• Failover configuration

    7
    0 Votes
    7 Posts
    2k Views
    telserv
    After suggestions from pf2.0nyc and cmb, I have upgraded to 2.3-Release, and failover is working as I need it to. I even got lucky, and this morning the problem WAN failed, so everything is actually going out on the default WAN! One addition to pf2.0nyc's posting: if you use Dynamic DNS, you may want to change the gateway it connects to. Connecting to a dead WAN isn't as useful as connecting to your new Gateway Group. Attn pf2.0nyc: Unfortunately, my testing isn't likely to help you any. In my situation, I'm trying to fail over one WAN to another (default) WAN. Because the default WAN doesn't need to change, I can't add any useful information to your problem. My only suggestion would be to upgrade to 2.3-Release, and see if that changes anything. Thank you again for your detailed forum posting. Final Update… I had the Wizard create my first network configuration. It created two interfaces, where there is only one. The first interface is 'name' and the second interface is 'name-DHCP'. While 'name' is my default WAN, it doesn't work as a failover interface. The second failover interface has to be 'name-DHCP'. I can't explain it, but it works this way, and didn't work when I selected the default WAN as the second failover interface.
  • WAN status of PENDING or UNKNOWN

    4
    0 Votes
    4 Posts
    2k Views
    telserv
    As per CMB's reply, the upgrade to 2.3-Release has solved the problem. Thank you very much CMB!
  • 2 LAN, 1 WAN - LAN1 10% the speed of LAN2.

    2
    0 Votes
    2 Posts
    680 Views
    P
    Closing this as I realised it's my lack of knowledge causing the issues. Seems LAN one is someone diverting back through its own interface and ignoring the proxy.
  • Gateway configuration

    2
    0 Votes
    2 Posts
    881 Views
    H
    Hi all, I just solved my own problem ;D. It was just a simple thing that I overlooked, which is the static route. I set my WAN interface as the default gateway, then I added a new static route for my Juniper e0/2 interface from gateway LAN 1. Now I am able to ping from both ends.
  • Clarification on gateway thresholds - apinger

    5
    0 Votes
    5 Posts
    1k Views
    H
    @PF64: I get quite a few: send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 10…. Triggering coincides with your ISP lease-renewal? That's what I see at my place (via PPPoE). Dpinger 2.3.
  • Multi IP wan / Bridge to different interface.

    1
    0 Votes
    1 Posts
    466 Views
    No one has replied
  • Route by source

    3
    0 Votes
    3 Posts
    744 Views
    C
    Thanks! It solved my problem.  :)
  • Routing between LAN and VLAN2

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    "All ports in switch are untagged for 10.0.1.0/24 (vlan1 and default vlan); tagged for 192.168.1.0/24 (vlan 2.)" How do you have the ports set? And how did you create your vlan.. You assigned this vlan to your physical lan interface right? See attached, I have multiple vlans on em2, and it also has its native (untagged) network wlan.. On the switch the port connected to em2 trunked where those the vlans are tagged and the native vlan is set to 20 (untagged). Notice the ge10 interface is native or PVID is set to 20, ports that are directly connected to a device don't need to be tagged. Only interfaces that connect to say another switch or interface with vlans on it need to have vlans tagged. Ports that connect to end user device, say computer for example, normally are set to be untagged in the vlan you want that port/device in. If you're tagging that traffic, then you would have to set the interface on that device to understand the tag.. Or it's going to be using the untagged.. You stated that you have all ports untagged for vlan 1 (default vlan) and then also have tagged traffic on it.. That is not how I would normally do it for sure.. So in my case pfsense em2 is native on vlan 20, it then has the other vlan interfaces assigned to it 100,200,300. So any untagged traffic it sees is assumed to be going to the physical interface.. Any traffic that is tagged will be seen with the vlan interface that it's tagged for. As to connectivity between normal untagged traffic on interfaces and vlan interfaces be it on the same physical interface or different ones just require firewall rules to allow the traffic you want. To be honest when first setting it up use of any any rules makes it easy that you actually have connectivity.. Keep in mind any software firewalls running on the different vlan/network segment most likely will be blocking traffic from another network.
    Windows machines for example would block pings coming from a different network other than the network they are on.. So if they are on say 192.168.1.0/24 and you ping them 192.168.2.0/24 they would not answer until you setup their firewall to allow that. [image: vlans.png] [image: tagging.png]
  • Pfsense and site to site fiber links

