Thank you so much :D

@derelict said in Load Balancing Problem:

Load balancing works best when lots of states are being distributed between the various WAN interfaces.

Okay, thanks for the clearification. As it happens we do have many "small" connections, so pfsense will do its job (7 VOIP Phones, 7 PCs with Mail and Database acces, file transfers). Next step will be traffic shaping... Priority for VOIP ;-)

By the way: Until now I used ipfire. But a single WAN will be to slow and ipfire does only support failover but not Multi WAN.

If you use Routed IPsec (VTI) then you would have an IPsec gateway for each tunnel that you could use with a gateway group. Though because VTI doesn't support reply-to it may not be as ideal as it could be, the return traffic would only take one of the two WAN tunnels.

You can pull it off easier with OpenVPN (tunnel up on each WAN, assign the interfaces, use gateway groups + firewall rules only on the assigned interface tabs)

Probably you're missing the outbound NAT rule for the VLAN you want to direct over the VPN.

To get better help here, you have to provide more details about your setup:

vpn client config interface settings firewall rules outbound NAT rules

Well I can safely say that "It's not pfSense."

hi again and thanks.
i built a trunk port on Cisco then set 3 vlan on pfsense ethernet. 1 managment 2 for wan1 and 2. on the other pfsense ether i just set other 2 vlan for out put to mikrotik. on mikrotik i built 2 vlan on one of the ether.
thanks lot for helping me.

@joshuamichaelsanders said in AWS Load Balancers and AWS:

ancers with pfSense? Can anyone step me toward a b

BUMP. Curious if anyone has used ELB, either classic or the new model, with pfSense.

The PC2 will not be connected to the OpenVPN interface! The outbound NAT rule has to be on the interface where PC2 is connected to.

I dont think it is because of bug as we found no issue in Backup firewall. there must be some malfunction happened while changing the IP of WAN interface... Still searching for the root cause...

Give us an example of traffic that you are trying to pass here, actual source and destination IPs.

It seems likely that the traffic is not hitting the outer firewall at all.

Alternatively the target may not be using that as route back if the source is a public address.

Run packet captures. See what traffic is actually arriving on which interfaces.

Steve

Yes, nothing will change unless you change it. For example:
https://www.netgate.com/docs/pfsense/book/openvpn/openvpn-and-multi-wan.html

Steve

Not without a client side program to manage that.

The existing firewall state(s) will be via the WAN that went down so that needs to timeout and be re-established on the the WAN.

Steve

You have no idea how thankful I am.

This works for me perfectly (https://forum.netgate.com/topic/131412/solved-alternative-to-sticky-connection-option/2)

Thanks.

Ahh, okay.

So one static route in the pfSense:

192.168.0.0/17 via 192.168.120.2

Thanks so much for your help dotdash!

Thanks for that. I will cross post this in VPN. These are all IPSec site to site connections.

You need:

to add this second IP as IP Alias (Firewall/Virtual IPs) to add Outbound NAT rule for this VLAN ("for traffic originating from only one of my VLANS") like
Source: this VLAN net
Destination: Any
Translation Address: this Virtual IP

https://www.netgate.com/docs/pfsense/book/nat/outbound-nat.html?highlight=outbound%20nat