Hello. Mr. Perry. Thank you once again for your kind respond. OK as you said tonight i will follow your advice. But tell you honestly when ever i try to put DNS(My ISP DNS) Ip As a monitor ip. I saw its Delay time much more than Default Getaway(Modem) Ip. Thats why I select Modem Getway ip as a monitor ip. But i will try to check this as you said. Thank you very much. God bless

Hello, Have you solved your problem because I have the same switch ? Best regards.

Hi, Thanks for the reply. The pfsense box are dual core and 2 GB memory. Maybe I try again my config. I think the issue are related on DNS part. Thanks for the reply.

If you have proper port forwards setup on all WANs, they all work independently of one another.

@seanbdesign: Hi Perry, Thank you for the fast response, my datacenter said to use Layer 3 routing, they routed the subnet to me.  They told me I will be the gateway meaning I could specify the gateway in the subnet I want to use.  I don't see anyway in pfSense to do that. Thanks, ~ Sean Your 'gateway' would be the LAN address.  i.e. the servers in the subnet behind the pfsense will have the pfsense LAN address set as their gateway.

If their concern is only QoS, Siproxy and PPTP, you can notify the Voip company that your pfsense box will do all that and do a darn better job than DD-WRT on the 54GL. I started off on this hobby with HyperWRT & DD-WRT on a WRT54GS (8% faster processor, double the ram & flash of 54GL) to begin with so I should know. Make overtures to them and see if they're willing to accept that and clone the HFSC curves (if any; most just set a flat service curve) onto the pfsense box instead.  Makes things simpler to a certain extent anyway.

sir do mind if i get a screenshot of ur config,i follow this set up but still my fail over is not working but my load balance is ok

Go virtual and set the scenario in ESXi…. Then use fault tolerance to enable heartbeat between the PFSense box'es. Thereby you wont need 3 external IP's provided by your ISP. CARP on the PFSense needs 3 external IP's to start with. By std. it cannot operate with only one external IP address.

Ah, well then that is a little different. You should have mentioned that up front. I believe there are some other examples of configuring what you're after with DHCP on the forum here. I don't recall the specifics, but it wasn't an ideal situation.

No. You would need to have both WANs connected to both units for failover to work in that way.

Anything show up in the system logs around the time of the failure? What does Status > Load Balancer show? You might also give a 2.0 snapshot a try, you can upgrade in-place. Be sure to make backups first, of course.

Do not reply to your own topic just to get it put back at the top.  If someone can help you, they will.  Jimp's answer is about as definitive as its going to get for now.

Also your default allow rule at the top is going to work before any of the other 3 rules are hit, so they are superfluous.  Remember that pfSense works on first match wins.  Kill the rest of those firewall rules and on the default LAN allow rule change the gateway to reference your load balance rule.  Keep in mind that certain protocols do not play nicely with load balancing (SSL, SSH, RDP) so your clients using HTTPS will have issues.  Create a failover load balancing scenario (see the documentation) and create a firewall rule above your default allow rule with source any, destination any, destination port TCP 443 and use your failover pool as the gateway.  You can repeat this scenario so that WAN1 fails to WAN2 and WAN2 fails to WAN3.  Similarly, you can do this same thing for SSH or RDP if those are needed by your clients.

jimp, just wanted to let you know,the two rule example you provided for blocking all outbound port 25 traffic,other than the actual mail server did the trick. we are no longer getting black listed on spamhaus. i am still running virus stuff on all the workstations,and as stated before,i do not see anything obvious in the states,as one source to many destinations connections. i even tried doing tcpdumps and watching and can not track down A pc,in particular, Thanks again for the help! Take Care, Barry

The way I do it is to have an alias with ports 22,80,443,1935,6667 For that port alias create a rule using the default gateway below that, change the default rule to use wan2 gateway So no need to specify an lan ip. IMO if the above it's good enough then change the network to. wan –---          ---- lan             pfSense wan2 ----          ---- lan2

You should be able to create an OpenVPN interface based off the OVPN client connection.  Add that connection to your loadbalance pool and assign the metric accordingly. However, you must realise that the additional connection is still limited by your WAN2 speeds (the WAN3, so to speak, still rides over WAN2's link).

Sorry for the late reply, been on holiday. :) My hardware is a Atom N270 with 256Mb RAM, 2 RT GbE nics (http://tinyurl.com/3aclpoe) and a Intel Pro 100S, using the CF card slot to boot from, although, I'm not using the embedded version.

can someone lend a hand, its kinda important