First of all, you do not need to setup separate gateway groups for failover as well as firewall rules for the same. pFsense automatically uses the gateway currently online. Secondly, you did not select 'LAN net' in Source in LAN rules. Still need help ? Just give a quick reply.

xinetd is not switching anything to do with WANs. It's only handling the local TFTP proxy. That message doesn't indicate anything to do with which wan is preferred or default.

No that is not how it would be done.. Even if you wanted to use multiple pfsense, that is NOT how it would be done.. Completely agree with Derelict, this would be much easier with just 1 pfsense and multiple segments.  If have spare hardware setup a carp, etc.

Yes. Put it on an available OPTX interface. The point is to NOT perform NAT for those addresses, Not to add a NAT rule.

NAT on router #2. Don't on router #1. There isn't going to be anything resembling "seamless" failover. All existing firewall states on Router #1 will be useless. No inbound connections will be possible into router 2.

Why would the number of users matter??  It matters how much bandwidth their sessions are pushing..  While yes at some point the number of sessions could come into play.  That is not going to be your issue.  Your isp limits you to 1 gig.. Connecting multiple devices because they gave you a switch is not going to get you above 1 gig..  If you think that is the case give it a try connect multiple devices and all load them up do you get 2gig, 3gig, 4gig all the way up to the number of your ports?

@rogeriosilva: We tried to use 2.3.2-p1 version on Windows Server 2008 R2 Hyper-V, but this PFSense version does not recognize this virtualizer IDE virtual controller. We also tried some previous versions, but we also had some problems on PFSense installation. What do you mean by "not recognize"? Could you provide a screenshot? And by the way, with 2008 server you should use only fixed size .VHD, not dynamic one.

Added the rules, works now. Thanks!

I have a simular question, I just want to use both at the same time and have both access each others LAN (both have the same multiple VLAN interfaces)

Well i wanted to get around double NAT (some of my server do not like this) and have only servers and such that are on that server to route on there, everything else goes to the main. Main reason i want a router there is that it would be done on the CPU

I think I've gotten a bit closer… added a virtual interface for the OpenVPN tunnel in question, which should open the door to doing failover in the usual way. The OpenVPN connection would always be up (as opposed to started when needed), but I can live with that. Will see if I can feel my way through it. I'd still appreciate hearing from anyone who's done this before, though!

Anyone ?

Better use Squid and Squid Guard for the purpose.

This much of information regarding your issue is not adequate to give a solution. Post your firewall rules for LAN and WAN (both), 'General Setup', 'Routing' ('Gateway' and 'Gateway Group').

Hi Johnpoz, Forgot to mention that this pfsense is a VM on a xenserver host. Regards. Thanks.

Thanks for the suggestion - tried it.  As soon as I assign the WAN (DHCP, or anything else) interface to the PPP group, it flips the WAN interface back to PPPoE and all the credentials are back in there.  Checking the logs, 4 logins again. No Joy.

I have changed that and I think that the problem come from the wan interface or the router config. This logs can be helpful? Oct 3 15:06:42 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 09:50:42 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 09:50:44 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 09:50:47 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 10:36:49 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Oct 12 10:36:52 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100% Oct 12 10:37:07 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.144.1 bind_addr 88.12.18.122 identifier "WAN_PPPOE " Whay do you think? Oct 12 10:37:10 dpinger WAN_PPPOE 192.168.144.1: Alarm latency 0us stddev 0us loss 100%

lan gateway firewall rules was all i had to change