• MultiWAN and UPNP

    0 Votes
    5 Posts
    1k Views
    Yes.
  • Newbie question on Multi-WAN and Forced Routing

    0 Votes
    5 Posts
    766 Views
    @tim.mcmanus Thank you!  Your screenshot was very helpful.  I was missing the Gateway in the FW Rule.  :)
  • 0 Votes
    5 Posts
    517 Views
    So to do it this way I have to specify the IP address of the pfsense box to use as the proxy server in the internet options right? Yes.  This is easiest if you only have a handful of clients.  If you have a lot, or random, then you need auto-detection of proxy via WPAD. When I set it up between connections I didn't have to setup anything extra. You were probably running it in transparent mode where all port 80 traffic is silently redirected to squid.  That won't work in this new scenario.
  • Multi wan at multi location

    0 Votes
    3 Posts
    715 Views
    have implemented the gateways on the respective network cards home points to the office ip and the office to the home ip all is fine there remote desktop, file sharing all work fine tho, the office cannot see the gateway on the home and gets an offline when trying to ping the lan side, all traffic seems to be one sided favoring the home connection, i cannot ping from the office lan to the home lan tho i can ping the home lan to the office lan yet the rules are identical
  • 2.2.2 - MultiWAN Failover - SMTP Notifications & Firewall Restrictions

    0 Votes
    3 Posts
    2k Views
    I'm having exactly the same issue here on 2.2.2 (and incidentally also on 2.2.3) about the SMTP notifications not working on the failover connection. I would like to have it solved if possible as I don't have other means of monitoring the connections on the WAN side of this firewall. I was thinking the "DNS Considerations" on the docs page (https://doc.pfsense.org/index.php/Multi-WAN) got something to do with it but I doubt this is the case. I've set a specific WAN connection for each manual DNS server listed (which are all addressable from any of the WANs) but still no luck. When I bring down WAN1 manually from the interface, the failover works and does send me an email over WAN2. When I, however, simulate failover by pulling the network cable of WAN1, the system log mentions it cannot reach the smtp server (through WAN2). I have no specific firewall rules setup on SMTP at all so that can't be it either. Any suggestions, anyone? Thanks in advance, Walter
  • DHCP works, DNS does not (VLAN + Tomato AP)

    0 Votes
    2 Posts
    700 Views
    Post the firewall rules screenshot!
  • VLAN works only one direction?

    0 Votes
    54 Posts
    16k Views
    @heper: gateways should, imho, never be used for known networks …. then you use routes (even if you have to add a lot / or use a routing protocol to handle them) Ok, I guess here is the clue. Totally agree, when it is a known network you don't want a gateway. But (it might not have been clear all the time) I am talking about addressing networks not directly known to pfSense. Without gateway, there is no routing possible towards those networks? Whether you do this by static or routing protocol, you need a gateway. You go and try to add a route in pfSense. (System:Routing:Routes) There are 2 mandatory entries, I'll leave it open for discovery for every reader of this topic what those are. @heper: pbr (ie policy based routing) is not even required when dealing with plain routes as pfSense doesn't support multiple routes towards the same destination. you can failover when using a routing protocol. Not going to step in here about the need, IMHO that is outside the scope of the topic. I don't even understand what his setup is or what he's trying to accomplish (gave up after a while)… @heper: the only reason where you would want to mess with gateways for "known networks" is when you'd want to loadbalance …. but honestly http is almost the only protocol that doesn't give issues with loadbalancing, everything else fails miserably (including https/smb/ftp/....) Is that so? Haven't needed it up-to now, but seems good to know. Tnx for sharing…
  • WAN works only for few seconds - IRRELEVANT

    0 Votes
    4 Posts
    963 Views
    @KOM: Sounds like you've got a user who needs a reduction in his permissions.
  • Fallback on second WAN don't work !

    0 Votes
    3 Posts
    579 Views
    Sorry to be late on reply, but was out for work. :( Attached the Firewall Rules for the LAN and the Gateway . Thanks [image: FW_rules.jpg] [image: Gateway.jpg]
  • 0 Votes
    2 Posts
    747 Views
    Hi SaschaITM, how do you setup the routing, so PFsense B tries to reach A first on WAN1 and second tunnel on WAN2? I am working currently on a similar setup but use two one connections on both sides and IPsec/GRE (but also having troubles) best regards Thomas
  • L2tp on not default gateway

