@GruensFroeschli:

The openVPN Server "should" listen on all interfaces.

What exactly do you mean with you couldnt connect with openVPN?
Do you mean you could establish the connection, but couldnt access anything?

I suppose you use policy routing and failover/balancing pools.
@http://forum.pfsense.org/index.php/topic:

If you are using MultiWAN and your local LAN should be able to connect to the clients connecting to your network:
you need to have a rule above your default rule (which has as gateway the loadbalancer)
with desination your VPN-subnet and as gateway the default gateway (displayed as *) NOT the loadbalancer.

the Ovpn listen on all interface, but when the default gateway goes down we cannot connect to the server :(
i need to setup a static rule for my home IP to route the traffic

yes you do need to use the public ip you got - you do not need any extra ip addresses. you are probably confusing the load balancer with CARP/failover.

the function of the loadbalancer is to decide where to send an incoming connection. it doesnt need extra ip addresses for that.

I am familiar with newsgroups, it is based on multiple connections.  In fact it is one of the criteria one uses when searching for a newsgroup server (one with the right amount of 'connections').  I think GoldServe has the right idea.

With 10 connections I get 1.6-1.7mB/s on a 15mbit connection.  Use that as a guide when purchasing, maybe go for 15.  If you are getting troubles I recommend you take off sticky connection and don't use SSL in your client.

This way you disable all firewalling as well. If you want to keep firewalling but shut down nat just go to firewall>nat, outbound nat. Then enable advanced outbound nat, save. Delete the autocreated nat items at the bottom of the page, save and apply. Now you have firewalling capabilities without any nat at all. Btw, pfSense is routing between all directly connected interfaces by default. For remote subnets you can add gateways at system>static routes.

I believe I got it!
Thanks for the great advice.

@jmischel:

Is there a HOW TO on switching kernels?  If not, maybe a hint on where to get a little more info?

I a little hesitant to change things, as it appears to be working.  Even though those CPU spikes are a little bit of a concern.  And I'm really not excited about having to reconfigure everything.  Can I change kernels without having to reconfigure my pfSense settings?

Yes you can.

The new trafficshaper eri is working on in 1.3 will be superior as it will feature multiinterface shaping as well as shaping inside ipsec tunnels and maybe even other neat stuff. However to come back to your original question (failover from one wan to another when a wan fails) the answer is yes, you can do that. Create gatewaypools for this and set them to "failover" instead of "loadbalancing". This will take care of the traffic that references this pool in the firewallrules and send it out to the first available gateway in the pool. So your onw pool will have "WAN, OPTWAN" as gateways whereas the second pool will have "OPTWAN, WAN". Then just change your firewallrules to use these pools and you are done.

@quentusrex:

Let's say I have my domain pointing to one of my static ip's, and I want to use the other 6 for actually streaming the video. How would I effectively balance the incoming connections for the video over the other 6 connections from the first connection?

Code your website to retrieve videos from different server each time a user clicks on the link.  There is nothing on pfsense that will help you with that.

mr-s

Thanks again Sai

My current DSL modems will run in bridge mode but
only if the something else handle the pppoe login info
If the modem handles the pppoe connection then it stays unchangeable at 192.168.2.1

Now because I can only have the option of one pppoe connection in pf
I am sorta stuck in this situation

So I have just ordered two new DLS modems that are also routers
but can run as bridges while managing the pppoe connection too

This should resolve the configuration limitations with my current dsl modems
In case anyone is wondering my searching indicates that the

THOMSON SPEEDTOUCH 516 ADSL2+ EXT ETHERNET MODEM/ROUTER
is one of the best out there for the price plus there also is modified firmware available for it
many claim modest to 30% in increased throughput speeds over the standard bell modems
cost was 60$ each Canadian

I will post updated info when I have a chance to configure it all

Thanks again
MD

One needs to enable manual NAT rules and then remove the NAT mapping. You want a straight through router. Not a NAT router.

I am not load balancing the incoming connections. I have 100mbit downstream whatever I do. The only aspect of my connection I can manipulate is the upstream. I'm only here for the upload. ;D

EDIT:
I forgot about "my progress".
When I used only dynamic ips the NAT freaked on me and refused to forward port 80 to my webserver. After some more searching on this forum and coming a cross an experienced of pfSense on an IRC-network I learned I need one (1) static IP. I'm attaching the network layout below.

layoutV3.gif
layoutV3.gif_thumb

Why is this post read so much but not a single thought! Shall I assume that I am the only one with this issue? I think not… I do find this amusing! Please tell me my options! A Cisco 3600 should resolve most of my issues! Just run out and buy the proper equipment and another open source fan bites the dust!

I see others posting in other sections about this issue and still no clarity! Even if you approach the companies that say they can support this product they decline! Because the problems are to complex or I am not in America for what ever reason! I am getting very disappointed!

Even if I try the out of the can approach this product has issues… and with the simplest of problems one can receive NO clarity!
This is getting very sad! My only true solution is www.usedrouters.com and off the shelf approach! So I must keep the open source project for the lab in my office!

It is such a great product with some quarks that could be overcome... so sad that resolving issues is so complex!

Hi…

Just a quick update on this... I managed to do it with bridging another interface with my LAN interface and setting R-STP on switches...

At first it was not working, because you indeed have to add pf rules also to bridged interface, to allow traffic, which makes no sense networking wise, but, nevermind, it works at the end.

The problem arised with VLAN-s. No way to make it work. Not with bridged interface, then I created VLAN with same id on bridged interface, still nothing, then I bridged VLAN-s with same ID on both interfaces together, nothing...

So I gave up for now...

/jan

Thanks a lot dotdash! I doubled checked all the steps, and now it works perfect! This is my 4th pfsense deployment, and i think that I'm going to replace all of my customers linux based firewalls, because i think that pfsense deserve. cya

There is no firm ETA on 1.3. There was once a package someone had made to send email alerts floating around, but the download link is long dead. If you can hack around, you might be able to rig up a script- you would need to install a mail agent of some sort, as I don't think there is one in the base system.

Hi,
I studied a bit the patch and it seems to add sticky-address to the nat rules. But since I am not using a nat pool, it shouldn't do any difference.
How do I check is I reach limits? BTW I don't think this is the cause, because we have only 5 clients connecting to the interent. I tried setting up a quick'n dirty box with openbsd, and the stickies work flawlessly with 2 wans.
Regards
Rodolfo

*  LAN net   *    WAN2 net       *    WAN1FailsToWAN2   Make sure wan2 traffic goes to wan2     
*  LAN net   * nnn.nnn.nnn.n33 *    WAN2FailsToWAN1   Make sure WAN1 traffic goes to WAN1

I usually do routing like this using static routes, not firewall rules.

As long as the WAN gateway does not show up in the arp tables, you are not getting a physical connection and the WAN will not work. From your description, it looks like a hardware problem - maybe IRQ related. Try turning off anything not needed by pfsense in the bios. this can be audio, floppy ….if that does not help then upgrade bios.

similar problem discussed here: http://forum.pfsense.org/index.php/topic,6204.0.html