• Routing between multiple interfaces.

    Locked | 0 Votes | 4 Posts | 2k Views
    Sorry for wasting everyone's time. The system has now made a liar out of me. Everything seems to be working as it should today. I haven't changed anything, which has confused me even more, but while it works, I'll go with it.
  • Multi-WAN setup question

    Locked | 0 Votes | 8 Posts | 7k Views
    There was a pledge to program this feature so it would work well. It's obviously very difficult to do, as no open source firewall can support dual WAN with many capacities: it created problems for load balancing, distributed downloading, secure sites blocking the connection when detecting multiple IPs, etc. I believe only some sizable pledge by many people to create a larger project would ever get this done… perhaps as a part of some other larger project, such as OpenVPN or IPTables, would be the way to get this done once and for all...
  • Additional statically-routed WAN subnets from ISP

    Locked | 0 Votes | 3 Posts | 4k Views
    Ok… So with help from a modified bridging script, kindly provided by Darth Android in post http://forum.pfsense.org/index.php/topic,19231.0.html I've finally got a working solution. Step-by-step instructions for those who may need them:
    1. Install pfSense, specifying your IP connection provider's settings (in my case this was a /29 subnet w/ gateway IP).
    2. pfSense: Diagnostics -> Edit File: /usr/local/etc/rc.d/wan_bridge.sh. No point in pressing Load, as the file doesn't exist yet. Files in this location get run after booting, installing the bridge and reloading the configuration each time. Paste in the script at the bottom of this post, changing LOCAL_IFACE to your WAN adaptor and VIRT_IFACE_MAC to something different from your WAN adaptor, and press Save.
    3. pfSense: Diagnostics -> Command: chmod 755 /usr/local/etc/rc.d/wan_bridge.sh. This makes our script file executable.
    4. Reboot.
    5. pfSense: Interfaces -> (assign), press the + in the bottom-right of the screen to show the new adaptor (should be ngeth0).
    6. pfSense: Interfaces -> Optional x. Enter a name, your public IP range settings (in my case a /26 subnet), an IP for the interface in this range, enable and save.
    7. Reboot.
    8. Set up some CARP IPs in the public IP range.
    9. Set up your NATs and rules to use WAN as the incoming interface, and specify CARP IPs in the public range. Manual Outbound NATs can also be set up, using the CARP IPs as the translation IP address, making outbound traffic appear from your public range.
    Script below, thanks again to Darth for the main body of the script. The main modification was the addition of a few lines of PHP at the bottom, which reloads the pfSense settings after setting up the bridge. Use at own risk!!!

    #!/bin/sh
    #A simple virtual interface script - USE AT OWN RISK
    #Creates a virtual interface and bridges it with a physical interface.
    #Author: darthandroid@gmail.com

    #User Variables - Modify these to suit your needs. Both need to be customized for the current system

    #This is the name of the physical interface device. Look it up in `ifconfig' if you don't remember the name from when you configured pfSense
    #"WAN" is most likely NOT correct.
    LOCAL_IFACE="eth0"

    #This is the mac address of the new virtual interface. It should be different from the physical interface
    VIRT_IFACE_MAC="00:00:00:00:00:00"

    #Non-User code
    BRIDGE="bridge0"

    #create the bridge
    ngctl mkpeer ${LOCAL_IFACE}: bridge lower link0 || exit 1
    ngctl name ${LOCAL_IFACE}:lower ${BRIDGE}

    #restore packet flow to the physical interface
    ngctl connect ${BRIDGE}: ${LOCAL_IFACE}: link1 upper

    #create virtual interface
    ngctl mkpeer ${BRIDGE}: eiface link2 ether

    #set virtual mac address and bring the interface up
    ifconfig ngeth0 ether ${VIRT_IFACE_MAC}
    ifconfig ngeth0 up

    #make sure we can read packets from the physical interface directed to the virtual one and
    #that we can write packets out without the virtual mac being overwritten
    ngctl msg ${LOCAL_IFACE}: setautosrc 0
    ngctl msg ${LOCAL_IFACE}: setpromisc 1

    #do some php and reload some stuff
    echo "" | php -a
  • Routing to internal gateway

    Locked | 0 Votes | 5 Posts | 2k Views
    It works! I have to check 'Bypass firewall rules for traffic on the same interface' on System -> Advanced. That means that some rules are missing in the firewall. Using this option they're not needed. Thank you!
  • WAN Bridging firewalling issues…

    Locked | 0 Votes | 1 Posts | 1k Views
    No one has replied
  • My Head is wrecked…need some guidance!