    0 Votes
    3 Posts
    917 Views
    @jimp: Try adding a port forward for L2TP (udp/1701) to localhost (127.0.0.1) on the other WAN rather than connecting directly. That will allow pf's reply-to function to send the response back out the second WAN as expected (assuming the second WAN has a proper gateway set or is a dynamic type WAN) It's not working recipe (pfSense 2.2.2). Replies to incoming L2TP via WAN2 are going out via default gateway on WAN1 (https://forum.pfsense.org/index.php?topic=95908.0)
  • 0 Votes
    3 Posts
    612 Views
    Thank you very much for the detailed assessment of my situation and options. You guessed correctly that there are only a few clients, and they are moving a lot of data across a single TCP/UDP connection. I really like your idea of purposely creating a kind of manual load balancing, but after some thought, I don't think this would work until the states expired. I really need to shuffle states, because all traffic goes out of very long lived connections, like Tor and VPN. In both of those cases, either the IP is already intentionally expected to be changing randomly, or it doesn't matter because it will be masked by the VPN which presents the same IP to servers that might complain about the changing IP. So, I guess there really needs to be a feature that shuffles states around. Is this possible somehow? I'm thinking about how to make a feature request that makes sense, and is actually doable. What do you think?
  • Gre can not use loopback virtual IP

    0 Votes
    1 Posts
    603 Views
    No one has replied
  • VLAN TAG : Works well on FreeBsd 10.1 but not on PFsense 2.2.2

    0 Votes
    2 Posts
    639 Views
    Post a network map.
  • Routing 5 Static IP's to 5 Different Interfaces

    0 Votes
    6 Posts
    849 Views
    Afraid "it didn't work for me" is not exactly a useful problem description…
  • MOVED: pfSense 2.2.2 Squid3-SquidGuard with Loadbalance ?

    Locked
    0 Votes
    1 Posts
    564 Views
    No one has replied
  • DISABLE vrs DELETE retired LAN VLAN interface

    0 Votes
    4 Posts
    2k Views
    There are no "routes" in that sense for directly-connected interfaces. The interface will no longer have any IP address/subnet mask configured on it and the routing table will automatically not have any entry for that subnet. So there is nothing to clean up in the routing table. Of course if you had bonus stuff like static routes that pointed to downstream routers somewhere on old interfaces, then those need to be removed.
  • Adding the same Interface as VLAN on different ports

    0 Votes
    4 Posts
    879 Views
    If the WiFi access point has 2 physical ethernet connectors and can do 2 separate SSIDs that go to the separate ethernet connectors then all would be easy - connecting to both switches to be in both LANs but traffic segregated by SSID. But I guess the WiFi AP does tagged VLANs. In that case you have to have some device that can have multiple physical ports and do tagged VLANs on some port/s and untagged on others - a VLAN (smart) switch. Just 1 smart switch would be enough. If you do not need many ports on each of your LANs then you might be able to even get rid of your existing LAN switches. On the smart switch define 2 VLANS (say 10 and 20). Tag them on the port going to the WiFi device. Make other untagged ports, some in VLAN 10, some in VLAN 20, to connect LAN and Guest devices. 1 untagged port in each VLAN will go to pfSense LAN and OPT1. Or you can do VLANs on pfSense also and make a tagged trunk port with VLAN 10 and 20 going up to pfSense. Even easier - buy a second WiFi device and dedicate 1 to each subnet :)
  • Routing - Two Subnets (WLAN/LAN)

    0 Votes
    6 Posts
    1k Views
    If you want to do this directly on pfSense then you need a physical place to plug in the Wlan to the hardware running the pfSense VM. If possible, connect a Wlan device LAN port (not its WAN) to pfSense and assign it a new interface (OPT1) with IPv4 address in 10.0.10.0/24. Turn off DHCP on the Wlan device, turn on DHCP on the pfSense OPT1 interface. Now the Wlan device is being just a dumb WiFi access point. Alternative is that the Wlan device can disable its NAT and can be set to pass all incoming traffic on its WAN. Then it can act like a downstream router to pfSense - add a gateway in pfSense pointing to the Wlan device WAN IP. Add a static route to point to that gateway for the 10.0.10.0/24 subnet.
  • Can't ping OPT2 gateway from OPT2 interface

    0 Votes
    14 Posts
    2k Views
    Please, start with this: https://doc.pfsense.org/index.php/Multi-WAN What you are doing there makes no sense. You need a gateway group set up for failover and use that GW group on your LAN(s). NOT WAN(s)!!! Remove the INT_GW from INTEGRA and nuke the allow any rule, your firewall is nonexistent at the moment!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.