Thanks a lot for the information

i've done a Plan B, i've configured NAT in the Firewall for traffic from 192.168.3.0/24 intended to PfSense LAN address

So it's an IPSec VPN. You should have mentioned this.
I'm not familiar with IPSec on pfSense, but there is a special topic in this forum: https://forum.pfsense.org/index.php?board=16.0

Hi,
in the last days i did some tests and research. I got another Astaro ASG220 Apploance for testing and there i made the following
experience. On our Appliance we had pfSense embedded installed on a 4GB USB2.0 Stick.

On the borrowed one i installed pfSense on a spare HDD that was connected on the Appliances OnBoard IDE Port.
I reinstalled the current releae and imported the config of our faulty Appliance. After correcting some Interface Assignments
i switched over to this Appliance and on All Ports we got the correct Internet Speed.

Then i plugged another spare IDE HDD in our faulty Appliance and reinstalled pfSense. Then i reimported the current config
and corrected some assignments like in the borrowed Appliance. I switched back and i got the full Internet Speed with our Appliance, too.

The only Difference is, that now pfSense does not boot up from USB-Stick (embedded Version) but from HDD (classic Install).

But why has the USB-System such performance flaws, when it boots up in RAM?

Thanks for your help! The problem itself is solved now!  :D

Hi Tim,

Yes I did build and test it out.  The main 'issue' I have is that the connectivity and vpn out the device 'pf_internet' from 'pf_internal' is used for other services too.

If, on the device 'pf_internal' 192.168.166.x interface, I set a gateway of pf_internet (192.168.166.x) but with a monitor of an IP across the tunnel, I believe yes, this would work.  However, if only the tunnel to that remote IP being monitored goes down, I run the risk of causing failover for other services, even when the rest of the connections are up.

– I hope you understand what I mean?

My workaround for the moment is to have static routes, specific for the remote IP, disabled on pf_internal.  In the case of failure of ther tunnel, the static routes are simply enabled.

--- Yes, I know....  Manual intervention like this is not ideal, I'm just not seeing any other way around this scenario.

You really cannot make an inside interface wwith public addresses with a single /29 on WAN. The best you can do is 1:1 NAT addresses to inside hosts. Some people bridge WAN so they can put hosts on public IP addresses. Not a fan.

If they were to route another subnet to an address on that /29 you could use that subnet on an inside interface, use VIPs on WAN, or basically do whatever you want.

Easiest way would be to just create separate Guest and Secure vlans.

Leave Guest at your Linksys, and route Secure to your core.

You want a slow booter, the 3850's are like waiting for a pot to boil while watching it..

You need to bypass policy routing when you set the gateway groups. That means, for instance, a pass rule on LAN_1 that passes traffic to LAN_3 that does not set a gateway (meaning it's set to the default gateway).

After that you can place the rule that passes traffic to any (the internet) and sets the gateway group.

Traffic routed to a specific gateway, or policy routed, is sent to that gateway with no further checks.

https://doc.pfsense.org/index.php/What_is_policy_routing

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

On 2.3.2 64-bit. Similar problem as GoldServe. Whenever Wan1/2 failover occurs I get hit with 3 pairs of the same log messages in succession.  Any way to have PfSense log just one entry pair?  Does it log for every gateway with monitoring enabled even though it's not included in the failover tiers?

2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover

@heper:

there is no direct reason to 'cascade' failover rules below balancing rules if they are meant to match the same traffic …. pointless waste of time.

Great, thanks for your insight.

thats odd. do you have a dns server set for each wan? (general settings)
no clue if this is a known issue or something specific in your situation, never encountered it myself

Yes, i have DNS servers for each Wan under general settings. I will try and dig some more.

The order is correct. Make sure you do the same thing on LAN2 so the LAN2 traffic can pass to LAN1.

I found the solution now: it had been a problem with "inline mode" in suricata.

I changed it back to legacy mode and now everything is as it should be: it blocks under certain conditions, makes a log entry and cuts the connection to the offender (not the whole network).

Yeah its pretty easy.  I assume your going to double nat, unless your planning on using that new vlan as transit network?

Hello everyone,

i am new on the pfSense World. I worked until now with Kerio. But for my new projects are kerio a little bit too expensive.

So i have to know and i hope that someone have experience with them.
Is it possible to make a Load Balancing on pfSense with 6-7 Gigabit WAN?

regards
Toma

everything is possible, the source is available. no such option exists.

as jimp said: run a routing protocol. that takes 5 minutes, what you are asking will take much more time, effort & money

Hi all,
I'm still struggling on that issue. I've looked for all sort of possible solutions and came out with *almost nothing.

*there was something related with BGP but that will have a major impact to our current BGP configuration