Of course you can connect routers that way.
In your scenario it could be much easier with one centralized pfSense and 4 NICs.

Where in your picture is the pfSense and which subnet do you need to figure out?

Yes this should be possible.

Even if your IP is dynamic, the gateway should stay static.

When you create a balancing pool, you enter this static gateway.
Then you use the balancing pool in the firewallrule on the interface you want to balance.

BUT:
The two WAN's have to be in separate subnets
–> not able to have the same gateway on both interfaces.

If you have such a case you need another cheap router in front of one of the two interfaces which NAT's so it seems for pfSense as if you have a different iprange in front of one of the WANs.

When you can ping from 192.168.1.0/24 to 10.0.0.0/24 the the traffic is able to flow into both directions.
Otherwise you'd never get a response to your ping.

Oh, you right. I don't even think about it like this :-)

Do you see anything in the firewall log as blocked?

No, firewall log is empty (not counting some port checking from internet of course).

My current firewall rules for LAN looks like that:

Proto  Source  Port  Destination  Port  Gateway

So it basically should allow for all transmision in both directions.

I've played around with this in meanwhile and after I checked "Bypass firewall rules for traffic on the same interface" in System/Advanced, situation reverses, i.e. now from pfSense LAN (10.0.0.0/24) I can ping 192.168.1.0/24 hosts, but from 192.168.1.0/24 then only 10.0.0.0/24 address I can ping is 10.0.0.1 (pfSense Box). When I try to ping 10.0.0.3 there is no response. Traceroute from 192.168.1.104 to 10.0.0.3 looks like this:

1 192.168.1.1 (192.168.1.0/24 gateway)
2 192.168.1.248 (pfSense alias-type virtual IP for LAN interface )
3 *  * *

and tcpdump running on pfSense box

tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
10:27:51.208662 IP (tos 0x0, ttl 127, id 27839, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.1.104 > 10.0.0.3: ICMP echo request, id 512, seq 47625, length 40
10:27:51.208734 arp who-has 10.0.0.3 tell 10.0.0.1

So transmission reaches pfSense box, but it's not forwarded to 10.0.0.0/24 subnet…

Best Regards,

motzel

Hey guys,

Just wanted to let you know I did end up building a box:

http://forum.pfsense.org/index.php/topic,12270.0.html

and finally got it working:

http://forum.pfsense.org/index.php/topic,12286.0.html

The box is now in production, and replaced the cisco router, sonicwall firewall, and dlink NAT router successfully.  Plain and simply, pfSense rocks!

-Rich

hi, i solved my problem already.
the round robin does work, but when i check on the sticky connection, the round robin will not run, why ? :-\

I suppose I could "fix" this by forcing those protocols over one of our two links.  However, if that link fails, then those protocols will just die instead of failing over to the other WAN link.

You dont have to use a balancing-pool. There are also failover-pools.
Instead of forcing it to one of the links you can create a failover-pool and set the gateway for these protocols to this pool.
The source-IP will only change if your primary link fails.

Because the VoIP gateways are using the VIP of the WAN interface as their default gateways. The VoIP gateways are connected to the same switch as that of WAN interface. When I sniff the traffic, I only find broadcast ARP requests from VoIP gateways for the MAC address of the VIP interface, but the VIP interface does not reply back.

Unfortunately there is no option of setting a static ARP entry in the VoIP gateway, otherwise I could have tried that.

This should work.

Search the forum for VIP (virtual IP)

Try 1.2.1 it does not have the slbd problems with multi-wan and should behave better.

Not sure i know what you mean.
1. Don't enable sticky connection
2. On sites like http://ipnr.dk/ your ip should change every time you refresh.
3. For faster download you will need a download manager like https://addons.mozilla.org/da/firefox/addon/201
3. Maybe http://speedtest.net/ will show the combined speed

have a question here, as i also having same problem problem.
but my DNS server is set insid my local LAN
but the pfsense can resolve mine domain name if i browse to my domain name from outside i cannot found my website.
Including received mail from other mail server, its seem cannot find the domain.

this is my configure diagram

LAN -> PROXY + DNS + EMAIL -> Pfsense -> WAN 1 Public IP
                                                            WAN 2 Public IP

anyone can help on this?
thanks in advance

I have used it for internal server pool balancing and failover. For anything other than the most simple applications I've found it sorely lacking. For connection balancing it definitely makes sense, but for server balancing it's really hard to beat something like haproxy. In my environment I control all configuration with puppet, and being able to quickly/easily push changes to my lb config and ensure the state is a big plus as well.

In the past I have set pfs to failover external connections. This worked well but proved problematic to get working right. Ultimately we wound up upgrading to a newer version of pfs and simultaneously switching upstream providers. Never was sure which part made the difference but after that event it worked flawlessly. To be fair the new providers also were vastly improved and the number of events requiring a failover action were practically nonexistent.

The best is to test.  ;D

So I did the test this morning using virtual machines.  1 pfsense with two WANs, one pfsense as each Wan router, my PC as client, and two linux virtual machines as web servers, one in each DMZ of the multiwan pfsense. All networks being isolated via virtual network groups. NAT disabled on every box.

Result : It works. Like dotDash said, nothing to do. Routed trafic that comes in through one interface goes back through the same interface. Magic !

FreeBSD (and pfsense of course) is definitively awsome. When you think to what has to be done to achieve the same goal on linux….you laugth...and then you cry...

Have a look here:

http://forum.pfsense.org/index.php/topic,7808.0.html

To start with, you could add an ip adresse on top of the default rule using the 2nd gateway.