@doktornotor: This (any many others) are preventing by using properly configured "smart" switch. pfSense won't protect your from someone plugging in a rogue DHCP server either. This is true; however I wouldn't expect PFSense to save us from a rogue DHCP server for example, I would expect it to not rebroadcast packets between differing networks?

Thanks,  I"ll look into that.  It is definately nice, but unexpected.  For e.g.,  doing a large steam download tonight, single item,  both wans are at full saturation.  It never ever worked like this when I load balanced on my Asus router (rt-ac66u).  So I'm very happy  :D

After a reboot, situation changed a bit, check_reload_status is no longer pulling 100% CPU resources. Before reboot, I unplug WAN, with WAN2 plugged in, after reboot, WAN2 experiences a few times of UP/DOWN events and then…...gets DHCP offer from ISP2! And I tried to plugin WAN, alright nothing goes wrong! I thought the story should end here, but not really.... After setting up dual WAN load balancing + fail over, I did a test and.....unplug & plug WAN to test failover, working flawlessly. But when it comes to WAN2, sorry no hope, I get the same issue, em5 disconnects every few seconds, I keep tracing /tmp/em5_output, I found that it does receive DHCP offer from my ISP2 GPON, but just a few second later it disconnects without any error showing up. I keep everything plugged in and reboot again, everything comes up. Now I know that if I unplug WAN2 again, I have to reboot again.... :-\ Something I observed while system is dealing with WAN2: The pfSense GUI takes much longer time to respond to my clicks, as long as WAN2 doesn't have any link flapping issue, GUI access is extremely fast, I checked from console and do not see anything pulling system resources. Forgot to mention, my setup is a Celeron 1037U + 2GB DDR3 + 6 x Intel 82583V GbE card, plus 2GB CF card installed 2.2.1 nanobsd version.

@Nullity: My ISP did that too, but I still use that particular DSL modem because it functions normally as a PPPoE bridge. I can't got you. I am using a direct line, no modem is there in between. ISP switch room > Fiber to my office > Media Converter (Fiber to Ethernet) > PFSense. Can you please elaborate what you are guiding…

Hi all, thank you very much for the responses. Restarting the OpenVPN connection was the bit I was missing. Regards, Jens

Do not use gateway monitor with dsl.. it affects loadbalance as well as problems you are facing….

Dear nikkon, what i faced that if you set gateway monitor with pppoe connection you definitely get bad result. I dont know why. R u using the same. My two WAN loadbalance was not performing well for this. One is Lease Line of 5 Mbps and pppoe broadband of 4mbps. I enabled the gateway monitor for both. for lease line its ok. but for pppoe its not a good idea. after switching of the monitoring on pppoe, i m getting 9mbps speed now.. 8) 8).. check it.. MTU i havent set. I used default..

@badger: hi everybody… i guess you have to set the openvpn server to listen on the balanced_gw_group you set up in step 4? following this quick tutorial results in "An IPv4 protocol was selected, but the selected interface has no IPv4 address" when i'm trying to... anyone got an idea?  ::) thank you no you actually setup 2 (or more) seperate openvpn-servers in this scenario

That didn't work, however, I figured it out and am leaving here for others with the same problem. I had to mark the other two gateways as "down". Static routes still work (as I intended), but now the default gw switches straight to GSM if the primary one fails.

It sounds like a NAT reflection issue or similar? I guess you are using the public DNS name or public IP address to access systems in VLAN40, but the devices behind the SonicWall really only go in and out of the pfSense box to get to VLAN40. If you are forwarding public IPs on pfSense in to the VLAN40 devices that have private IPs in VLAN40, then try accessing the devices using the private IP addresses. That should work. Like mikeisfly mentions, you will need suitable firewall rules to make sure the traffic is allowed. Once you have that working, then make slpit-DNS on the pfSense - in the DNS Forwarder or Resolver, put host overrides for the public names that will internally resolve to the internal private IPs. That way, when you use the names from your inside network they will resolve to the internal private IP addresses and work. Users from the outside will resolve the names to the public IP addresses and also work like they do now.

Ok I'm realizing the issue now.  When I originally replaced my Verizon Actiontec router with my own router, I gave the Actiontec a 192.168.1.1/22 address and configured DHCP on it in the range of 192.168.1.150-199 (only applies to the coax connections to my STB's).  My new router was configured for 192.168.2.1/22 so they were on the same LAN network which allowed me to access the webgui from anywhere on the 192.168.2.x network.  Now that my new router is on the 192.168.4.0/24 network, it's not the same subnet so when I try to connect to 192.168.1.1 it's technically coming from the "WAN" which means I have to configure remote access to the Actiontec.

Thanks for your reply well both GW are configured with static IPs Group configured simply  as tier 1 both and packet loss or high latency  , then lan configured with that new grouped GW this is a test network so it is very  simple no vlans . just Normal Manged Switches without any network configurations. both GWs are aDSL 20 MB all SWs are Gb speed per each port today i reinstalled  pfsense and just configured the group and nothing more ( didnot install any packages ) and didnot create any FW rules , and it works fine . btw if i didnot add any packages or didnot change any FW rules , it will work without any issue . once i start creating FW rules or install packages , it will loop i will try to recreate the same scenario and try to get more results. i will update here later

If you are telling me to show all rules and logs I can do that, but would rather not post them on the forum. I did look at the logs and haven't seen anything out of place but I will look into it more. Thanks

Make a gateway group "Failover" with DSL WAN tier 1, 3G/4G WAN tier 2 Add rule/s on LAN that pass the traffic you want to failover, in the advanced section specify the "Failover" gateway group as the gateway.

Thanks for your replay, i will use L2TP over IPSec, if pfSense is able to manage L2TPv3 but pfSense isn´t support L2TPv3 at the moment. I have to trunk a lot of VLAN over the tunnel. Routing is not possible. And I know there could be a lot of L2 broadcast but i have to bridge an L2 Tunnel. Both locations need native L2 and the VLANs. For the performance, i look at the pfSense with "top" and the cpu is most idle (openVPN variante). Have anyone an idea why there is an unkown frames / packtes at tcpdump by bridging the "GIF" and the "IPSec interface (WAN)" thanks again :)

Perfect, thank you.