It turns out that access a CRM system the company (SugarCRM), the user's session is terminated under 10s, and the system reports the following error: "Your session was terminated due to a significant change in your IP address.". Someone has gone through this problem and know how to solve? In normal or usually if this might be commercial based work, the network admin will create a VPN tunnel over IPSec, L2TP/IPSec or OpenVPN and the complete CRM data will go only through this VPN tunnel then, this might be better to targeting such a traffic. Perhaps this might be something also for you and the SugarCRM company? I'm having problems with the use of two Internet links set to tier 1 in "groups". With two Internet links you could do proper load balancing for well, but you must decide your self for one of the three main versions of load balancing to go with; policy based routing (would be good for you) session based routing (only good for servers) service based routing (would be also matching your criteria) The source was shown in this older thread here: Here's what you need to do, under system -> Routing -> Gateway Groups Create a first group with description name "BALANCE", And set Tier 1 for both "wan's" and Trigger level to "latency or packet loss" [this for load balance]" Create a second group, description name "Wan1 Fail Wan2 Use"  and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down. Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down. Now Coming Firewall Rules –> LAN, you need to create a three new rules, LIKE 1) BALANCE RULE Interfaces: Lan Protocol: ANY Source: LAN SUBNET Destination ports: ANY Gateway;BALANCE 2) FAILOVER RULE 1 Interfaces: Lan Protocol: ANY Source Address: ANY Destination ports: ANY Gateway;Wan1 Fail Wan2 Use 3) FAILOVER RULE 2 Interfaces: Lan Protocol: ANY Source Address: ANY Destination ports: ANY Gateway;Wan2 Fail Wan1 use Make sure to place them on top of the lan rules! This is more them enough for fail-overs.

Policy routing is a per connection action, not a per-packet action. Once a state is made the decision has been made and stored in the state, you can't take different action on reply packets. Although what you're suggestion wouldn't really work even if that were possible. What exactly are you attempting to accomplish?

-in multi-wan-loadbalancing scenarios you avoid balancing https sites or use stick connections. When I use this scenario cited by you, I face problems with some websites, pro example, there is a site that is dropping connections, stating that I am using two simultaneous connections, even using stick connections. Note: I'm doing this balaceamento "System: Gateway Groups", with two links marked as Tier 1.

@rubic: You can not have two gateways to the same destination due to FreeBSD  internal routing table organization, wich is trie. ECMP implemented in 8.0 is rather an exeption than a common practice. Not impemented in pfSense. Why do you need that? I mean, what disadvantage is to have one working path to the destination? In case you need something like failover, use dynamic routing protocol like OSPF. Hi, thanks for the concise answer. Well we're working on a particular deployment where dynamic routing is not an option due to certain limitation with the routers we're using. This will get fixed but as of now, we can't use routing protocols. The thing is, we need the 2 redudant paths either on ECMP or Active/Standby. What about my second question, any insight about that? Thanks again.

Thanks for the reply.  I'm not sure.  I setup a span on the switch and connected it to another NIC on the server and set that Virtual machine on that specific NIC.  The problem I will have now is that I'm not sure how to bridge the two vSwitches, so I can access pfSense on by the web.

@filipemotta: Hi All, I have two links and any vlans that I separated then selecting the gateway on the LAN rule firewall. i.e: gateway IPv4 * 192.168.0.0/24 * * *           *       IPv4 * 192.168.4.0/24 * * * WAN_DSL_PPPOE These rules actually are using NAT to navigate on the internet, that is each vlan uses the specific link. My problem is that when i enabling squid + squidGuard all vlans use the default gateway. How can i solve this? Thanks a lot !! To help others professional around this solutions I found this in the pfsense document page: By default, traffic using a proxy such as Squid will bypass policy routing and use the default route for traffic at all times. It also bypasses expected outbound NAT and leaves via the WAN IP address directly. Policy routing traffic from the firewall itself is not currently possible, and as such, load balancing is not possible. Failover can be achieved in many cases by using default gateway switching under System > Advanced on the Miscellaneous tab. So, It is not possible. I will try to install squid external pfsense and than pass the traffic to pfsense after proxy filter.

