When a link goes down, traffic will still go out over the link that is up.

A static route is automatically installed for the monitor IP. So the pings will go out the correct interface.

Too tired to explain :) But it's how I do it.

HTPC_Rules.JPG
HTPC_Rules.JPG_thumb
opendns.JPG
opendns.JPG_thumb
StaticRoutes.JPG
StaticRoutes.JPG_thumb

yes it is supported. each firewall rule can have a gateway specified.

In order to use trafic shapping you would have to place the proxy in between the pf1 and the pf2. I would use ubuntu server with latest squid.

SP1 –-- WAN1 ----
                          |                Ubuntu Server
                          |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                          |     
                          |
ISP2 ---- WAN2 ----

I recommend always using the WAN interface as the interface containing the system's default gateway. That may mean you'll have to shift things around and put the WAN on your LAN, but that's the way to do it. There are areas of the code that can break your gateway when you rely on defining it in this manner. Just move WAN to where your default gateway is.

This is semi-related to this issue, added a link here so we'll look into this as well when we're looking into that one.
http://cvstrac.pfsense.org/tktview?tn=1726,33

There is a feature request open on it. Doesn't mean it'll ever be implemented, but it is something we would like to have. No work being done on it at this time.

Feel free to start a bounty if you would like to contribute towards this development (if someone agrees to do it).

Because when you direct traffic to a failover pool, it bypasses the normal routing table. Thus the traffic destined for the FTP helper will get shot out to the balancer pool and won't reach loopback.

I'm not really sure what I did wrong, but decided to start again from a virgin install.  Now it seems to work OK.  I must have fat fingered something non-obvious the first time 'round.  I'm using this version:

1.2.1-TESTING-SNAPSHOT
built on Sat Jul 19 07:13:48 EDT 2008

Best,

@oracleofmacon:

I also have written a rule concerning the WAN interface to pass any to any with any protocol. This should open me up.

You probably don't want to do that. You only need rules on the WAN tab for services on the LAN, etc that you want to be open to the Internet. Say a web server. If you create a port-forward, these will be auto-created.

As for LAN working and not the OPT interfaces- check your NAT, Outbound. If you have enabled AON, you need to copy the auto-created rule, changing the subnet to the subnet of the OPT interface.
The firewall rules on your OPT interfaces should be similar to the default LAN rule, but with OPT1 subnet instead of LAN subnet, etc.

http://pfsense.trendchiller.com/transparent_firewall.pdf  might help

It is connected to the 2nd DSL modem and I'm using a straight cable for this, same with my other pfSense boxes. It is the same cable I used for the 2nd pfSense box that serves as our manual failover (I know it's an ugly backup)

i solved my problem putting a router befor my wan2 nic.
the problem seems policy based routing and the routing table

even if i have a rule in my lan tab on the firewall,
Proto  Source  Port  Destination  Port  Gateway
*        Notranji  *      *              *    x.x.x.161      (Notranji is an alias for all my servers internal ips)

all the traffic that should go to isp2 is not routed by this policy but according to the routing table,
here is mine before putting the router inforont of WAN2 nic

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default                    x.x.x.161    UGS        0      165    vr0
x.x/16                link#1            UC          0        0    rl0        <–here all my trafic is routed to the WAN2 gateway but according to my LAN rule it
x.x.0.1        00:90:1a:a0:14:01  UHLW        1    1533    rl0    121                                        should go to WAN1 gateway
localhost          localhost          UH          0        0    lo0
192.168.0          link#2            UC          0        0    re0
192.168.0.3        00:01:6c:af:04:ed  UHLW        1      508    re0  1162
192.168.0.21      00:17:08:37:a1:f3  UHLW        1    23638    re0  1176
192.168.0.26      00:19:db:c8:68:a9  UHLW        1    7108    re0  1123
192.168.0.27      00:18:8b:7e:e7:a3  UHLW        1    10306    re0  1199
192.168.0.31      00:19:db:d5:aa:15  UHLW        1  375631    re0    898
192.168.0.40      00:1d:92:01:f4:f7  UHLW        1    2617    re0    932
192.168.0.52      00:01:6c:3c:fd:12  UHLW        1      803    re0  1176
192.168.0.86      00:0f:fe:3f:02:5c  UHLW        1    7580    re0    955
192.168.0.90      00:13:d3:d6:55:bb  UHLW        1    19875    re0  1195
192.168.1          link#3            UC          0        0    re1
192.168.1.3        00:14:2a:2b:0b:cb  UHLW        1    4439    re1    949
192.168.1.5        00:11:5b:ef:6e:6f  UHLW        1    9650    re1    969
192.168.1.132      00:12:a9:56:1a:76  UHLW        1    3830    re1  1134
192.168.1.137      00:13:e8:75:3c:79  UHLW        1    6254    re1  1196
192.168.1.148      00:16:ce:20:10:44  UHLW        1    24456    re1  1101
192.168.1.150      00:18:de:0f:9c:1c  UHLW        1      542    re1  1119
x.x.x.160/27              link#4            UC          0        0    vr0
x.x.x.161                  link#4            UHLW        2    2923    vr0
x.x.x.162                      x.x.x.162    UH          0        0  carp0
x.x.x.163                      x.x.x.163    UH          0        0  carp1
x.x.x.164                      x.x.x.164    UH          0        0  carp2
x.x.x.165                      x.x.x.165    UH          0        0  carp3

is there another way to solve this,
coz I'm planing to have some more IPs from the other isp?
thanks

please check this thread out
http://forum.pfsense.org/index.php/topic,10069.0.html

ermal, I'm confused. What information do you need that is not in the thread? I think we've been really descriptive.

@GruensFroeschli:

Can you show a screenshot of your OPT-setup-page?

What you describe is what happens if you dont set the gateway on this page.
Are your gateways all in the same subnet?

I am not sure why, but I just decided to re-install onto the hard drive and try from scratch.  Now things are working as expected.  Gremlins?  I am testing it now.

Best,

Yes it's possible.
You should start by reading the stickies and the docs.

http://forum.pfsense.org/index.php/topic,7001.0.html

Hi there,

Thanks for informing us of this issue. We're currently investigating the
situation and the issue should be resolved shortly. Thank you for your
patience and I apologize for any inconvenience.

Regards,

Mydhili
The YouTube Team

+1 for Google if they fix this one.  Although -1 for me and my employees in lost productivity time spent watching youtubes  :D