• 0 Votes
    8 Posts
    923 Views
    JeGr
    @moo82 said in During transition of default gateway, pfsense is irresponsive for various seconds: In any event, the J1900 CPU doesn't appear to support AES-NI, so you need to look into a replacement router or CPU upgrade before upgrading to pfsense 2.5. It will possibly be released at some point this year? That requirement has already been discussed and lifted for 2.5, as it will most likely not be getting the REST API. But again, it wouldn't hurt to upgrade before stepping up to 2.5 either ;)
  • set reply-to on rules for an interface group

    0 Votes
    3 Posts
    1k Views
    S
    thanks for your help. actually, in my case, the easier way is to let pfsense create automagic associated rules. i was hoping to separate and delegate the nat rules to other people while managing the firewall rules, which is why i wanted this feature. that's a no-go until/unless i create a rules generator. let's turn it into a nice feature request ;) there is no reason why pf would not be able to store the router's mac and incoming interface and reply-to accordingly ^^ ( i used this setup on some hacked config some years ago with a single interface but multiple gateways, which was very convenient. i recollect an ipfw+ipf based setup on bsd 7 and i actually thought it would be built in to pf ) see you around
  • Different pfSense interfaces for Wifi subnets (Unifi AP AC Lite)

    0 Votes
    4 Posts
    1k Views
    P
    OK, fixed it. All working perfectly now! I had forgotten to include OPT2 in the DNS Resolver's LAN interfaces. That's why clients on OPT2 couldn't reach the web: they couldn't resolve sites.
  • Minimizing data use on failover gateway

    0 Votes
    3 Posts
    728 Views
    Derelict
    There will always be traffic from gateway monitoring (two pings per second by default) unless it is disabled. If it is disabled you will have to do without knowing if that gateway is up or down.
  • Routing to the host of pfsense

    0 Votes
    1 Posts
    285 Views
    No one has replied
  • Single WAN + Multi LAN

    0 Votes
    4 Posts
    642 Views
    chpalmer
    What are your LAN subnets? Does your WAN have a public address or is it behind another router?
  • /20 subnet mask

    0 Votes
    3 Posts
    516 Views
    J
    @johnpoz thanks for the reply. i didn’t really think i could but was confused/intrigued. i appreciate the clear answer
  • 0 Votes
    1 Posts
    225 Views
    No one has replied
  • 0 Votes
    1 Posts
    374 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    S
    @SergeCaron This is the result of a configuration error. Mine, of course! The "Disable Gateway Monitoring Action" option was checked on the Tier 1 Gateway on Box #1. Clearing this option, everything is working as expected on both boxes. Regards,
  • Separating VoIP and Data on separate WANs

    Moved
    0 Votes
    3 Posts
    181 Views
    E
    Thanks!!
  • pfsense redirect sites through different links

    0 Votes
    5 Posts
    418 Views
    M
    @Bruno27live said in pfsense redirect sites through different links: could anyone teach me how I can target sites by the desired link? ex: link1 = all sites - not youtube; link2 = balancing with link1, all sites - not youtube; link3 = youtube only. I really need to know how to do this, I do not understand much about nat. The youtube site is just an example and I also intend to use it in aliases for more than one site.

    If you are able to match the traffic in a reliable way, then it's just about setting a specified gateway (link3) for this traffic. For some multiple-connection protocols like passive FTP, or external services using some content delivery system, it may be hard or impossible to do without some application detection layer in between.

    Put link1 and link2 in load balance mode, and remove the link3 gateway from this load balance group if it's in there. Let's say link3's gateway is called link3GW.

    Let's say the service in question, named 'ex1', uses TCP at ex1a.example.com:8855, ex1b.example.com:8855, and ex1c.example.com. Your entire local network is on the LAN port. You could then make a port alias for 8855 named 'ex1_ports', and an IP alias named 'ex1_sites' listing ex1a.example.com, ex1b.example.com, and ex1c.example.com. On the LAN tab, above where this traffic is allowed out now, you set up: Pass, type TCP, source: *, destination: ex1_sites, destination port: ex1_ports. In the advanced section, you go to Gateway and set this to link3GW. This rule will then show an icon in the rules list to let you know you set an advanced option.