Still playing here and decided to shortcut it a bit running another LAN connection from the modem to the PFSense box and only allow telnet/ssh to the modem.

Also, in general does anyone have an opinion on this plan? Buy a device with three LAN Ports or NICs or try out a USB to LAN adapter, but this often ends up then with more trouble then help, so it would be more a workaround and not a solution. Alternatively you could use them both as WAN Ports and then connect only over the WiFi system.

Screenshot attached. Tried to hide some names, hopefully the idea is still clear. [image: screenshot.png] [image: screenshot.png_thumb]

Here is how I'm setup.  BTW, having issues with CIFS…  ;D DHCP server is configured for each LAN as: em2 - pfSense IP 192.168.2.99, DNS 192.168.2.99, GW 192.168.2.99 em9 - pfSense IP 192.168.9.99, DNS 192.168.9.99, GW 192.168.9.99 em12 - pfSense IP 192.168.9.99, DNS 192.168.12.2, GW 192.168.12.99  (This is an AD segment so I use DNS within AD, but DHCP from pfSense) NICs are configured with NONE as the upstream gateway So I have two rules for em2/LAN, the anti-lockout, and the IPV4*, sourced from em2. em9 and em12 only have one rule, the IPV4*, sourced from em9 and em12. I disabled Squid, and ClamAV, and Darkstat. I then checked it out, it now seems to be working and routing.  I've removed all but one NIC from my host, the em2 is enabled, and em9/em12 disabled.  I can now route.  I went to a host on em9, and I can route back to 192.168.2.0.  H U R R A Y ! ! ! So I re-enabled Squid and ClamAV.  All seems to be in order.  I'm not sure why, but it appears that Squid/ClamAV may have played a role, but for the life of me, I don't know how.  I will eventually re-enable Darkstat and we'll see what happens. But now, I'm as happy as a pig with lipstick... Thanks a lot for your help.  I think your suggestion of bringing the config back to as close as zero first, helped.

@markn455: I have this same need. Additionally a way to limits the maximum amount of data allowed to use the second WAN port. I have a satellite link with a max monthly limit which also as unlimited data between midnight and 0600 each day. I know little about pfsense and just starting my research. I have installed on a VM and starting my learning process. While it does not have a "spillover" capability I am wondering if a combination of gateway groups, traffic shaping, and schedules might not get me there. Mark I know there is a settings inside the firewall where you can configure scheduled based policy and select the appropriate gateway. @heper: implementing a spillover (if at all possible) would be a pretty big effort, with probably less 1% of the community that wants/needs it. (i'm making up numbers as i go here) unless the demand goes up or someone contributes the required code to get this working, i don't see this happening any time soon. It would be a nice feature for all those with metered connections(=sat/3G/dailup), but time is limited for the developers. Unfortunately, I live in developed country where the unlimited ISP is far from acceptable (yes, either you are getting crappy speed due too many user or you are paying amount of $$$ that is equivalent to number of Gigabit speed, I meant you are paying thousand grand to get good connection basically). I have to rely on using 3G/4G connection which is hard capped. As far as traffic sharper, it only regulates the bandwidth. But it doesn't regulate to use which WAN link like Spillover would do. Thank you

Having multiple VPNs assigned is fine, and doing the policy routing works as well. Your problem lies in the "geoiplookup" requirement. You might be able to use pfBlocker country lists to aid in that, but there isn't a way to do such a lookup dynamically. In order to policy route you have to be able to match the traffic in a firewall rule, which can't wait on an IP lookup from an external database.

Glad to hear it.

I've seen this happen a few times and in every case either the modem was not configured correctly or the ISP gave the user incorrect information. A very simple test would be to plug a laptop directly into the modem and enter your static info.  If it doesn't work (and I suspect it won't), you will have to call your ISP.

One more shot, I can't be the only one doing this. :) So let's say I have my tunnel set up, be it IPSEC, GRE, whatever.  I have a block of IPs routed over the tunnel TO the pfsense box.  How do I in turn make those IPs usable in both a 1:1 NAT setup AND make some available on another interface (ex. on a VLAN on the LAN side of the pfsense box)?