@Syrio-Forel said in Increase "Member Down" time:

Under Routing -> Advanced -> Weight is 1 the highest priority or is say 3 higher than 1 ?

Weight only matters with Multi-WAN and load balancing gateway groups (all gateways on the same tier), and higher weights receive more traffic. The weights setup a ratio. For example, if you have one gateway set to 1, and the other set to 3, then the gateway set to 3 will receive 3/4 of the traffic, and the remaining 1/4 will go to the weight of 1.

Which is the option to trying pinging for 30 seconds instead of 10 before marking interface as down ?

Read the entire Additional Information section under the advanced options for the gateway. It explains everything.

Is there a way to tell / display an alert when an interface is down in the dashboard ?

The gateways widget.

@LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question:

-A POSTROUTING -o eth0 -j MASQUERADE

Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network!

I'll have to look through my notes to see why it was put in there to begin with...

Cheers!

@Syrio-Forel

What I did was use the router I am using as a WiFi Access Point (pfSense is not suitable for this due to poor WiFi support in FreeBSD) running OpenWRT and plug my phone into that.

I then setup one of the switch ports as a vlan and bridge usb0 to that port, plugging that port into its own on my pfSense box where its setup as DHCP Client.

It then allows me to add that interface to the gateway group and I monitor Google DNS 8.8.8.8 to detect if the gateway is up or down.

OpenWRT seems to handle USB0 going up and down without any issues, although it can take pfSense a while to pickup DHCP again if it does.

Just because you have a hub, ie your HQ doesn't mean your remote (spokes) need to talk to each other through it, or even have to be allowed..

You don't need to setup site2site if all you want is remote to log into HQ, but if you want to be able to get to the spokes from hq its much easier to setup site2site. etc..

Looks like i'd have to root the Google Wifi's to do that. I might give it a shot and see how it goes.

also if you want to segregate the wireless users, you will need a WAP which supports VLAN-based SSID's as well.

Have you restarted the browsers? Already opened connections are not blocked when adding a block rule.
You may also kill the states on pfSense.

Static routes on the SG-1100 are only needed if the downstream routers do not do outbound NAT / masquerading on the upstream interface.

To add static routes go to System > Routing > Gateways and add a new gateway:
interface: LAN
Gateway: 192.168.5.10 (RT-68U)
enter a proper name
Also add the ERX IP as gateway to OPT1 interface.

Then switch to the "Static Routes" tab and add a route:
Destination network: 192.168.1.0/24
At Gateway select the RT-68U GW

Add additional static routes for all the networks behind the ERX with Gateway: ERX GW

My first suggestion would be to upgrade to 2.4.4-p2, but I don't think that alone would solve your problem.

I would set this up with a default gateway group using the 1Gbit gateway as tier 1 and the 10Mbit gateway as tier 2. This would ensure new connections use the prioritized 1Gbit gateway if it's up.

As pfSense is stateful it won't drop connections unless it has to, so existing connections won't jump over to the faster line as soon as it's back up by default.
If this is your wish, you should enable the setting on System->Advanced->Networking named Reset all states I guess. I have never tried that setting myself.

**Reset All States** Reset all states if WAN IP Address changes This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address.

You should look at System->Routing->Gateways to see if the default gateway does switch back to tier 1 when the 1Gbit gateway comes back up.

@jimp
Thank you for your reply. You are correct, I didn't enable that because of the documentation warns about doing so on LAN interfaces.
In my case, this interface gives me access to some LAN subnets so I was counting on static routes. It didn't really cross my mind to add an upstream gateway as a potential WAN interface. I confirm your solution resolved the issue.

I really appreciate the work you guys put in this software and the time you take to answer questions in the forum. Thumbs up!

How are the two networks connected now? You can't send traffic through a gateway in another subnet like that. You need some kind of transit network. For example, if it's a dedicated circuit, you'd have that plugged into an additional NIC (or VLAN) on both pfSense firewalls, and then you'd have some other unrelated subnet to talk between them there. Then you use the address in that subnet as a gateway to reach the other.

