First, I'm not sure why you would keep two gateways on a single LAN, but then there's a lot I don't know. What do you mean by "use the draytek as a secondary"? In the simplest scenario you replace the Cisco with pfsense and configure it the same. Nothing changes from the user's point of view. Is there any way I can have a WAN2 that points to the draytek box even though it's on our internal LAN? Are you doing that now with the Cisco? I believe you can set a static route in pfsense to use the Draytek as a gateway, then configure load balancing, failover, or policy routing as you would with a second LAN. As far as I know there's no problem having pfsense route between multiple hosts on the same network as long as your gateways, NAT and firewall rules are set up correctly. Then again, I haven't tried it.

cmb, thank you, that's both problems solved!  ;D I'm now on 2.0 and with the setup functioning fine, although I did need to set "Disable DNS Rebinding Checks" on the second router for DNS resolution to work after the upgrade to 2.0 biggsy, no problem, I'd ask the same! It's actually because I'm bound by physical interfaces on the first ESXi server. Now that I've had a good look, I can't get another NIC in there, so I'll have to move this second router VM onto another box which does have enough NICs. Plus, I'm trying to investigate some NFS usage over time and am quite interested in the RRD graphs on the second router (keeping them separate from the ones on the first router, which should only be doing internet routing) Thanks again, Chris

i have a problem setting this up for single wan, single lan and single OPT… what are the main keypoints when setting up this transparent firewall? thanks...

@Metu69salemi: How is your firewall setted up? How many lan nic's etc I have 4 interfaces: LAN STRONGVPN VPN WAN LAN and WAN are physical interfaces. My outbound is this: WAN  10.0.0.0/24 * * * * * NO LAN STRONGVPN  192.168.50.0/24 * * * * * NO Phone

well im not trying to get back the values. i just dont want other people to be able to so maybe i should change values in the rng every round, and seed it every round, and only use 1 output number?

@Metu69salemi: I assume that pfsense is already doing loadbalancing on wans, but it still select first one and not the other one Correct it is doing loadbalancing and I current have the working WAN with a lower metric.  When I ping from the firewall over the second wan connection to the wan's gateway.  I get really high times.  Again this is not the case when I bypass the firewall and setup a computer with the same settings.

Add a firewall rule on the LAN interface to allow 20.0.0.0/24. Why are you using 20.0.0.0/24 for a LAN?

Hey guys, I ended up in enabling NAT-PMP. In some test connections to echo123 it then gave me udp status local: good. I also thought about adding port forwardings, but we have much and also changing clients. Can anyone of you maybe tell me useful restriction rules, so that only Skype (more or less) could create NAT-PMP entries?

Ping is ICMP, and your rule has a protocol of only TCP. Change the rule to allow any protocol, or add another rule for ICMP, and then you can ping.

pfsense 1.2.3 had no true concept of weight, using 2.0 with the weight the same would be identical to 1.2.3 with one entry for each WAN in the gateway pool. Neither 1.2.3 or 2.0 consider the actual bandwidth for load balancing - the balancing is done in round-robin style based on connections. The only thing that would be limiting bandwidth would be traffic shaping/limters, and those would have to be setup separately.

Do you have ppp connections with them?  T-1 or ethernet circuits?

Thanks For the Reply Let Me Try The Mentioned Options

thank you…I will try and return with my result...  I appreciate the time you took from your life to answer mt silly question.,