    Locked | 0 Votes | 1 Posts | 1k Views
    No one has replied
  • Multi Internet Connection

    Locked | 0 Votes | 3 Posts | 2k Views
    @blak111: This is possible by using a failover group in the DMZ firewall rules. The hard part will be making sure DNS gets updated if the main connection goes down. You will need to have a dynamic DNS client on the web server or some computer in the DMZ. When the connection switches to the backup connection, clients will still be trying to connect to the primary connection's IP address without dynamic DNS. Thanks for the reply. But can you please tell me the step-by-step method or some URL to solve my project?
  • 0 Votes | 2 Posts | 1k Views
    @hefferbub: I am preparing to add a second internet connection to my site, and am about to replace my M0n0wall software with pfSense, so I can make use of the Multi-WAN capabilities. I'm using V1.2.3 RC1. I know that there is no comprehensive traffic shaping capability that covers both WAN links, but I am wondering if the Traffic Shaping will work correctly on one of the links (I assume the WAN link). Is that the case, or is traffic shaping completely out of the picture? Bump. I'm using 1.2.3-RC3 and would love to use the traffic shaper as well. Any news/insights into when (if at all) traffic shaping will work with load balancing?
  • One WAN ethernet interface and 2 DSL lines

    Locked | 0 Votes | 1 Posts | 1k Views
    No one has replied
  • Multiple Gateways on WAN Link

    Locked | 0 Votes | 4 Posts | 3k Views
    Darth Android
    You can do this with a little bit of netgraph magic. Run the following shell script at boot or shortly thereafter, either from ssh or by adding it to the boot sequence. All changes are reset when the router is rebooted. It will create a virtual interface named ngeth0 and bridge it with the physical WAN that already exists. This interface has its own mac address, ip address, subnet, etc., but the packets sent/received by it still flow through the same physical interface as the WAN. Add a new OPT interface for this virtual interface and configure as needed via pfSense. The virtual interface will behave just as if an extra NIC was added to the machine and this extra NIC, the physical NIC, and the rest of the physical network were connected together with a switch. Note: Running a packet capture on the WAN interface may disrupt the virtual interface. I need to test and see if it properly restores the promisc value for the interface after the packet capture. You will also want to tell pfSense to suppress ARP messages when NICs share the same physical network (under advanced settings I believe). Let me know if there are any syntactical errors or other weird output that I need to fix.

    #!/bin/sh
    #A simple virtual interface script - USE AT OWN RISK
    #Creates a virtual interface and bridges it with a physical interface.
    #Author: darthandroid@gmail.com

    #User Variables - Modify these to suit your needs. Both need to be customized for the current system

    #This is the name of the physical interface device. Look it up in `ifconfig' if you don't remember the name from when you configured pfSense
    #"WAN" is most likely NOT correct.
    LOCAL_IFACE="eth0"

    #This is the mac address of the new virtual interface. It should be different from the physical interface
    VIRT_IFACE_MAC="00:00:00:00:00:00"

    #Non-User code
    BRIDGE="bridge0"

    #create the bridge
    ngctl mkpeer ${LOCAL_IFACE}: bridge lower link0 || exit 1
    ngctl name ${LOCAL_IFACE}:lower ${BRIDGE}

    #restore packet flow to the physical interface
    ngctl connect ${BRIDGE}: ${LOCAL_IFACE}: link1 upper

    #create virtual interface
    ngctl mkpeer ${BRIDGE}: eiface link2 ether

    #set virtual mac address and bring the interface up
    ifconfig ngeth0 ether ${VIRT_IFACE_MAC}
    ifconfig ngeth0 up

    #make sure we can read packets from the physical interface directed to the virtual one and
    #that we can write packets out without the virtual mac being overwritten
    ngctl msg ${LOCAL_IFACE}: setautosrc 0
    ngctl msg ${LOCAL_IFACE}: setpromisc 1
  • Inbound load balancing within same LAN?

    Locked | 0 Votes | 3 Posts | 2k Views
    I can't seem to get Inbound Load Balancing to work at all on 1.2.2. I'm able to get to each server individually, but I can't seem to find a GOOD working document on how to set it up. Can anyone help me with this?
  • Rule based routing

    Locked | 0 Votes | 4 Posts | 2k Views
    Yep, and you can also use failover groups if you want the traffic to go over the other link if one fails.
  • Using HTTP proxy to determine outbound load balancer

    Locked | 0 Votes | 2 Posts | 1k Views
    Just a follow up, I have the following rules that work, but they don't use the Load balancers I've set up. Is there a device path or something similar I could substitute in the rules below? Thanks, Todd

    #Set up our ACL for high throughput sites
    acl high_throughput dstdomain .amazonaws.com .rapidshare.com .apple.com .windowsupdate.com .update.microsoft.com
    #Bind high throughput to the wireless interface
    tcp_outgoing_address 116.90.140.xx high_throughput
    #Set up ACL for DSL always
    acl DSL dstdomain .spidertracks.com
    tcp_outgoing_address 203.114.178.xxx DSL
  • Is this right for Dual-WAN routing specific protocols/subnets?