    Let's say the next service in question is named 'ex2' and uses UDP at *:8080-8099. Make a port alias for 8080-8099 named 'ex2_ports', and on the LAN tab, below the ex1 rule, you add: Pass, type UDP, source: *, destination: *, destination port: ex2_ports. In the advanced section, you go to Gateway and set this to link3GW. This rule will then show an icon in the rules list to let you know you set an advanced option.

    If a single computer or set of computers in your LAN use some service on random sites at TCP:443 which should use link3GW, then you make an alias for these computers (ex3_lan_servers) and set them as a source alias, with the rest of the setup the same as before. All other eventual HTTPS traffic from these computers would then also use link3GW unless you use another rule to match some of that traffic to the load balanced GW.

    If the external service is an FTP server then you would make an alias for the host(s) and just not set a destination port. The random-port data connection would then also be matched to link3GW. We use the FTP_Client_Proxy for this, and I think it may work if it doesn't add its rules to the top of the ruleset, above your redirect rules (I think the default is to add to the bottom).

    If there aren't any identifying characteristics of the source or destination you won't be able to match the traffic, and can't set a specified gateway. There must be some identifying feature to divert the traffic this way.
  • Error in detecting WAN public IP in Dual WAN setup

    dual wan dynamic dns
    0 Votes
    1 Posts
    586 Views
    No one has replied
  • 0 Votes
    2 Posts
    908 Views
    S
    @SergeCaron (Sheepish grin) I figured out the "cannot uninstall cleanly" caution in Patch Manager. I installed the patch and Patch Manager happily reports it can be uninstalled cleanly. Unfortunately, I can no longer reproduce the disappearing Gateway issue: even if I force a complete disconnect of Tier 1, the Gateway Group does not switch to Tier 2. So, I will close this issue for now.
  • Subnet routing within the same LAN

    0 Votes
    12 Posts
    1k Views
    johnpoz
    You can tag all you want - doesn't mean anything if your switch doesn't support vlans
  • Multi-Wan routing issue to standby WAN address

    multi-wan routing asymmetric
    0 Votes
    3 Posts
    920 Views
    S
    @jimp Thank you! Works perfectly as you described. Regards,
  • Increase "Member Down" time

    0 Votes
    4 Posts
    622 Views
    jimp
    @Syrio-Forel said in Increase "Member Down" time: Under Routing -> Advanced -> Weight, is 1 the highest priority, or is say 3 higher than 1?

    Weight only matters with Multi-WAN and load balancing gateway groups (all gateways on the same tier), and higher weights receive more traffic. The weights set up a ratio. For example, if you have one gateway set to 1, and the other set to 3, then the gateway set to 3 will receive 3/4 of the traffic, and the remaining 1/4 will go to the weight of 1.

    Which is the option to try pinging for 30 seconds instead of 10 before marking the interface as down?

    Read the entire Additional Information section under the advanced options for the gateway. It explains everything.

    Is there a way to tell / display an alert when an interface is down in the dashboard?

    The gateways widget.
  • 2 Networks, 2 Gateways, same Router. Routing Question

    0 Votes
    20 Posts
    2k Views
    L
    @LeiShen said in 2 Networks, 2 Gateways, same Router. Routing Question: -A POSTROUTING -o eth0 -j MASQUERADE Well, it looks like that was the problem. I don't know why it was in there. I don't know what taking it out might break, but now I can get to 3.x devices from the 2.x network! I'll have to look through my notes to see why it was put in there to begin with... Cheers!
  • 4G Setup

    0 Votes
    5 Posts
    1k Views
    A
    @Syrio-Forel What I did was use the router I am using as a WiFi Access Point (pfSense is not suitable for this due to poor WiFi support in FreeBSD), running OpenWRT, and plug my phone into that. I then set up one of the switch ports as a vlan and bridge usb0 to that port, plugging that port into its own port on my pfSense box, where it's set up as a DHCP Client. It then allows me to add that interface to the gateway group, and I monitor Google DNS 8.8.8.8 to detect if the gateway is up or down. OpenWRT seems to handle usb0 going up and down without any issues, although it can take pfSense a while to pick up DHCP again if it does.
  • Need help choosing which vpn platform to use, ipsec/l2tp or openvpn

    0 Votes
    17 Posts
    2k Views
    johnpoz
    Just because you have a hub, ie your HQ, doesn't mean your remotes (spokes) need to talk to each other through it, or even have to be allowed.. You don't need to set up site2site if all you want is remote to log into HQ, but if you want to be able to get to the spokes from HQ it's much easier to set up site2site. etc..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.