• Dual Wan routing from the LAN

    2
    0 Votes
    2 Posts
    436 Views
    A
    OK, I think I may have fixed it myself. I've just tried adding two firewall rules for outbound LAN traffic to the specific IPs and it appears to be working.
  • Active Directory authentication server over IPSEC tunnel

    5
    0 Votes
    5 Posts
    3k Views
    J
    Good morning, I had just the same problem! I solved it using the following guide: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN Cheers, JBR
  • Static routing not being used

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    When an interface has a gateway set on it it is considered to be a WAN. That means that all connections (states) coming into that interface get reply-to back to that gateway. It also means that all outbound connections get route-to to that gateway. What you need to do is place a floating rule on WAN outbound for the networks on the other side of the IPsec gateway with no gateway set. Any inbound rules on pfSense WAN should use the advanced option to disable reply-to. Not setting a gateway on the WAN interface would also be an option. That should work until Multi-WAN interfaces are involved. In that case you need reply-to and route-to to override the default gateway/routing table.
  • Combining a DSL and 4G LTE connection.

    3
    0 Votes
    3 Posts
    3k Views
    jahonixJ
    @andipandi: speeding up 1 single down- or upload is a lot more work like not possible. If you combine two links you won't get added speed. 1+1 is not 2, it stays at 1+1.
  • Having Issue with Dual/Triple WAN Failover

    6
    0 Votes
    6 Posts
    2k Views
    Z
    @ccmks: @zdoc: ccmks, thank you so much for your reply! I thought for sure the trick was going to be the firewall LAN rule, but I modified the gateway to my gateway group and it still isn't switching. I know the router sees the 3G connection as active as the update checker on the main dashboard can always check for updates, but none of the devices connected to the router wants to switch over to the back-up ISP. I know this worked way back on 2.1, so I'm really just baffled as to what I'm missing. Again, thank you for your reply on this! At least I feel like I'm potentially getting closer to figuring out what I'm missing. Did you set up the gateway monitoring like I mentioned on previous post? You need to have ways for pfSense to know when the gateway will be considered down. Otherwise, it won't do the switch if the pfSense still sees the gateway online. I hadn't before and I just now got a chance to try it again this weekend. I had left them blank previously (there was a note that it defaulted to a certain value, so I assumed that was good enough), but I put in actual values this time. Still no change on my end - when pulling the plug on WAN1, neither my 3G nor my satellite back-up fail into its place. Again, I know the router itself is using the internet from one of those two other ISPs, as it's able to still check if it's on the latest version of software. Something else I noticed: as soon as I plug my WAN back in (even while it still shows the status at Offline or Packetloss within pfSense), I can ping google.com again from my desktop. To me that tells me pfSense isn't even switching gateways on its end, otherwise there should be a delay before I start receiving responses again. If there are any other screenshots or bits of information I can share (and you're still willing to help), please let me know. And thank you again for taking time out of your day to help me with this! I greatly appreciate the help you've given me thus far.
    @naztek: Currently having the same issue on 2.3.2. Our 4G gateway shows as active and online and I can ping the ISP DNS server through that gateway (DHCP). After the gateway goes down and comes back up, it gets a new IP from the ISP and shows as down under Status > Gateways. The ISP DNS is still pingable but the failover is not working. The failover is determined by Probe Interval. We had our failover working in 2.1.3 but the same settings no longer work. Sounds similar to what I'm seeing. It once worked, but I can't get it to go now. I'm assuming you did auto-upgrades from 2.1.3 to current? I know that's how I've upgraded. I'm wondering if I need to just purge config and start clean. I have a spare router, may try doing that one weekend to see.
  • MultiWan on the same subnet of my ISP's DHCP.

