Disabled gateways aren't listed, by design. Can be a bit odd, but if you do edit and save a gateway group with a disabled member, the disabled member will be removed.

In 2.3, you can't disable a gateway that's a member of a gateway group, which prevents getting into that situation.

It was a BT issue. I shouldn't doubt myself so much haha!

@johnpoz:

When they say vlan 0 do they just mean native vlan with no tagging?  Only time I have seen vlan 0 called is like in esxi this is the setting that just means no tagging.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004127

Type a value of 0 or NONE in the VLAN ID field. This indicates that VLAN Tagging is off.

That is exactly what they mean. Thank you for clarifying.

Will I need a 5th physical interface? Or can I just create an interface using the LAGG0 parent as the untagged "LAN?"

Hello,

so I go with NAT because I cannot control the GW in the 192.168.1.0/24 net.

Thank you for your help. You saved me quite some time  :D :D

Markus

I feel the need to chime in here because I had the exact same situation that persisted for the past year. I have 3 3mb DSL lines to my house (ATT Business), and prior to my hardware upgrade Speedtest would show upwards of 9-10mb on the downstream and 512kb up.  Since my hardware change I barely get above 3.5mb and usually 256k up.

Maybe you guys are right and we are moronic and totally wrong but all we can say is what we experienced.  My routinggroup was set just like the OP's to all T1 and packet loss or latency as a trigger. With 8+ devices, a kid streaming youtube, myself Netflix on the Roku the onyl time I ever had buffering was while torrenting (which is a bad thing you should never do). Now? I get buffering if I cough loud enough. Traffic graph peggeds out at between 3 and 3.6mb/s.

I have a separate thread about my issues that is being ignored because my original box appears to have gone tits up.  But the OP for this thread is not crazy because my old 2.2-release worked like that.

@jimp:

That's your gateway. If it wasn't in your ARP table, you wouldn't be able to send out any packets through it :-)
Unless it's DSL or a similar PPP-based line, but in that case your own MAC wouldn't show there, either.

Okay yeah it makes sense to me now. I am just so rusty since I don't do this every day like I need to. My ARP table holds entries for not just my local private network, but also stuff on the external network. I have the entry for my public address which is associated with my WAN card and then I have the entry for it's gateway which is the path out to the greater network/internet.

Ok, so the DNS rule worked like a charm.

The second I added the dns allow rule between the lan network and the firewall, I got an instant connection.

Thanks for the help!

Oh, and I'll be sure to read over that link.  Its entirely probable I'm mis-using the rules.

@kamran:

**Just disable NTPd  time sync daemon.

apinger wil become stable.**

That might help if you're running pfSense in a VM, but the problems with apinger are nowhere near that simple to solve.

apinger has been replaced by dpinger in pfSense 2.3. Though 2.3 is still in beta, the core functionality is now very stable and it has a lot of worthwhile enhancements and fixes over 2.2.x.

Packages are still a mixed bag on 2.3 - some have been converted, some are available but haven't had a proper GUI conversion and others are not available at this point.

If you want to try 2.3, I strongly recommend backing up your configuration and making sure you have working 2.2.6 install media to hand before upgrading. That way, you can revert easily to 2.2.6 if necessary.

Each pfSense to router link should be a dedicated interface. I link routers to a switch and use vlans on the pfSense to switch links.

For those who are looking at this thread, I'm still plugging away at this experiment of mine.

I figured out all the ports to leave open, and put rules for them on the WAN interface.  Everything not covered by rules on that interface gets a deny, correct?

Do I have to put these rules on the Lan interfaces as well?  Because right now, the only rules on that interface, are leaving ports 80 (http), 443 (https), and port 1433 (sql port).  As well as a forwarding rule that says anything coming in gets sent via rdp protocol to a specific machine.  But each lan interface has the default allow all rule (you guys helped me understand that rule, thanks again for that!).

Edit: if I changed those rules on the wan interface, to floating rules.  Would those rules apply to everything the firewall does, instead of individual interfaces?

Thank you the easy way worked didnt thing of that at all..

First of all, thanks for your reply.  :)

It is not.

This is the info page on the affected WAN interface:
https://www.dropbox.com/s/j9mjy2iyr0ggdk4/Screenshot%202016-01-27%2010.40.21.png?dl=0

Only thing missing is the name and the checked "Enable Interface" box.

I've been thinking though. Maybe I'm looking at the problem from the wrong end - PFSense can't talk to the router behind the interface, sure, but maybe it's just that the router there doesn't answer. Which would be weird since that one does not have a firewall (or really any other capabilities) enabled, but it's definitely something I will have to look into.

@kabrutus:

Does failover work with that many WANs?

Sure. 20 WANs is no diff from 2 in that regard.

Thanx everyone! As a newbie on pfSense this is most helpfull for me. For a couple of years i've been poking around with 2 wans and the right solution to shape traffic.
Recently i was pointed in the pfSense direction, and since that i've been reading and reading on how to implement it in my household. Like Derelict said; better read the manual before turning on the machine!

Again, thanx  ;)

Worked perfect. Thanks again  :D