So your internet connection is what exactly 10ge? Multiple gig over a 10ge interface.. Multiple smartjacks... How exactly is this isp connection with multiiple IPs presented to you? Is it a 802.3bz into a switch and you want to run multiple gig interfaces into the same switch on the same L2 to be able to leverage the higher than gig connection?

Unless your bandwidth is higher than what your interface can handle at the physical layer - there is zero reason not to use just a vip or a vlan, etc.

I have 100mbps internet with /24 for ips - why would I need multiple physical interfaces to use all those IPs if I have gig interface?

What does UBNT mean when they say "VLAN aware" mode.

Tag the VLANs on a port on the XG-7100 switch.

Tag the VLANs on a port on the UBNT switch.

Cross-connect them.

@bnelsonjax i'm kind of new to pfsense but you setup a gateway group for your failover right? wan1 tier1 wan2 tier2 then you made a firewall rule for all traffic to that gateway group right?

If so you just make another gateway group but this one is wan1 tier2 wan2 tier2 then when you make the firewall rule you specify the source as the voip device and assign it to the new gateway group you added.

Edit: oh and you put the firewall rule above the old one of course on the list.

To answer my own question, I had to create a Virtual IP (IP Alias) with the single static IP address that the DNS record points to. Then, under VPN -> IPsec -> Mobile Clients -> Edit Phase 1, under 'Interface' the Virtual IP created is given as an option.

I also changed the way the pfSense firewall/router obtains its IP address. The WAN interface now has a static private IP address (192.168.2.1) which is seen by my ISP's gateway device, along with the Virtual IP. (The gateway device is, of course, set properly so that traffic to pfSense isn't filtered or blocked).

So now my IPsec VPN works with one of the static IPs, and traffic from the computers behind pfSense is seen as coming from the DHCP address assigned by my ISP, as I need it to.

I think i solved it .. from what you were saying and the helping and the how the rules go
and then you mentioned thats normal goes to wan and also the vpn that got me thinking i need to block it
it seems to be working i have VPN for my computer and bypass for the xbox and its open.. ill test more tommorow and get back to you but this is what i did seems to do the trick
0_1534551239191_PP2.JPG

@Derelict @jimp thanks for that feedback. I'll will try as you suggest and report back.

I had another conversation with a friend last night and came up with 3 other possible solutions as well.

Ask the ISP for addresses in the same block with the same gateway(preferably in our original address space). I asked this yesterday day and waiting for a response. This is as @Derelict said.

If the above isn't possible, can they tag the new gateway and I could at a vlan sub interface on the wan. Not sure this is possible in pfsense as I haven't had time to investigate.

Add a dumb switch in front of my firewall and split their connection into 2 connections and use another interface on my box for the new gateway and ip's.

While senerio 1 is the most desirable, anyone see problems with 2 or 3?

We've had our public IP for over 10 years and while I could just get a block of them all together we would like to keep our existing.

That being said since our existing is a 173 in a 24 block and the new ones are 208 in a 24 block is oblivious that our ISP is trying to conserve IP's by using 24's and not splitting the blocks up into smaller 28,29 or 30's. Why make 30'and limit the customers they can handle to 64 instead of 254... So I'm thinking or primary IP block is probably full which makes me think I'll be looking to solution 2, 3 or the above as jimp stated.

And the no particular reason we would like to keep our existing IP, other than we've had it a long time...

Do you mean a HA setup with primary/secondary firewalls, or just a dual WAN configuration?
If you mean a dual WAN, your question has two parts-

You could add a rule to policy route 2.2.2.0/24 via the Failover connection gateway. If you have the primary on tier 1, and the secondary on tier 2, it will only use the secondary when the primary is down.
Or I may have misunderstood. Please add more details. Maybe a diagram.

Me and my family are around 6 members with heavy usage. With all their devices connected one of the wans shows 0-3KB/s constantly while only one wan is being used to full. Maybe it's the same gateway issue, I'll try and repost here. As for MLPPP I think they do. Also The videos on youtube show that you can get combined speeds on speedtest and some people I asked say you can and some say you can't, it's conflicted opinions. As for things like steam and IDM that use multi threaded downloads to same server you should get combined speed.

Thank you Steve
I found this Youtube video:
https://www.youtube.com/watch?v=CXFzDfxa0mg
non-English but very good demonstration of the same idea

I already built it all in HW (no VirtualBox) : my home router allows me to set different subnets on each LAN port. So I just built a test pfsense box with 3 interfaces and hooked LAN side to the rest of my home network. That way I got a "Dual-WAN" setup ✌
Everything work fine: I'm able to test Policy routing and manual NAT rules.

0_1534116449641_Dual-WAN simulation.png

Thanks - that makes sense and helps me plan upgrades

I understood. However the recent setup was a static NAT translation to the private IP on the three devices on the LAN with ACL controls. Ideally we'd have a different setup and we'll certainly be changing the network topology (and reconfiguring the affected servers) in the future, but we just needed to quickly replicate the existing router setup to meet immediate needs and address the sanity of the network design as time goes on. The Cisco could not support our new 1G fiber connection and the XG-7100 handles it with ease. Sure, it's not the best setup. But it's working.

why would you want that? What is the win10pc going to do with such traffic? Just to go back out the internet on same interface to get to abc.com?

I would for sure get the details of what device they are going to put in to provide this connectivity... Or its just like wifi router marketing hype... You know the ones that say N300, but only have 10/100 interface..

And your like where exactly does the 300 come in? ;)

Or how they currently add up the 2.4 and 5ghz bands to give you some number like 1200 or 1750.. All marketing nonsense.. No client can use that together so you should clearly label with the 2.4 can do PHY and what the 5 can do PHY..

And if you were going to be really honest - what can the user actually expect in real world speeds because users do not understand what PHY is..

Sure are system can do 1.5 but we only have a 1ge physical interface for you to connect too -- DOH!!!

@viragomann

Thank you!
Oops my bad. I am able to add multiple gateways to the same interface now. Guess I must have made some silly mistake earlier when I tried the same thing and got an error.

I don't understand what you meant by "You will get asymmetric routing issues with that.". But it seems to be working now.

Thank you once again.

Can I use the 2.3 XML config file if I upgrade to 2.4?

dns has nothing to do with ports..

If the server your trying to connect to is using a different port then the correct way would be in your ssh conf for this host..

Even if you were going to do some odd ball vip thing with nat your vip would be on the same network as the interface ie your 192.168.188 or your client would send that to its gateway IP since it would be off network.

The correct solution to your problem is to just use your ssh conf for easy access to servers.. You can put all the info you need right in this file.. Nothing would have to be done on pfsense, and you can take that file with you no matter where you go, etc.

example here is config I put in for a box uc.local.lan

host client
hostname uc.local.lan
IdentitiesOnly yes
user user
IdentityFile /home/username/.ssh/id_ed25519

0_1533825836971_config.png

that is exactly what you are trying to do - and takes all of 30 seconds to setup and cvan put in all the info you would need to make connection simple and easy.

Here this will help
https://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/