@rubber_duck13

What @johnpoz says is correct, as usual. I did have to get some mimo antennas to make it actually work. The antenna ports were non standard and need some adapters.

@viragomann

ok thanks....

@johnpoz thank for the reply. No I have a Raspberry Pi running as a NAS separate from the firewall on our lan. I am also running development mode. There is only pFsense firewall packages on the Netgate. Yes I was sure I saw 445 natted it is gone now. I will check again and get a screenshot of it. I set the DNS back to local 127 loopback first.

@viragomann Thanks for this.
I have already ordered the switches to set this up.

I made a bit more testing on this though and I have found the following:

If I have VDSL and 5G on different Tiers in the Gateway groups all works well.

If I switch them to the same tier then things start to collapse - I can't even ping other devices that are connected physically to the same switch.
Restarting, unplugging the 5G modem sometimes fixes it but I need to have them on separate tiers to get a stable connection.

Does the above behavior still point to the ARP issue?

If you want to buy aws without your free credit card on amazon then i suggest you to try real credit card generator.

@mcmurphy said in WAN changeover:

Is it possible to make Port2 (new ISP) the default WAN port

Yes. Configure the WAN2 interface accordingly with static or automatic IP settings. If static don't forget to set the upstream gateway.

To set the new WAN as default go to System > Routing > Gateways > Default gateway and switch to the new gateway.

and have pfSense use Port1 (old ISP) if Port2 fails to work?

For failover you have to add a gatway group.
System > Routing > Gateway Groups
Set WAN2 as "Tier 1" and WAN1 as "Tier 2" and set a name for the gateway group.
Then set the gw group as default gateway instead of WAN2 gw.

@steveits exactly - I think this is more just a routed public IP network?

https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

@stinkfly123 said in Dual WAN - Speed Test Different over WiFi than Ethernet:

@kevindd992002 thank you
I am using ookla speedtest (pretty standard)
yes connected to WiFi via AC (laptop web browser and iPhone App)
Local file transfer speeds are almost wire rate (900+ Mbps) on 1Gb links
Going to do some internal network troubleshooting

Thanks for your feedback, appreciate it

Right. When I say local file transfer though, I was pertaining to local file transfer speeds when using this wifi client. I'm sure that won't reach 900+ Mbps for Wifi so I'm curious as to what speeds your wifi client can reach when doing local file transfer from/to it.

Do you have a public port on the internet?

What services does your pfsense run?

So it was routing those pings to 1.1.1.1 through the wrong GW because of the "dns server" setting on "general setup" for that GW, after changing it to 1.0.0.1, I was able to use the default gateway while doing a ping for that IP from tier 2 GW, as expected.

I've wasted like 5 hours digging in this ...

@tomatonoheta said in Policy based routing disconnect rdp session but icmp is fine:

firewall rule option "state type" to sloppy,

Not a good fix, temp work around until you fix the asymmetrical

Your other thread blocked out the IPs.. Were those public? the private ones, which direction was that in - where is opt1 and lan in your drawing, etc. is FW another pfsense or something else? etc.

@kevindd992002 Traffic from one host ( PC ) to another ( router ) will only flow over one link.

Suggest you look at the LACP documentation:-

https://docs.netgate.com/pfsense/en/latest/interfaces/lagg.html

"Traffic is balanced between all ports on the LAG, however, for communication between two single hosts it will only use one single port at a time because the client will only talk to one MAC address at a time. For multiple connections through multiple devices, this limitation effectively becomes irrelevant. The limitation is also not relevant for failover."

"Using a LAGG does not necessarily guarantee full throughput equal to the sum of all interfaces. In particular, a single flow will not exceed the throughput of a LAGG member interface. Traffic on a LAGG is hashed in such a way that flows between two hosts, such as this firewall and an upstream gateway, would only use a single link since the flow is between a single MAC address on each side.

In networks where many hosts communicate with different MAC addresses, the usage can approach the sum of all interfaces in the LAGG."

Your previous test is irrelevant if you connected the gateway devices directly to the 2.5 and 1 Gbps prots on the client.

@stephenw10
Many thanks for the explanation Steve. I can’t tell you how relieved to hear that. I expect that this issue is covered in the pfS document somewhere, but I don’t recall seeing it.
Bruce.

@stephenw10

It does seem to work, something else was getting in the way.

I was doing my initial testing with ssh port 22, when that is set to WANGroup (instead of wan1,wan2,etc) it seems to want to go to the ssh server on the router.

Instead tested it with something else (that pfSense wouldn't have its own port listening) and that works okay.

This is on 2.5.x, it does not work on 2.4.x.

@t__2 said in Multi WAN Failover - DNS Queries and Open States Causing Traffic to Failover WAN:

Looking at this in more depth today. I turned on logging for that floating rule and then filtered the logs with the source IP of the Netgear modem. So what it looks like is happening is the Netgear modem is sending UDP packets to seemingly random IP's on port 53 (DNS) out our main WAN! I have no idea why that would even happen. Anyway I looked at the IP's and used whois to find out where they are going. Most of them are going to IP's owned by Microsoft. Some to Amazon. Others to other large US companies and others to foreign companies.
I also disabled the floating rule and did a packet capture on the higher traffic that happens. I can see it still doing DNS queries at large companies.

I recently hit the same issue on a brand new MR5200. putting on my tinfoil hat here, it's probably some tracking code in the firmware, what for or why, is anyone else's guess.

https://community.netgear.com/t5/Mobile-Routers-Hotspots-Modems/Netgear-Nighthawk-M5-MR5200-WAN-issue/m-p/2175323/highlight/true#M20286