@marcosm said in Failback state killing with "Automatic" failover?: When you use an IP for gateway monitoring, a route is created for it via the gateway. Got it. I switched the secondary monitoring address to 9.9.9.9 since I don't use Quad9 for DNS resolution. The extra states on the secondary, while the primary is up, disappeared. Thanks! [24.03-RELEASE][admin@pfSense.home.arpa]/root: pfctl -i igc1.95 -s state igc1.95 icmp 192.168.95.2:24256 -> 9.9.9.9:24256 0:0

@not-a-bot2024 Why do you bother with the ISP DNS if it doesn't work reliably? The DNS Resolver on pfSense requests the DNS root servers directly, unless you're using the forwarding mode.

@johnpoz Thank you!

@Stee7ic So you have double NAT situation at all your sites? As in Public IP -> Modem -> 192.168.100.1 -> pfsense -> LAN IP So I'm assuming when you say pfsense is 10.120.10.254, that is the LAN IP? It shouldn't matter what the pfsense WAN IP happens to be, which would be unique for each site as well (at least the public IP). I'm assuming with double NAT that the modems are set up to do port forward of ports 500, 4500 or whatever you use for IPSec?

@samweli https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html https://docs.netgate.com/pfsense/en/latest/routing/gateway-groups.html

@byusinger84 But the fact that pfsense may not like have multiple WANs going to the same gateway shouldn't have anything to do with the ISP not seeing the individual MACs. How do you connect the ports towards the ISP? I just placed a managed switch in between but I suppose any dumb switch would do. Which in fact is what the other thread had... And in both cases all the IP's are DHCP, although mine never change and my ISP needed to register the MACs...

@chpalmer said in Multiple WAN with Static IPs DHCP assigned from ISP: This would only be true if they were trying to utilize multiWAN failover or load balancing.. 1:1 NAT should work fine, which I believe is the intent here. Ok, so then there are no other steps necessary than getting things upgraded to 10Gig...

@viragomann thank you ... greatly appreciated! The initial configuration will be basic. Simple failover and no policy routing.

@mdonner Perhaps some pictures of your setup might help, from the Routing / Gateways and Gateway Groups pages. Pfsense isn't really involved in traffic between devices on your LAN, so it's really strange that you would see this happening?! Apparently you are able to access pfsense UI from a client, so do you have internet access when on the failover connection? And do the servers have internet access? Are you using VLAN's to separate your servers from your clients??

@kashs said in Added second WAN but no traffic: Correct. I had to remove the bridge mode and set it to DHCP in the TOM box. Ok got it.. WAN2_5G is setup as static IP 172.16.1.2. No way to avoid double NAT but so far no issues. For simplicity, and for further testing, I'd keep pfsense as DHCP. It really doesn't matter what IP it gets from the TMO box, and you have already created a static entry in the box based on pfsense MAC. Here is what the traceroute shows: [image: 1723672417183-7dda35d3-ecc7-4425-95f1-6c69b2e1f76a-image.png] None of these are my static IP or the ISP Gateway IP. When you log into the TMO box, you should be able to see the settings there, for "internet". So you would see what IP and Gateway it has received from TMO. Also, entry no 5 seems to start with 72.xx which is the same as the static IP you have been given by TMO? The static IP is correctly assigned to the WAN2_5G interface, but the WAN2_5G_GW does not get an IP. If I set it manually to the ISP GW IP, no traffice and Offline status. When I tried the static IP in the GW, it shows it as Online, but no traffic. What Inseego router is it that you have? I did some googling and found someone having similar problems on an FX2000and all that was required would be the following. Unplug everything on LAN side of Inseego and reboot it Set pfsense WAN2_5G back to dhcp Connect to the Inseego https://www.reddit.com/r/tmobileisp/comments/11x7mgy/how_fx2000_in_bridge_mode_with_5g_business/

@viragomann said in Multi ISP without failover: pfSense routes incoming traffic just to the destination IP. If the packet is destined to a LAN2 IP it will be routed to it, no matter if both LANs are defined on the same NIC or on different ones, and no matter, on which WAN NIC the packet as entered. Ah, now I understand. Thanks :)

@viragomann It’s a Cisco Meraki the router Site A! But, i’m thinking now: The traffic should be routed to 192.168.100.222, not for the gateway 192.168.100.1 (this is the router with the VPN tunnel). In the 100.1 router have static routes for route the traffic specified throught the 100.222 Is it the same solution (change phase 2 to 0.0.0.0/24)??? Thanks again

Another thing worth mentioning is that I've tested with an old Cisco RV320 router this same setup and it worked without any issues. The only things I did on that RV320 were configure the WAN with the same parameters as the pfSense, a static route and a resolver for the FQDN of the PBX server. Hope someone can give me a hint.