Just connect a client behind the pfSense and access the internet. If you've set up your pools and rules using the pools correctly, you will see the traffic balanced on both WANs.

@GruensFroeschli: I doubt that the problem lies with the DNS forwarder itself. The DNS forwarder just forwards DNS requests to the DNS-server you configured. What DNS-server did you configure for the pfSense? Did you check the box "Allow DNS server list to be overridden by DHCP/PPP on WAN". Yes, DNS forwarder is just forwarding DNS requests but like I've mentioned previously something weird is happening. I've already tried a number of DNS servers already i.e. ISP's DNS, OpenDNS, Google's DNS, the result is the same, also unchecking/checking "Allow DNS server list to be overridden by DHCP/PPP on WAN" did not help.

@iclebyte: bump - 75 views and no comments? A lot there to digest.  :)  Network design over forum doesn't tend to get a lot of responses as it's a lot to go through, especially in a network that complex. Everything you've listed looks to be feasible. Shaping in a network that complex will be difficult or impossible pre-2.0, though this may be reasonable to deploy on 2.0 in the near future. Lots of things involved there, more than you'll probably find detailed help with gratis. Some time with one of us could go a long way to help with the deployment (see link for support in my signature).

Just don't check the "Disable FIB updates" box on the Global Settings tab.

Exactly. I just got a response from a list from a friend who has configured this before so I will work with his settings and if that works I will post the information back here for anyone else that has this situation in the future.

If you do not want the DNS to be overridden in that way, go to System > General and uncheck the box for allow DNS override. Then the servers you put in that page manually will be respected.

The issue turned out to be "Block private networks" must be disabled. As far as I can tell, this can only be done on the WAN port so I had to reconfigure how the firewall was being set up, but now it works.

At last I did it! I used another switch, with the same configuration, so I tagged on each vlan the port to which the pfsense box is connected, and untagged each port belonging to each vlan, and it works. So I guess it could have been not only a misconfiguration problem, but a switch one. Thanks a lot for the help.

Scenario 1 would work. If all three lines are connected to pfSense, you can make firewall rules to match the traffic you want, and direct them to the appropriate Load Balance Pool, Failover Pool, or directly to a given gateway. Scenario 2 could work, but would not be ideal. The LAN side of the load balancer and the WAN side of pfSense can be in the same subnet, yet, but the LAN side could not be unless you bridge it to WAN, which would make some features unusable.

Just wanted to let you know that now my Things sync and also the Apple Remote App for iPhone work again with the pfSense beta1 build from 05/04/10…

Just add the faster link to the load balancer pool multiple times, roughly equivalent to the bandwidth ratio. If WAN is T1 (1.5) and OPT1 is 3, you probably just need a 1:2 ratio, so just put opt1 and its monitor IP into the pool twice. In pfSense 2.0 you can weight the gateways appropriately to get the same effect.

Hi, Just got it to work, added a static route for the pbx, changed the siproxd to use the opt1 interface for outbound traffic and changed the firewall rules so sip traffic is allowed :) Pritty easy actually

Did some  forum searching, seems like I should have that rule? Firewall: Rules: Lan = Default Lan >any Maybe the Gateway should be "Loadbalance" instead of "Default"? I see a lot of errors in firewall log, not sure what they are. But Loadbalance seems to be working. [image: 12.png] [image: 12.png_thumb]

The shaping might work on WAN, but not on OPT WAN, and your total download speed would be limited to the bandwidth given for WAN. I've heard of people doing shaping that way with a shaper box behind an LB box, but you should have NAT completely disabled on the shaper box. How well it works, I'm not sure.

You can also look at things like Pound reverse proxy. For pretty cheap, you can use pound on a low-end (like old deskpro en) pc and direct traffic from pfsense to the reverse proxy. The reverse proxy forwards to your internal IPs based on domain name, so you can use one public IP to many internal IPs. Do a web search; Pound is not the only reverse proxy available–-squid works, too.

I'm not sure I understand your statement about the 2 network drops in the same vlan /30.  are you refering to the WAN network /30? If your ISP is providing switched infrastructure (VLAN) for your WAN, you'll need them to give you more than a /30 for CARP.  CARP will have an IP overhead with at least one unique IP address per device that plans on sharing the VIP.  You'll need to have at least a /29.  You'll also have to make sure they are not using packet filters or other firewall between your two VLAN access ports, if your interfaces lose communication across their switch, CARP will not work. Your subject line mentions BGP, are you planning on running BGP between the PFSense and your ISP? About your interface shutdown, you may have to manually disable one of the ports initially while the first port is configured and WAN established.  It could probably be configured as the CARP interface and you can add your second interface to the group whenever you are ready.  If you establish the seocnd interface without switching connectivity or before WAN is ready, you may run into problems because both interfaces will think they are "Master" interfaces.  I'm not sure if that answers your question.  Please elaborate. Although I have not done a setup like yours, I can probably suggest that you could set up NAT after you re-IP to the new IP range, as long as the ISP is willing to maintain routes to your gateway for both old and new prefixes while in transition. Hope this helps –Ja

Gordon, Thanks again, As you stated.I did not have my LB Pool set up correctly, I went through the 1.2.3 LB setup again. Now I had the LB,,name,,, as an option for gateway. It appears now both nics are sending/receiving about the same amount of data!,,,,yyyeaaahhh! Going to pfsense ip.php the ip address changes as it should! Now,,I can not get a ping response from any of my created VIP's/Typep-ARP to forward ports for internal mail server to public. That'll be a post to VIP section forum Getting closer! Regards, Barry

No, you cannot use them both directly if they have the same IP address. Your ISP can't change that at all? It's really crazy that they are forcing you to use their device for NAT. That also means you could never accept any incoming traffic unless they added port forwards on your behalf.