2.3.1-RELEASE (amd64) built on Tue May 17 18:46:53 CDT 2016 FreeBSD 10.3-RELEASE-p3 I can confirm this one is solved  :) Before update: MONITOR: LBGWGroup is down, omitting from routing group SCRGW After update: MONITOR: SCRGW is down, omitting from routing group LBGWGroup

personally i would have done the vlan option but some of our switches are not vlan capable. we are using dns and that's probably what is causing the issue here. im going to try and keep pushing the switch over sooner than later.

https://doc.pfsense.org/index.php/Multi-WAN

Each interface can have its own user/pass combination. If you only have 1 physical interface you might get away with vlans

You could force certain services, say HTTP, HTTP, SMTP, FTP etc. to go out WAN2 and thus leave WAN available for gamers, by setting specific LAN firewall rules to use specific WAN2 gateway under advanced –> Gateway options on each firewall rule for certain services. I know it's not exactly what you are looking for, but, it will help. You could take it one step further and create 2 gateway groups WANgamers with WANgw in it Tier 1 and WAN2gw in it Tier2 and a second gateway group called say WANgeneral with WAN2gw in it Tier 1 and WANgw in Tier 2. That way, each Gateway Group will have redundancy and failover to the other WAN, but, prefer to use a different WAN gateway normally. Then, your firewall rules will ALWAYS reference a specific gateway group, either WANgamers (which prefers to use WAN) or the WANgeneral gateway group which prefers to use WAN2. I hope that helps.

pfSense (like most other routers) does not aggregate ; it balances (hence the name). so basically, a single connection will never exceed the max speed of a single WAN. With multiple connections, a single client will be able to get the speed of both wans  (2 downloads/with torrents/ google's spdy/ …)

I tried already to create on the other site as well a firewall rule with the gateways configured. I also removed the static route. Problem is that these rules don't get evaluated because of the states for traffic coming back. I don't know if what I want to achieve is possible at all. Thanks!

Pls flowup link http://www.pfsensevietnam.com/2016/05/pfsense-install-on-vmware-esxi-as.html

Well after a few hours of reading and googling, I have come up with a way that works….. Is it right?...not sure but it works On the captive portal router,  I have set a new gateway with a non-local route (under advance settings) and address of 192.168.20.1, then i set up a static route to send all traffic for 192.168.10.18/32 thru the new non local gateway.  Finally I have set a new rule under the wan to only allow 192.168.10.18/32 ports 1812 & 1813. And poof it works. I hope this help anyone else that is trying to do something like this :-) Dickie

In my case I have a blocks that are not being used on an interface directly. Some are being used for NAT. I have a superset route that includes these blocks. If I put them in with null as the gateway, then the NATs don't work. If I don't have them in as a route then the NATs are used in the correct conditions, but in all other conditions the traffic is forwarded to the hop for the supernet. Thanks, Rhongomiant

WAN1 & WAN2 has the same GW. My servers is Dedicated and the two Internet that i have is the same. the only different is that they have different WAN IP. For the switching suggestion, i already check it. i can not fully understand the other thinks that you wrote… thanks a lot for your time...

https://forum.pfsense.org/index.php?topic=110043.0

For incoming packet on any given interface it goes like this: 1. Address rewriting, rdr or nat rules. 2. Packet filtering by the filter rules. Rules can set route-to for the packets to take different route at 3. 3. Routing if the destination of the packet (after NAT mind you) is not a local address. Outgoing is in the same order for 1. and 2. but routing has already happened obviously.

Thank you very much for the suggestions! Finally i opted for a different solution… I have created a LAGG interface for igb1+igb2 and trunk ports on cisco switch...applied the VLAN tags and everything is now working as expected!

Yes, I do! Thanks for the suggestion, hope for a quick resolution!

Thanks for the quick response georgeman! I looked up 'policy route negation rule' and the following how-to came up: https://doc.pfsense.org/index.php/Bypassing_Policy_Routing Using on the info in the above link I created a pass rule on the LAN interface where the LAN subnet was the destination. When I placed this rule first the website accessible via WAN1 became available to LAN hosts. From what I understand because the packets are destined for a NAT'd host via WAN interface and are therefore supposed to be 'reflected' back to the internal host without being routed to the Internet. Without the above rule the packets were hitting the load balancing LAN policy which sent them out the wrong gateway… Is this correct? I am still getting used to pfSense's nuances... while I am happy that it is now working, does having a rule like this somehow open a big hole in our security? Bonus Question: If I turn off NAT reflection would it be impossible for a LAN host to access an open TCP port on the WAN interface?

Thanks for the reply, but i resolved the issues with a reload of pfsense.

pfSense usually queries all the DNS servers simultaneously. If you have pfSense acting as a DNS forwarder (though dnsmasq or unbound), you cannot control in this way which server is queried depending on routing rules.