If you have your LANs plugged together so they're all in the same Layer 2/flat network that is going to be a huge mess.

In Gateway, I created two connections in Gatewey Groups. I created a MultiWan group for two wan. I installed Tier 1 triggers, put Packet loss or High latency, Default gateway v4 set MultiWan in rules - lan / rule set my MultiWan. In General Setup registered dns on both wan. But does not work with pfsens ping ip, dns do not respond,
On the local computer, too, dns does not ping and ip, for example, 8.8.8.8 does not respond. I put in default getawey v4 instead of Multiwan for example wan2 everything works, you switch to multiwan by default it works but on WAN2 everything remains exactly in parentheses default, you reboot again the same fake.

The problem I'm hoping to solve is that my cell phones can't automatically discover devices that are on a different subnet. For instance, my NAS or my PC. With LAN and WIFI on different subnets, I have to manually enter IP addresses into Android apps to get them to work across subnets. Even with interface rules being wide open and no Windows/etc firewall in between. So I was hoping there was a way to get LAN and WIFI on the same subnet, yet keep the IP addresses distinct by using pools of 100-199 and 200-254. But that being impossible, the real end goal is to configure my network so that my phone can automatically discover the wired devices on the different subnet.

But it occurs to me now that that might be a limitation of Android, not of my pfSense configuration.

It depends on what the application is using for discovery. If the application is using broadcasts for discovery, then the issue you're having is happening by design and is due to a network standard, not an Android limitation or firewall rules.

In order for a device to access a different network, it has to pass through a router and routers drop all broadcast traffic by default.

So I was hoping there was a way to get LAN and WIFI on the same subnet, yet keep the IP addresses distinct by using pools of 100-199 and 200-254.

Unfortunately, there's no simple way to satisfy that request as written with standard gear due to multiple protocol standards. You can absolutely have your WiFi on the same subnet as your LAN and configure two different DHCP scopes, but the 2nd scope will just sit there unused until the first scope fills up. There's no way to force your WiFi clients to grab IP's from the 2nd scope in that scenario.

But that being impossible, the real end goal is to configure my network so that my phone can automatically discover the wired devices on the different subnet.>

If the application uses broadcasts for discovery, there's no way for a device to automatically discover other devices across subnets due to broadcast traffic being dropped by the router. So, you either have to enter IP's manually or hope that the application developer included a way to specify networks to include during discovery.

Your only other recourse would be DHCP reservations or configuring your wireless clients statically. Both of which would be a management nightmare.

If the main priority is keeping the functionality of apps that leverage broadcasts for discovery, then you may end up having to live with all clients mixed in on the same subnet and DHCP scope. It can make auditing and tracking things down a little more difficult, but it's not completely horrible.

Having said all of that, are there some things that can be implemented that may work in theory that involve a more advanced design and adding enterprise gear? Sure, but my guess is that spending a bunch of money on enterprise gear and added infrastructure is probably out of scope for this thread.

Derelict already explained this with his pic, but I'll add some specifics.

"System -> Routing -> Static Routes" should have a static route for all networks behind the Nexus with a gateway of 10.0.0.1 (Looks like this is done) "System -> Routing -> Gateways" should have an entry on OPT1 with a Gateway of 10.0.0.1 (Looks like this is done) Assuming you've enabled routing on the Nexus, remove the VLAN2 you created, re-configure e1/49 as a routed port then give it an IP of 10.0.0.1/30 Configure a default route (not a default-gateway) on your Nexus with the next hop of 10.0.0.2

That's it. I'm running this exact same setup at home. Just to reiterate what's on pic, all hosts behind the Nexus need to be using the IP configured on the SVI of each VLAN as their default gateway in order for the routing to work. You will also need to add helper addresses to each VLAN interface in order to provide DHCP behind the Nexus.