    Locked | 0 Votes | 3 Posts | 2k Views
    Nevermind, found the outdated PDF, I'll remove it.
  • LoadBalancer Monitor Interfaces not working

    Locked | 0 Votes | 4 Posts | 2k Views
    jimp
    @fvter: It's just weird. I tried using the diagnostic ping and manually pinging the monitor IPs, but it gives me 100% packet loss, so not sure what is going on. Read the note at the bottom of the Diagnostics > Ping page, and be enlightened :)
  • Using subnets with pfSense

    Locked | 0 Votes | 16 Posts | 7k Views
    Yeah, I think a virtual IP on your LAN interface for each subnet would do the job here. You might need to tweak the rules a bit, but I think it should work fine. Like everyone else though I question why you're doing it this way. Without VLANs or separate physical segments it doesn't buy you anything. Either upgrade your switches (or rearrange them so you have a VLAN-capable 'core' and unmanaged edge) or flatten it out since all it does is complicate your setup needlessly.
  • 2 WAN Failover with 2 pfSense CARP

    Locked | 0 Votes | 6 Posts | 2k Views
    Screen dump of setup would be nice…
  • Routing between local subnets (on one interface each)

    Locked | 0 Votes | 3 Posts | 3k Views
    Problem solved! The problem was me, not pfSense, but thank you anyway for your reply ITCoresys. I didn't know or remember that Windows ICMP ping (reply) is deactivated by default on current Windows machines. So there is no "Linux, Unix, … ping" even if you have activated Windows shares on machines A and B and of course opened the corresponding ports in the FW. So there is a "Windows ping" which only works between Windows machines in the same subnet. The "ICMP ping reply" must be manually activated on the Windows machines from which you want to get an answer (for Windows XP and higher, I think). Maybe if you have a WINS server in both subnets which is integrated as DNS server, the ICMP ping (by IP!) may work. I didn't test it, but Windows shares over a router only work when you have such servers in your subnets, as I think from my test. Even connecting to a Windows share by IP (\\%IPAddress%) over the router didn't work! I don't know why, and there are opinions that this should work! Maybe someone can get me some information on that; so for now I think I must have a Windows server (which is resolving "some" requests?) in both subnets to use any type of Windows share over a router. I've tested it with Windows 7 32 (Final) as A and Vista 64 as B, and as I am using a Windows server (as DNS entry only for my clients that are not in the domain) in both subnets there were no problems anymore. What a s***! Maybe it is also helpful to mention that of course I've used IPv4 only. Hopefully this will help someone else with such half-knowledge like me. Thanks to pfSense for such a great product!
  • NAT in dual firewall setup

    Locked | 0 Votes | 2 Posts | 2k Views
    So, from what I've read your problem is that you can't access websites on the network behind your 2nd firewall. If this is the case, this would lead me to the following approaches:
    1. I would make sure that nothing blocks traffic between Network 200.x and 1.x (in this case your 2nd FW).
    2. If you have a Proxy Server on Firewall #1, try using the Upstream Proxy on Firewall #2, giving it the address of the first proxy of course, and then try telling your clients that Firewall #2 is their new Proxy.
    Hope this helped. Regards, Stefan
  • OSPF Setup

    Locked | 0 Votes | 12 Posts | 32k Views
    When using the FreeBSD 8 openospfd 4.3, I found it necessary to symlink a library file to get it to run under the 1.2.3-RC3 9/21/09 build:
    ln -s /lib/libmd.so.4 /lib/libmd.so.5
    And that was the final trick to get openospfd 4.3 to run smoothly without issue. The 4.2 version did indeed cause the "ospfe: unknown error" issue. 4.3 solved it but needed the symlink for the lib file to complete the solution. Now the real fun part begins. Quagga's OSPFD uses Cisco-like "network" statements to match prefixes/inverse masks to determine which interfaces to include in OSPF areas. OpenOSPFd uses a specific interface name declaration in the area statement of ospfd.conf. So, if say an OpenVPN "tun" interface now "appears", it would seem I would have to add "tun" to the area statement in the ospfd.conf file manually, where Quagga's ospfd would include it on the fly as long as it matches a "network" statement with a matching area for that network. Ordinarily, I would use Quagga's OSPF instead since I'm partial to Cisco, but I couldn't get Quagga's OSPFD to update the pfSense kernel routing table. After fussing with it for 2 hours, combing Google to no avail, I fell back and figured out openospfd. Anyone else have this issue?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.