Last week i've disabled tier2 wan interface + removed the failover gw group. the arpresolve errors still occur frequently (once a week). release/renew of the wan interface solves it. Anyone have a clue ? Dec  5 14:45:48 pfsense check_reload_status: Syncing firewall Dec  5 15:25:43 pfsense dhclient: EXPIRE Dec  5 15:25:43 pfsense dhclient: Deleting old routes Dec  5 15:25:43 pfsense dhclient: PREINIT Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.G Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:43 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW ..... Dec  5 15:25:52 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:52 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:52 pfsense apinger: ALARM: WAN_TELENET(8.8.8.8)  *** WAN_TELENETdown *** Dec  5 15:25:52 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:25:52 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW ..... Dec  5 15:26:02 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:02 pfsense check_reload_status: Reloading filter Dec  5 15:26:02 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW ..... Dec  5 15:26:07 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:07 pfsense php: : The command '/sbin/route change -inet default dynamic' returned exit code '68', the output was 'route: bad address: dynamic' Dec  5 15:26:07 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:07 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:07 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:07 pfsense php: : ERROR!  PPTP enabled but could not resolve the $pptpdtarget Dec  5 15:26:07 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:08 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW .... Dec  5 15:26:15 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:15 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:16 pfsense kernel: arpresolve: can't allocate llinfo for XXX.XXX.WAN.GW Dec  5 15:26:44 pfsense dhclient: FAIL Dec  5 15:26:47 pfsense dhclient: ARPSEND Dec  5 15:26:49 pfsense dhclient: ARPCHECK Dec  5 15:26:49 pfsense dhclient: BOUND Dec  5 15:26:49 pfsense dhclient: Starting add_new_address() Dec  5 15:26:49 pfsense dhclient: ifconfig em0 inet XXX.XXX.WAN.IP netmask 255.255.192.0 broadcast 255.255.255.255 Dec  5 15:26:49 pfsense dhclient: New IP Address (em0): XXX.XXX.WAN.IP Dec  5 15:26:49 pfsense dhclient: New Subnet Mask (em0): 255.255.192.0 Dec  5 15:26:49 pfsense dhclient: New Broadcast Address (em0): 255.255.255.255 Dec  5 15:26:49 pfsense dhclient: New Routers (em0): XXX.XXX.WAN.GW Dec  5 15:26:49 pfsense dhclient: Adding new routes to interface: em0 Dec  5 15:26:49 pfsense dhclient: /sbin/route add default XXX.XXX.WAN.GW Dec  5 15:26:49 pfsense dhclient: Creating resolv.conf Dec  5 15:26:49 pfsense check_reload_status: rc.newwanip starting em0 Dec  5 15:26:49 pfsense apinger: alarm canceled: WAN_TELENET(8.8.8.8)  *** WAN_TELENETdown ***

I have the same problem, when i write default wan on two of my (cant write default on three lan) three wan it works with failover with thoose two wan i tried to take away default wan but it still remain on one of the wan. How did you write your roul in firewall? Can you post a dump?

i'm not quite sure how to set up rules to route return traffic. You can probably try out using ospf. My experience has been that ospf will change the routing table. This might help, http://forum.pfsense.org/index.php/topic,39328.0.html Let me know if you end up getting it to work with or without ospf. -E

I would go with vlans and not bother with another NIC.

thank's a lot for this constructive reply. I already search for a simple way to do this and don't find it. I hoped that you find a easy trick to do the job but you made it the hard (and the bettest) way ! It seem that it is effectively too hard and too long to port and I will have to use a simplest and less elegant way to do it.

cmb, thanks for checking things, seems i'm not so far off as i thought, LAN rules are supposed to do exactly as you clarified. I always reset states after that sort of changes. I think I figured one thing out, my client got a second router machine (lancom) as secondary gateway via win-dhcp and might have used that most of the time, took it out of the dhcp optins for now. Seems things are working fine now. Sometime you just need somebody more routined to tell you everything is right, that you can start searching elsewhere. thanks again

@michaeljk: Unfortunatly, there is no possibility to get something faster to communicate with the internet. I configured both 3 MBit WAN's with Load-Balancing which worked really fine, but unfortunately there are some services where we cannot use it (e.g. online banking and ICQ-Connection, because the IP can change on every connection). I think the answer to this is to route all outbound https traffic and/or ICQ traffic through one of your gateways. In the Firewall Rules for LAN there are advanced options below; I think one is called gateways; and you can select a particular gateway to match the rule. Then any traffic matching https would go through the same gateway everytime, even if its busy; but its a lot better than getting signed out of banking sites.