    8
    0 Votes
    8 Posts
    1k Views
    J
    Sorry for the confusion… I have two sites as stated above. Each site has their own 100/100 fiber internet connection. There is a 1GB fiber link between sites. I need SITE 1 to be able to access site 2 over the fiber. All vlans 10,20,30,40,50 are at each site on different subnet (currently I am using IPSec Tunnels over the Internet). What will be the best way to make the two sites route traffic over the fiber? I created VLAN 224 at site 1 ip 10.0.0.253/24 on pfSense and trunked the vlan on the port from pfsense to the switch. And on the switch port that connects the fiber to the other building and at the other site I did the same with VLAN 225 and interface ip 10.0.0.2/24. Do I need to create routes on the switch or just on pfsense?
  • NAT between 2 firewalls

    1
    0 Votes
    1 Posts
    539 Views
    No one has replied
  • Static routing question

    1
    0 Votes
    1 Posts
    548 Views
    No one has replied
  • Internet from WAN to other interface

    3
    0 Votes
    3 Posts
    566 Views
    H
    @kapara: You need to say allow any but from source network. If you mirror the default lan rule on the second interface but use the correct source you should be fine.
    So this means that I need to allow from WAN (source) to any (destination) rule for both LAN_10 and LAN_192?
  • Failover MPLS

    1
    0 Votes
    1 Posts
    483 Views
    No one has replied
  • How to ensure Tiers / Load Balancing is working?

    4
    0 Votes
    4 Posts
    678 Views
    K
    Send screenshots
  • Routing with 2 pfsense VMs

    5
    0 Votes
    5 Posts
    907 Views
    Derelict
    If the latter you are going to need a third router. One that has both WAN subnets on interfaces and freely routes between them. It would be taking the place of "The Internet."
  • Download Quagga OSPF Module

    3
    0 Votes
    3 Posts
    1k Views
    S
    Hi Derelict, Thank you so much. It works. Cheers
  • 3 wan load balancinghink

    3
    0 Votes
    3 Posts
    881 Views
    O
    when either 1 or 2 of the 3 wan is/are down, still the remaining wan should work
  • Multi WAN - Route Traffic Via One WAN Link

    13
    0 Votes
    13 Posts
    2k Views
    A
    Will do Derelict, thanks very much for your Expert Help… :)
  • Multi WAN 3 site VPN with VoIP

    2
    0 Votes
    2 Posts
    703 Views
    K
    Do you have any 1to1 nat setup?  If you assign that gateway to a pc and do a whatismyip which gateway shows up.  You really need to provide a detailed representation of your setup if you want someone to help.  People are not going to waste their time playing 20 questions.
  • Multi-WAN failover with access restrictions

    4
    0 Votes
    4 Posts
    1k Views
    ?
    It will be even the best method to ask one thing and then the next one, that all things would be able to be clear as possible to all users here in the forum. To ask all questions in one thread would be nice too in some situations but often it makes things more complicated for everybody that is involved except yourself. Only my 2 cents.
    If you have three WAN interfaces and one LAN interface and you would not lead the LAN clients over specific WAN gateways, auth. by their MAC addresses, this will be two different things in my eyes, but able to realize for sure, but what I not understood is the following, why you want to filter at the WAN interface the MAC addresses coming from outside? As I was understanding it you will be identifying your LAN clients by their MAC addresses and route them then over a specific WAN interface or gateway. Can you please tell something more about that.
    In normal you will be setting up pfSense as the following for that actions in my eyes:
    - create three WAN interfaces and gateways
    - choose a proper load balancing method for that: policy based routing, service based routing, session based routing
    - install Squid with user auth. and create for each user an account and set up there the MAC address (alternatively you will be able to deal with internal static IP addresses, that's also able to do)
    - set up the failover rules (please note, if both other WAN connections will be stopping their work all your traffic will be running over the last one and also the Apple TV over the SAT connection if this will be last working one)
    I would try out policy based routing in your case and then over MAC auth. and then if one or more WAN connections are failing all the clients would be able to route over the last one, that will be not able to do if the MAC address is bounded to one specific WAN interface as I know it.
    - sample rules for load balancing and fail over (over the forum search function)
    - nice HowTo for a multi WAN setup (little bit old but good explained with many pictures)