that did the job....thanks

did just that, and it works fine.

@Derelict said in how to assign 2 IP from one subnet for 2 WAN interfaces:

Ask them for another subnet on your second WAN

Switched to dot1q mode and setup as shown below. got internet connectivity on all clients. On the unifi side of the trunk, all the vlans are tagged ( 99 for management and 1001 - 1005). And yet, the connection seems to be bouncing around the different vlans as before. See the screenshot where the mac address of the SG-3100 is shown on the home network? In a few seconds it will rotate to another of the vlans. Not sure why this is happening ... I am hoping folks here who have setup the same trunk with a unifi switch can explain this or help solve it.

Screenshot 2019-07-07 21.45.58.png

Screenshot 2019-07-07 21.46.15.png

Screenshot 2019-07-07 21.47.19.png

Screenshot 2019-07-07 21.48.33.png

@johnpoz The only load is a Nest security camera uploading at 1.5Mbits/sec. And I have nearly the same same set up at another location on Comcast with no latency problems.

I have swapped out the modem (twice) in order to get its report of signal levels closer to what the ISP technician reads on her meter. She has visited twice, verified my cable and checked connections at the pole.

The network engineer would like to think the problem is in my router.

How would I know if pfsense is disconnecting?

@timboau-0

Did you ever figure this out? I am having a very similar issue (PFsense is picking up a non-static IP via PPPoE with the modem in bridge / pass-through mode). I have been given no gateway either.

By adding a static IP did you change PF's WAN to static and then entered your static ISP IP? Or a virtual IP?

@clarifix

It turns out this worked because the old firewall is on an ESXI with 2 virtual ethernet interfaces assigned to the same physical card.
So... this turns out to be an ESXI trick and not a firewall trick.
However, since this is done in software, I am still wondering if it can be done on pfSense.

@JeGr Thank you sir I'll also try this out

A workaround could be to put a small/cheap router between one of your WANs and pfSense, aka double NAT.
As long as pfSense sees only unique Subnets you are fine.

-Rico

Hi,
I found the mistake, it was a miss configured tunnel, i had LAN net as source, changed it to 10.30.0.0/16 and now its working.

Thanks for spendig time.

Cheers

Wolfgang

You're welcome :)

@ajmaltms said in Dual ISP Speedbooster:

same gateway monitor ip...

won't work either as the GW monitor IPs are host based routes out to the corresponding interface. Configuring it twice will try to route it to both WANs and confuse routing. Just use e.g. 1.1.1.1 on one and 1.0.0.1 on the other.

Just started getting this error again. Any thoughts on cause / how to address?

It would make sense in something like a colo or metro-e environment. Or anywhere where RFC1918 is the exception not the rule. Which should be everywhere, actually.

routerA and routerB is activated dhcp server.

That's error prone. Don't use DHCP to assign IPs for a WAN-type interface if you can avoid it. Use static IPs that are not in use by the IP Pool of net A or net B and aren't in use.
Also those two interfaces need the gateways router A/B.

You should have used WAN for VLAN100 on em0 and WAN2 for VLAN200 on em0. Defining WAN without anything may result in errors as it is the default internal WAN IF.

Port forward WAN connections like this:

Destination: 38.yyy.XXX.240 port 443 Target IP 192.168.xxx.22 port 443
Destination: 38.yyy.XXX.240 port 49700 NAT Target IP 192.168.xxx.22 port 49700
Destination: 38.yyy.XXX.241 port 443 Target IP 192.168.xxx.21 port 443
Destination: 38.yyy.XXX.241 port 49500 Target IP 192.168.xxx.21 port 49500
Destination: 38.yyy.XXX.242 port 443 Target IP 192.168.xxx.20 port 443
Destination: 38.yyy.XXX.242 port 49000 Target IP 192.168.xxx.20 port 49000

Update: it got much better when I replaced the Fritz!box 7582 with a Zyxel XMG3927 this morning. Tests still in progress, but in this case it seems pfSense was not the issue at all.

[2.4.4-RELEASE][admin@pf.insign]/root: ping -c 10 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: icmp_seq=0 ttl=60 time=4.159 ms 64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=3.865 ms 64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=4.053 ms 64 bytes from 1.1.1.1: icmp_seq=3 ttl=60 time=4.342 ms 64 bytes from 1.1.1.1: icmp_seq=4 ttl=60 time=3.719 ms 64 bytes from 1.1.1.1: icmp_seq=5 ttl=60 time=3.745 ms 64 bytes from 1.1.1.1: icmp_seq=6 ttl=60 time=3.957 ms 64 bytes from 1.1.1.1: icmp_seq=7 ttl=60 time=3.731 ms 64 bytes from 1.1.1.1: icmp_seq=8 ttl=60 time=3.973 ms 64 bytes from 1.1.1.1: icmp_seq=9 ttl=60 time=4.102 ms --- 1.1.1.1 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 3.719/3.965/4.342/0.195 ms

(until now it was around 60-100ms for any external IP).

It's not simple. It's asymmetric. It breaks TCP through stateful firewalls as you have found out.

I can't make anything out of that "diagram". I'll need more detail. Like interface addresses, subnets, etc.