To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none. Yes that was the missing piece. I added the 1) rule on the LAN1 (Bridge) and now i can ping from wifi to lan vice versa without issue. :D New Complete Firewall Rules: LAN (vr01) IPv4+6 * * * * * * none WIFI (ath0) IPv4+6 * * * * * * none LAN1 (Bridge) IPv4 * LAN1 net * LAN1 net * * none IPv4 * LAN1 net * * * Gateway "WAN" none Thanks for the help.

And the credit goes to phil.davis ! You hit it right in the center :D The problem was exactly like phil.davis said. The Load_Balance rule matched first and that "force" the gateway to search for local IP address in the open ocean. Silly me that I did not though about it, so much pfsense things that I even got confused at the end :D You bring me back on track! Thank you very much again, I will post now screenshot of how rules should be as follow! [image: load_balance.PNG_thumb] [image: load_balance.PNG] [image: lan20.PNG] [image: lan20.PNG_thumb]

Ok thanks, I figured that was the case, just thought maybe there was some magic that might have allowed this to work given the huge changes in going to FreeBSD 10.

After much suffering… the problem was solved: 1- request to providers to send me a public network "/30" instead of a private network; 2- I changed all workstations to get IP over DHCP (pfsense server). I had set fixed IP for each workstation; Problem solved, failover working fine ...

Sure thing… Broken firewall rules that fail to load are just fine. Have fun.

For block rules there is never any need/point in specifying a gateway. The traffic is being blocked, so there are zero bytes to be sent anywhere - it really does not matter which gateway the zero bytes are sent to  :D That Policy Route Negation note is for when you want to pass some traffic locally but you are also using policy routing for Failover/Load-balnce to the general internet. You might have a policy-routing rule like: IPv4 protocol any, Source LANnet, Destination any, Gateway load-balance-group A rule like that will push all traffic arriving on LANnet out the load-balnace-group which goes out some WAN(s) to the big bad internet. Even "local" traffic will get pushed out. There is nothing in policy-routing rules to look and see "hey, the destination is a local subnet on this box, I will ignore the specified gateway". So before a general policy-routing rule like that, you need to put ordinary pass rules for the local (and intranet) traffic that you want to pass locally.

Are devices in 192.168.3.* actually getting the correct gateway 192.168.3.1 from pfSense DHCP? Maybe you put something accidentally in the Gateway field of DHCP Server setup for that interface? As you say, if 192.168.3.* is somehow accidentally in one of the pfB or Adware_sites then the blocked traffic should be logged. You could traceroue out of a 192.168.3.* client and then do packet capture on pfSense to see if anything is arriving at all.

I bind WAN IP to one domain, and WAN2 IP with another domain, so if WAN/WAN2 goes down, then there should have no problem to resolve IP. So when WAN goes down, I use the domain name of WAN2, still not getting any response until I put back WAN connection, very weird….

Bump.  I'd also like to know if this worked.

No. Sticky relies on pf state/session tracking, it does not inspect the contents of packets, and likely has no bearing on squid whatsoever. If you need balancing help with squid, check the Cache/Proxy subforum under Packages.

Some users here are using external usb cellular modems. Like the Verizon jetpack, No drivers needed. Also sierra makes a commercial modem the Sierra Airlink GX450. I recently bought modules from this guy and they were already DirectIP working in pfSense. I can't guarantee they all are DIP mode. . You also need to deal with your carrier for valid sim/plan http://www.ebay.com/itm/321727864133?

I don't know that one but have worked with TL-SG3210 successfully in the past.

Ok. Would it be possible to use loadbalancing when there is only 1 PBX and 1 SIP Provider?

sorry for the late response but it's working now :))) thanks a lot !!

Post your firewall rules, alias definitions and full details of what works and does not work. There has to be some little setting that has been overlooked somewhere.

If you only want to load balance LAN traffic, then put the policy-routing rule on the rules tab. Personally, I would only put an "in" rule on the floating rules if it is a really generic thing that applies to every interface and I have a lot of interfaces. If there are only a few interfaces then I would repeat the rule on every interface anyway, because then it is easy to see all rules for an interface listed together. It can be easy to forget floating rules. But I'm sure others will an opinion…

Yeah something's not adding up.