That's not even the way to do failover, you would use Gateway Groups for that. ;) In my understanding, your disabled rule would never be executed (even if it's enabled) as it matches exactly the same pattern as the rule that comes before. When you say "physically disconnect the Fibe cable", do you really mean the fibre cable or actually the cable between the pfSense box and your modem? I could imagine that your global routing configuration is somehow in a way that WAN_DSL_PPPOE kicks in as the default gateway. I maybe wouldn't expect that, but I could imagine, that when you physically remove the network cable (which is not the typical real-world outage scenario) from the pfSense box (so that the network interface changes its whole state to disconnected), that the gateway WAN_FIBRE_PPPOE gets removed from the system in a way that it has the same effect as if it wouldn't exist at all and the then active default gateway (WAN_DSL_PPPOE) is used. Just a theory. ;)

Could you please tell a bit more about your setup how exactly you have configured everything (without too personal information of course ;) )? As you mention xDSL, I assume you are using PPPoE? If this is the case, please consider that the IPs/subnets you configured is only to access the management interface. PPPoE (as the name already says) works on Ethernet level (not IP level) and I'm not sure if this works over the same physical interface (not only in theory but also with real equipment), have never seen that.

@akuma1x That was it!!! Thank you very much for your help and @DaddyGo as well! [image: 1602441753231-laggconfiglacp.jpg]

@shararaus You’d need to create rules based on the ports the applications use then create a firewall rule to push the traffic out the gateway. It’s in the pfSense manual.

Simply plug in the "secondary" router into a LAN port of your existing network. Could be directly on the pfsense box, then you'll need to fire up an additional interface. Or, it can even be on your LAN switch. All you have to do is give the "secondary" router a different subnet than your pfsense LAN network.

@monocleitsolutions FYI - Just to be clear Policy routing has yet to actually work at all.

That can be done with outbound NAT in pfSense. Firewall > NAT > Outbound By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it. Then add a new rule: interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance) source: the clients IP (CIDR) or the clients network destination: the servers IP translation: interface address

And this computer was flooding the network with broadcast? Lets see this broadcast please via a pcap.. So can load it into wireshark. But how would have anything to do with pfsense? Just set a pc to use that IP thernet adapter Ethernet 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2 Physical Address. . . . . . . . . : 00-13-3B-2F-67-62 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 128.0.2.50(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : NetBIOS over Tcpip. . . . . . . . : Enabled No flooding.. Pfsense has no control or say in what a client puts on the network..

@pfrickroll said in Dual WAN Failover doesn't failover back to WAN 1 [Resolved]: It all works now but I have now new problem, IP Phones. I would suggest you start a new thread on this one.

well we solved the problem by this way , first create a script to check if the default route is still exists or no then if does not just add it :) I add a cronjob for this though fixgw.sh : HOSTNAME="$(hostname)" if ! [ $(route -n show 0.0.0.0 | grep gateway | cut -d ":" -f 2 | cut -d " " -f 2) == "10.10.10.1" ]; then route add -net 0.0.0.0/0 10.10.10.1 ; fi [image: 1601930467476-fixgw-pf.png] fixgw.sh.txt

@jonefc said in 3rd and 4th Lan Ports for internet: Any ideas. I think you need to understand first that these are separate interfaces...(OPT1 / OPT2) they do not depend on the LAN,...... just because it has Internet access by default (the LAN) forget your "bridge" idea - you presented above set each interface separately and give them a "default allow rule" as shown on the LAN (copy is good ....because fast) review the DHCP setting and cable connections... say review the DHCP logs and connect your cable to the ports step by step

Good to know, Thanks for the reply!

It has 6 independent ports so you should be fine. Each interface has its own firewall rules (or there can be floating rules). For multi-WAN see https://docs.netgate.com/pfsense/en/latest/multiwan/index.html

Feature request for this: https://redmine.pfsense.org/issues/4881

Looks like the installation was broken. I had some messages of libreadline.so missing or something like that, at first was only php but then I found unbound wasn't starting because of that. Upgraded to 2.4.5 (reinstalled, to be more precise) and not the firewall rules appear to work as expected.