• 0 Votes
    1 Posts
    973 Views
    No one has replied
  • Load balance nit-picks (post-success questions)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    I have noted a high ping ms there - this is due to a bit of load. It can be as low as 20-30 and still 'fail' with a 'correct' config. Each GW is fed into a switch then to the pfSense box - no more than 3 feet total distance from each other, tested with a different switch and routers - and will sit at this figure under load. Pinging 74.125.230.100 (google svr) via a PC routed through the pfSense box will result in an 18ms ping. Pinging the same IP via pfSense diags also results in an 18ms ping. Rather oddly, pinging a GW via the diags results in a 0.5ms ping - so why in the 70's range with the LB tool? More 'oddly': as I type this, I tried half/half. First 5 having unique external IPs to ping. The first, being the pfSense gateway, 200, is now responding with a 20ms ping. The following 3 are 100% loss. The fifth 100% loss but 217ms ping. Last four 'live' as still pointing to themselves. Changing the pfSense GW to another IP makes the first in the list go offline - with 19ms ping. Some randomness, with some changing state with no correlation to ping ms.
  • 0 Votes
    5 Posts
    2k Views
    R
    @Metu69salemi: okay.. What you want to allow is something that you need to decide. But for now I assume that you want to allow anything. You may want to create a network alias to help out with this rule (Firewall: Alias). Go to your LAN rule tab (Firewall: Rules: Lan) and create a rule: Action: Pass; Interface: Lan; Protocol: any; Source: any; Destination: your newly created alias; Destination port range: any; Description: write a descriptive name. All the advanced features aren't needed currently, if you don't need any scheduling, or a different gateway, etc.
    Nope, nothing advanced, I just basically want the firewall to be absolutely transparent for everything on the LAN/WLAN side and to only really be active between the WAN and the LAN/WLAN. Does that make any sense? I'm running pfSense 2.0 now, if that makes any difference. So what exactly does a Firewall Alias do and why would I want to use it in this case? I'm just trying to understand the concepts that I'm using so I will be able to do this on my own next time. -RS
  • Route 2 Lans

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    D
    Hi, this is a simplified diagram. Bridge 172.16.0.3 is far, far away from pfSense (it's a PtP link with 172.16.0.2) [image: net.PNG]
  • HTTPS TIMING OUT

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    pttP
    Or, if you have problems with "sticky connections", you can create a Failover GW group and use "policy routing" to direct all "problematic" traffic to that group. I think this approach is better than having all "problematic" traffic routed to one GW.
  • Static Routing / Bridging

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to use pfSense w/ Layer 3 switch running 5 VLAN / Subnets.

    Locked
    2
    0 Votes
    2 Posts
    6k Views
    A
    VLAN 101: Switches, Firewalls Huh Network: 10.10.1.0 /24 Switch IP: 10.10.1.1
    1. Assume your pfSense has WAN IP x.x.x.b/zz, the WAN gateway is x.x.x.a/24 and the LAN IP is 10.10.1.10.
    2. Connect LAN into an access port that belongs to VLAN101; make sure it is not a trunk port.
    3. Create another gateway having IP 10.10.1.1, named LANGW.
    4. Create a static route of 10.10.2.0 /24 using gateway LANGW, i.e. for all of your VLANs.
    5. Open Firewall NAT, click Manual Outbound NAT rule generation and SAVE.
    6. After generating the automatic rule, add a similar rule for all VLAN networks.
    Hope you will get internet from LAN. Let me know.
  • Gateway Weights?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    Looks like it.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Inbound Load Balance

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Cross Vlan - LAN Traffic

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    M
    Yes, it is sometimes hard to remember ingress+top-to-down
  • Pfsense VLAN and Multi WAN

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    E
    Hi. Have you resolved this problem? I have the same configuration and it doesn't work.
  • Multi wan and static routes

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    THANKS FOR THE HELP I GOT IT WORKING!!!!
  • Dual WAN & Dual LAN with 3 ports

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    P
    I'm still a bit confused. I took the network example from the 1.2 docs and adjusted it a bit. The red box is my small business server, it does smtp, remote web workplace and outlook web access. The blue box is what I would like to use the connection #1 which is the faster connection. I think I can figure out that much between the 1.2 and 2.0 docs. My question is, what goes in the green circle? Just a regular unmanaged switch and then I add another firewall before the dmz zone? The second image is what I was thinking originally. Would this setup work? I'm not even worried about failover or load balancing right now, I just need to get this DMZ sorted. [image: dmz.jpg] [image: dmz1.jpg]
  • Alias in routes?

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    M
    If you have a subnet of 192.168.1.1/24, then the gateway must be inside of that area: 192.168.1.1 and 192.168.1.254. But if you mean that you could use a different WAN gateway to the internet, then yes.
  • No DHCP problem

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    P
    I already enabled it before.
  • Possible to have more than 2 IP's on single physical WAN int?

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    M
    If you have only one gateway, then it can be done by manual outbound NAT (Firewall: NAT)
  • Scheduling uTorrent traffic on certain WAN links at different times

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    A
    You're putting the cart before the horse buddy. Did you even figure out how to force bittorrent onto a specific WAN before tackling the schedule?
  • Assign specific WAN based on L7 rule.

    Locked
    17
    0 Votes
    17 Posts
    5k Views
    A
    @Cino: Emarl would be the guru if it's possible. Thinking a code change would be needed to allow a feature like this. Do you have access to all the clients running bit-torrent software? You could set static ports then create an alias to direct all that traffic thru the gw you want. That's what I did for my network.
    Well, that's what I'm doing now. I basically put the before-last rule to be that ALL traffic of the bittorrent machine (192.168.0.10) be NATed to the DSL connection. Above that rule, I put that port 80,80,443 (and a few other ports) from 192.168.0.10 be sent to the cable connection. So far it works ok, but the problem is that the trackers running on HTTP will be contacted by my cable connection. So getting incoming connections on my DSL for bittorrent is a bit slow, as the DHT and peer-sharing functions need to kick in for my DSL connection to be known to the other peers. But it works nonetheless and maybe I'll leave it like that, since I don't want to take the chance that L7 layer filtering (if I'd get it to work) would fail one day and reship everything to the cable connection, costing me a pretty penny in overages.
  • PfSense working 99.999% fine

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.