on that specific NIC. The problem I will have now is that I'm not sure how to bridge the two vSwitches, so I can access pfSense by the web.
  • 2 WAN working with squid3

    2
    0 Votes
    2 Posts
    619 Views
    F
    @filipemotta: Hi All, I have two links and any vlans that I separated then selecting the gateway on the LAN rule firewall. i.e: gateway IPv4 * 192.168.0.0/24 * * *           *       IPv4 * 192.168.4.0/24 * * * WAN_DSL_PPPOE These rules actually are using NAT to navigate on the internet, that is each vlan uses the specific link. My problem is that when I enable squid + squidGuard all vlans use the default gateway. How can I solve this? Thanks a lot !! To help other professionals around this solution, I found this in the pfsense document page: By default, traffic using a proxy such as Squid will bypass policy routing and use the default route for traffic at all times. It also bypasses expected outbound NAT and leaves via the WAN IP address directly. Policy routing traffic from the firewall itself is not currently possible, and as such, load balancing is not possible. Failover can be achieved in many cases by using default gateway switching under System > Advanced on the Miscellaneous tab. So, it is not possible. I will try to install squid external to pfsense and then pass the traffic to pfsense after proxy filter.
  • Multiwan configuration for SSH to failover interface

    10
    0 Votes
    10 Posts
    2k Views
    peteP
    Still playing here and decided to shortcut it a bit running another LAN connection from the modem to the PFSense box and only allow telnet/ssh to the modem.
  • SG-2220 and 2 WANs

    4
    0 Votes
    4 Posts
    828 Views
    ?
    Also, in general does anyone have an opinion on this plan? Buy a device with three LAN Ports or NICs or try out a USB to LAN adapter, but this often ends up then with more trouble than help, so it would be more a workaround and not a solution. Alternatively you could use them both as WAN Ports and then connect only over the WiFi system.
  • Policy based routing not working in dual wan setup, help appreciated

    3
    0 Votes
    3 Posts
    2k Views
    J
    Screenshot attached. Tried to hide some names, hopefully the idea is still clear. [image: screenshot.png]
  • Help routing between multiple LANs

    7
    0 Votes
    7 Posts
    10k Views
    7
    Here is how I'm setup.  BTW, having issues with CIFS…  ;D DHCP server is configured for each LAN as: em2 - pfSense IP 192.168.2.99, DNS 192.168.2.99, GW 192.168.2.99 em9 - pfSense IP 192.168.9.99, DNS 192.168.9.99, GW 192.168.9.99 em12 - pfSense IP 192.168.9.99, DNS 192.168.12.2, GW 192.168.12.99  (This is an AD segment so I use DNS within AD, but DHCP from pfSense) NICs are configured with NONE as the upstream gateway So I have two rules for em2/LAN, the anti-lockout, and the IPV4*, sourced from em2. em9 and em12 only have one rule, the IPV4*, sourced from em9 and em12. I disabled Squid, and ClamAV, and Darkstat. I then checked it out, it now seems to be working and routing.  I've removed all but one NIC from my host, the em2 is enabled, and em9/em12 disabled.  I can now route.  I went to a host on em9, and I can route back to 192.168.2.0.  H U R R A Y ! ! ! So I re-enabled Squid and ClamAV.  All seems to be in order.  I'm not sure why, but it appears that Squid/ClamAV may have played a role, but for the life of me, I don't know how.  I will eventually re-enable Darkstat and we'll see what happens. But now, I'm as happy as a pig with lipstick... Thanks a lot for your help.  I think your suggestion of bringing the config back to as close as zero first, helped.
  • Multi-WAN Spillover

    8
    0 Votes
    8 Posts
    2k Views
    C
    @markn455: I have this same need. Additionally a way to limit the maximum amount of data allowed to use the second WAN port. I have a satellite link with a max monthly limit which also has unlimited data between midnight and 0600 each day. I know little about pfsense and just starting my research. I have installed on a VM and starting my learning process. While it does not have a "spillover" capability I am wondering if a combination of gateway groups, traffic shaping, and schedules might not get me there. Mark I know there is a setting inside the firewall where you can configure schedule based policy and select the appropriate gateway. @heper: implementing a spillover (if at all possible) would be a pretty big effort, with probably less than 1% of the community that wants/needs it. (i'm making up numbers as i go here) unless the demand goes up or someone contributes the required code to get this working, i don't see this happening any time soon. It would be a nice feature for all those with metered connections (=sat/3G/dialup), but time is limited for the developers. Unfortunately, I live in developed country where the unlimited ISP is far from acceptable (yes, either you are getting crappy speed due to too many users or you are paying amount of $$$ that is equivalent to number of Gigabit speed, I meant you are paying thousand grand to get good connection basically). I have to rely on using 3G/4G connection which is hard capped. As far as traffic shaper, it only regulates the bandwidth. But it doesn't regulate which WAN link to use like Spillover would do. Thank you
  • Round-Robin or Selective MultiWAN Using OpenVPN?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Having multiple VPNs assigned is fine, and doing the policy routing works as well. Your problem lies in the "geoiplookup" requirement. You might be able to use pfBlocker country lists to aid in that, but there isn't a way to do such a lookup dynamically. In order to policy route you have to be able to match the traffic in a firewall rule, which can't wait on an IP lookup from an external database.
  • 0 Votes
    7 Posts
    3k Views
    KOMK
    Glad to hear it.
  • Multiple static IP's on WAN

