I think it was just an old state from before you started to configure everything. When changing firewallrules it sometimes is needed to reset states at diagnostics>states, reset states. For example if your last firewallrule (send lan traffic to optwan gateway) was present before you set up the upper rule and there already have been states initiated through that last rule only new states will match the new rule. The old states need to be closed first or time out.

You'll have to create the duplicate rules but there is something that makes copying them a bit easier. Let's say you have set them up all at LAN, hit the +-icon next to a rule, which will give you a copy of that rule. Simply change the interface in that rule from lan to lan2 and the copy of that rule will appear on the lan2 tab, unless you want to manually copy, paste, replace sections in the config.xml (which might be even faster with lots of rules).

I've remove the proxy server, and now get the full bandwith, but for this I have to setup the pfsense box as deafult gateway on LAN PCs, and thats not possible for my network structure, I still not have time to setup a new pfsense based proxy server.

ISP(ADSL 4MBPS)–----------(WAN1)-+------------+         
                                                    |  PFSENSE  |------------(LAN PCs def. gateway PFsense)---
ISP(ADSL 4MBPS)------------(WAN2)-+------------+

It will be ideal that Pfsense proxy package could support multiwan, and don't have to put any other box between LAN and PFsense.

VPN-failover is not supported currently. All you could do is script some shell magic and cron these scripts. For the multiple IP part on one of the WANs this is doable. Just create virtual IPs and use them as 1:1 nat or as combination of portforward/advanced outbound NAT.

This is currently not supported.

or "policy based routing"

doh, light bulb moment!  If all of my traffic is coming from a proxy server then I effectively have one client!  I'd enabled sticky connections the other day as well with the thought that I wouldn't have to create the rules for various protocols any longer.

thanks for another mind to bounce things off of  :)

-andy

Yes but it will share the connections evenly between the WANs. You should be able to add some simple weighting by entering the gateways multiple times to the pools. I think someone reported that this should work.

For edting files just use the built in diagnostics>edit file from the webgui on embeddeds. It will mount the filesystem writable, make the change and make it read only again.

I have a similar problem using loadbalancing.

I added the rules as stated:
AIR1 (AIR2 & AIR3 has the same rules)
Proto  Src          Port    Dest            Port    Gw          Schedule  Description
*        AIR1 net    *        LAN net        *      *
*        AIR1 net    *        AIR1 address  *      *
*        AIR1 net    *        *                  *      WAN2

Execept for the last one I used my lanloadbalance GW.
I can now ping the lan and AIR1 as well as resolve the dns but AIR1 cannot access the internet.

The lan has always worked with balancing and failover.

Well, in this case i checked typing "nslookup" from a Windows 2003 std ed. server and a Windows 2003 web ed. server with pfsense configured as gateway and primary dns.

I suppose that a previous additional install and removal of the "Dns Package" made some mess with the current Pfsense install. :(

So the dns forwarder was not able to run properly…

I reinstalled everything and remade the configuration: without static routes and of course without installing any additional component, but with the appropriate outbound nat rules.

Now it's working great, it's secure, and handling thousands of connections easily. ;D :-* :D
Since wednesday i've placed it in production without any other trouble.

Now it's time for me to go to a dual pfsense cluster solution and i think i will achieve this goal very soon. :P

I can now say that PFSENSE is a real good alternative to brand solutions and with the proper time (about 12 hours for me) needed to learn how to apply for it, i saved something like a couple thousand EURO.

The only thing that's not working is ftp service on second wan. I hope you'll find how to fix it in the next release… ???

Would like to say Thanks to sai for his assistance and to all developers that made this good job.

Greetings from Italy

Angelo

Thanks for the reply.  I managed to get everything working, although it would have been easier had I been able to see that m0n0 document.  I don't know why I'm unable to view it from here.

@hoba:

For simple loadbalancing you don't need advanced outbound nat. pfSense will nat on any interface that has a gateway set by default. If you want to use advanced outbound nat you have to setup your rules correct to make it work with multiwan as we only generate rules for lan to wan when enabling it by default.

I understand the problem now! Its working now with round robin, will test it later on with failover! Your help is apreciated! Thanks!

All services running at the pfSense itself (like imspector) will always use the main wan only. They are not (yet) multiwan capable. Something to keep in mind when using packages that interfere with traffic  ;)

VIPs

Please search the forum. GruensFroeschli posted alot about this.

Fair enough.

Thanks a lot hoba, your knowledge is much appreciated.

See http://www.freebsd.org/cgi/man.cgi?query=vlan&sektion=4&apropos=0&manpath=FreeBSD+6.2-RELEASE

Yes, for single downlads/sessions to make use of the multiwan you will need a downloadmanager. I use https://addons.mozilla.org/de/firefox/addon/201 which makes perfect use of multiwan. Packetbased loadbalancing would not work anyway without the opposite end of the connection being able to handle this (hopping between IPs). This is not possible.

I would use private IP addresses in LAN and let the firewall NAT automatically.

then use policy based routing to send traffic to correct ISP.

if you have the following rule it it will send all traffic out to WAN2
firewall Rule: Interface LAN:  source IP:  *  Desrt IP: * Dest port: *    gateway: WAN2

so just make some rules above it to send traffic to WAN1 and you are done.

if your LAN computers are accessed from outside then you need to setup NAT rules also,