    4
    0 Votes
    4 Posts
    516 Views
    H
    Because you have identical gateways for multiple interfaces … this is a bit of an issue. Search for terms like "multi-wan same isp" / "multi-wan identical gateway" posts.
  • Multi public subnet IPs and Routing Loops

    3
    0 Votes
    3 Posts
    749 Views
    V
    my router IP is 72.44.192.36/29, ISP said 72.44.192.48/28 and 74.206.101.16/28 routing by 72.44.192.36, and 72.44.192.48 and 74.206.101.16 those usually is gateway can use by NAT.
  • Gateway Group Issues with NordVPN

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Multi-WAN with VPN

    1
    0 Votes
    1 Posts
    616 Views
    No one has replied
  • Questions about static routes

    2
    0 Votes
    2 Posts
    763 Views
    KOMK
    Look under Firewall - Virtual IP. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses Usually IP Alias is what you want.
  • Policy Based Routing

    2
    0 Votes
    2 Posts
    2k Views
    V
    You can use aliases for this. Firewall > Aliases > IP. Add an alias, call it e.g. DirectToWAN and add the ranges 192.168.1.10-192.168.1.50 and 192.168.1.100-192.168.1.254 to it. Add another one and call it e.g. DirectToVPN and add the range 192.168.1.50-192.168.1.99. Use these aliases for sources (single host or alias) in your firewall rules.
  • Can't route between subnets?

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD
    pfSense deals with static IP addresses just fine. Maybe you did not properly program a default gateway on your switch? A switch in layer 2 mode is usually managed by the address on its management VLAN. Set its default gateway to the pfSense interface address on the same VLAN.
  • "Rogue" Static Route Keeps Being Recreated (Solved)

    4
    0 Votes
    4 Posts
    1k Views
    K
    Got it.  Turns out Watchguard distributes its global DNS server addresses to all DHCP clients, even if you have others configured on that interface.  I just left the global ones blank and configured them on a per-interface basis.  Thank you so much for your help!
  • DMZ Setup from RG to pfsense for WAN - ARP conflicts?

    4
    0 Votes
    4 Posts
    2k Views
    C
    I have this exact setup, and the same logging issue. A Pace 5268AC router on AT&T Gigapower on a Netgate 2440 with pfSense 2.3.2. I am setting the AT&T router in DMZPlus mode, which passes all traffic to the selected internal device (in my case pfSense 2440). This makes the DHCP server in the AT&T router assign the WAN port of the 2440 the public internet IP from the AT&T router (oddly enough). As mentioned by the OP, this is causing this system log error in pfSense: arp: xx:xx:xx:xx:xx:xx is using my IP address n.n.n.n on igb0! xx:xx:xx:xx:xx:xx is the arp address of the lan port on the AT&T router, and n.n.n.n is the public internet IP. It's passing traffic fine in this configuration. I guess I can also understand why the error would get logged, but would love to understand how this setup works, and if I should be concerned enough to change it. The goal with the setup is to put the AT&T router into as close to a bridge mode as I can.
  • 6xNIC with bridged ports configuration "issue"

    3
    0 Votes
    3 Posts
    743 Views
    D
    Thank you! I thought there had to be something intrinsically wrong with making those parallel connections. I could see the scrolling errors on the bridge interface after making just the second connection. Glad someone smarter than me could talk me down. Thanks again!
  • Some Dpinger / Gateway monitoring clarifications

    2
    0 Votes
    2 Posts
    1k Views
    dennypageD
    Dpinger results are based on the average of all probes within the time period (default 60 seconds). Dpinger itself only has one set of thresholds for latency/loss, which are generated from the "high" thresholds in the UI. These are used to determine gateway down types of situations (errors). The warning state is based on the "low" threshold values, and is determined by the higher level logic when it polls for current latency/loss values.
  • DUAL WAN setup doesn't work

    11
    0 Votes
    11 Posts
    3k Views
    T
    I already added the rule(s) on my LAN Interface… I configured the advanced options under gateway settings but it still doesn't work...
  • Weird routing issue

    17
    0 Votes
    17 Posts
    3k Views
    johnpozJ
    If you force a gateway, be it default or a group or whatever.. You have to allow rules above that if you want your clients to talk to other networks off pfsense that are not reachable through that gateway you're forcing traffic through. Is that simple!
  • PfSense ignore OSPF routes on interface with default gateway

    1
    0 Votes
    1 Posts
    838 Views
    No one has replied
  • Routing Across subnets

    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.