    2
    0 Votes
    2 Posts
    786 Views
    M
    I've seen this happen a few times and in every case either the modem was not configured correctly or the ISP gave the user incorrect information. A very simple test would be to plug a laptop directly into the modem and enter your static info.  If it doesn't work (and I suspect it won't), you will have to call your ISP.
  • Routing voice to LAN MPLS not working

    1
    0 Votes
    1 Posts
    680 Views
    No one has replied
  • Tunneling and multi-homing?

    3
    0 Votes
    3 Posts
    952 Views
    S
    One more shot, I can't be the only one doing this. :) So let's say I have my tunnel set up, be it IPSEC, GRE, whatever.  I have a block of IPs routed over the tunnel TO the pfsense box.  How do I in turn make those IPs usable in both a 1:1 NAT setup AND make some available on another interface (ex. on a VLAN on the LAN side of the pfsense box)?
  • Multi Link Site to Site connection

    4
    0 Votes
    4 Posts
    1k Views
    ?
    Could be Dual-WAN & policy based routing & Failover the answer to solve this out right? Link
  • Routing Question - No Public WAN

    6
    0 Votes
    6 Posts
    1k Views
    F
    Thanks for your Time johnpoz ! First - i extended my Drawing: [image: pfsense_network.png] So are you natting with pfsense or not?? At the Moment yes. Really need to understand how you have pfsense configured here.. Actually, at the moment this isn't working at all and i just tested around. No NAT Rules Set. i Just test it with Down-nat (no outbound - its automatic) Also test with ANY-ANY Rules on WAN side. But let me describe this Scenario from the beginning - The Internet Uplink is a 100Mbit directional radio from Mountain to Mountain. (i live in Austria) The Cisco Network / Switches provide several Networks for each individual Customer on this Mountain. (Hotels, ski lift Stations, flatlets, and so on) So it Comes in on One Point and is distributed via Fiber (from 100 to 500 meters) to different locations. Cisco Switches are 48Port. Each Customer has 4 Ports on these Switches with their Own VLAN provided. Mine is - 10.3.17.0/24 The Router/Gateway for my Network is 10.3.17.254. So Basically it isn't a Transit Network - i Just Used it as one. I will call this 10.3.17.0/24 Network for now "Cisco Network". Cause you can easily "hack" (and by hack i mean just plug a network cable into the Switch - cause they are easy to access) and my Customer said he doesn't Trust the other Customers who use the provided Network/Switches - i built the Pfsense Network for my Customer with his own Network 10.3.16.0/24 and the DMZ 10.13.16.0/24 for the Guest-Network. Classic WAN-LAN Network. As mentioned there is also an OpenVPN Tunnel to a Branch Office. (the Branch office has a Public IP - the Main Office hasn't …) Until one week ago everything worked just fine. Now my Customer bought a Fancy KNX System from an Electrician and controls several things. (Light, Heating, ..) No Problem in my Own Network. The KNX Server is 10.3.16.21 The Server also Uses Multicast for some controls. My Customer was so Happy with this System he decided he wants to control more !
And the More are Other Locations in this Cisco Network. (which are connected via Fibre) And the Struggle began - cause i didn't design the Network for that Purpose. The Customer already had Clients in the Cisco Network - but Only for Internet Usage - not to communicate with Clients in the secured 10.3.16.0/24 Network. Using the 10.3.17.1 (Pfsense WAN) as my Gateway was just a plain stupid idea and i just realized it while i was starting this topic here. I ran into this Idea cause if i set 10.3.17.1 as Gateway on my Laptop i could ping 10.3.16.1 without a problem - and thought - easy cheezy i got this. Another Idea is - To Hook up my LAN Side with the Cisco Switch - but i think this will also bring trouble since VLAN is designed just for one Broadcast address. I don't know how the Cisco Switches are configured. I can't test it - but its not clean. If i can't get this to work there is a Worst Case Solution for the Problem - There are Several free Pairs on the Fibre Cables. So i can build my own new Network which is in the 10.3.16.0/24 Network (with new Switches on each location) but the best way would be to get this working with the pfsense. Cause it gave me headache thinking about building another Network since there is already one. Hope this helps you understand my "Scenario" Tried my best.
  • Looking for some advice about routing

    3
    0 Votes
    3 Posts
    624 Views
    DerelictD
    Look at the rules that are automatically generated on LAN. Duplicate them on OPT1 (Changing all instances of LAN to OPT1 of course). The installer creates a rule for you on LAN but when you add another local interface you have to create the rule yourself. NAT should be taken care of automatically.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.