• Load Balancing/Failover - special solution needed

    2
    0 Votes
    2 Posts
    854 Views
    P
    You can use failover gateway groups (put WAN1 Tier1, WAN2 Tier2 on 1 group, and the reverse on the other). That will let you add rules on LAN1 and LAN2 to send the traffic to the required WAN, but have it fail over if a WAN goes down. "only if more bandwidth is needed" - there is no feature for that. To do such a thing would need some parameters to define what that means. e.g. if you download just a 10MB file, then, assuming the internet server is faster than your link/s, you will "need more bandwidth" for the minute it takes to download. Whenever anything other than single-packet back-and-forth interaction is happening, then using more bandwidth is "needed" (i.e. faster). Probably it means "if the main link is saturated for more than n secs then add some bandwidth by using the other link also".
  • Dual WAN - Dual Cable modem with same internal IP

    2
    0 Votes
    2 Posts
    839 Views
    H
    You will probably be able to fix something up with NAT: https://doc.pfsense.org/index.php/1:1_NAT
  • Multihomed ISPs

    1
    0 Votes
    1 Posts
    704 Views
    No one has replied
  • About throughputs off muti-wan

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • Comcast and pfSense have intermittent problems reaching only Google

    8
    0 Votes
    8 Posts
    2k Views
    DerelictD
    You need to move down a few layers and figure out what's really going on using the standard tools.  Is it a DNS issue, can you ping, resolve names, traceroute, telnet to port 80, or what. If it works then it doesn't we're going to need more to go on.  Your browser is probably not going to give you the feedback you need to find out where the problem is.
  • MultiWAN with one NIC

    2
    0 Votes
    2 Posts
    760 Views
    P
    If you want 1 NIC to be shared by 2 WANs then you have to have a VLAN switch. So choose between adding an extra NIC to your pfSense hardware or having a VLAN switch.
  • MultiWAN failover with squid3 on pfsense 2.1

    1
    0 Votes
    1 Posts
    519 Views
    No one has replied
  • Multiwan and Netflix and UnblockUS Service

    2
    0 Votes
    2 Posts
    984 Views
    R
    Can you share some screenshots of your configuration?
  • Routing between opt and lan

    2
    0 Votes
    2 Posts
    3k Views
    DerelictD
    You don't need those NAT rules. They will only be in effect for traffic out WAN, which will not include the LAN <-> OPT1 traffic. In your case it's sufficient to use automatic outbound NAT. Be sure to check your Windows or other firewall settings on the clients themselves. People never get tripped up by them because they treat the local subnet as friendly. As soon as you do multiple subnets, the software firewalls start blocking "local" traffic because it's from a different subnet. People compensate by doing all sorts of things in pfSense. Those pass any rules on LAN and OPT1 are all you need. You say there's no firewall on the hosts at all but SOMETHING's blocking that traffic and it's not pfSense. If it was, it'd be in the firewall logs.
  • "Member Down" problem

    34
    0 Votes
    34 Posts
    8k Views
    luckman212L
    @cmb: Down == above the defined thresholds you have on the gateway for what should be considered down. Chris if you get a chance, I started a new thread related to this but not sure you saw it. Hoping for a little color on those apinger settings  :)
  • Multiple Gateways in DMZ

    3
    0 Votes
    3 Posts
    1k Views
    E
    Thanks for your reply - the 10.50.30.0/24 addresses are accessible from everywhere - the problem is that some users want to use the WAN addresses (for testing websites), and anything that is connected to the 2nd firewall is not accessible via our remote office. I managed to temporarily resolve this by removing the OpenVPN route to push 8.8.8.0/24 down the tunnel, and manually specified /32 routes for individual servers, but this affected other areas of the business. The issue I can see is that when I log into the OpenVPN PFSense box (8.8.8.203) and do a traceroute to one of the VIPs hosted by the 2nd firewall (8.8.8.204), it sends it down the default route of the OpenVPN box even though it's in the same subnet. The OpenVPN box can ping the VIP OK, but anything that's on its TUN tunnel can't.

    traceroute to 8.8.8.242 (8.8.8.242), 64 hops max, 40 byte packets
    1  (8.8.8.1)  608.339 ms  0.217 ms  0.106 ms
    2  8.8.8.242 (8.8.8.242)  734.557 ms  0.290 ms  0.270 ms
    3  8.8.8.242 (8.8.8.242)  0.573 ms  0.341 ms  0.391 ms
  • Multi WAN on One IP

    1
    0 Votes
    1 Posts
    563 Views
    No one has replied
  • Connecting two subnets

    9
    0 Votes
    9 Posts
    2k Views
    P
    It is also possible to use the pfSense WAN-side "LAN" as effectively another LAN in your private network. The idea is to make pfSense WAN IP give out DHCP, and be the gateway for devices in that "WAN-side LAN". Something like this works:

    - Turn off DHCP on the ISP gateway device
    - Give pfSense WAN a static IP (like 192.168.2.2) and define its gateway to be the ISP gateway device (192.168.2.1)
    - Turn on DHCP on pfSense WAN - give it some pool of addresses in 192.168.2.0/24
    - Let pfSense WAN give itself as gateway and DNS server to WAN-side clients (that will be the default already when you enable DHCP).
    - Firewall->NAT, Outbound - for this 2.2-RC is easiest - enable Hybrid Outbound NAT, add a rule to NAT traffic with source WANnet to WANaddress - this makes WAN-side client traffic get NATed out to the internet in a similar way to LAN-side client traffic.
    - Firewall->Rules - add rule/s on WAN to allow source WANnet, destination all (or whatever you want to allow) so that traffic from WAN-side clients will be allowed.

    Now your WAN-side clients act in a similar way to being another LAN on your pfSense. You can reach devices on the real LAN and also get internet.
  • 0 Votes
    2 Posts
    552 Views
    E
    I'm thinking this might involve virtual IPs, but I want the phone server to be DMZ as if it's an edge device.
  • Routing iax-protocol (udp port 4569) not working

    1
    0 Votes
    1 Posts
    808 Views
    No one has replied
  • Basic Question - Gateway of ISP and pfsense on same subnet

    6
    0 Votes
    6 Posts
    967 Views
    P
    I asked them if I could get a "Transfer" space - but they said that this is not possible… I thought of this:

          WAN / Internet
                :
                :
          .-----+-----.
          |  Gateway  |
          '-----+-----'
                |
                | (89.163.211.129/27)
                |
                |
                |
                |
                |
                |
            WAN | IP or Protocol
                | (89.163.211.130/27) --> the sense
                | (89.163.211.131-158/27) --> the VIP-Addresses
                |
          .-----+-----.  priv. DMZ                          priv. DMZ  .------------.
          |  pfSense  +-------------------------------------------------+ DMZ-Server |
          '-----+-----'  172.16.16.1/24            172.16.16.2-254/24  '------------'

    This way I can control what enters my DMZ-Servers and what shall not pass.
  • NEED INPUT: Port 80 Traffic Times Out on Failover Setup

    7
    0 Votes
    7 Posts
    1k Views
    DerelictD
    I think there might be a misunderstanding since AON isn't Automatic Outbound NAT but Advanced Outbound NAT (aka Manual). I caught myself making the same misinitialism a few posts ago. ![Screen Shot 2014-12-16 at 10.50.44 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-16 at 10.50.44 PM.png)
  • TimeWarner blocking ICMP pings to 8.8.8.8

    4
    0 Votes
    4 Posts
    876 Views
    C
    TWC isn't blocking your pings. Trust me on this one… I believe apinger is way too sensitive ever since 2.1.x came out. Never really had any issues before 2.1.x, once in a while I would; but it was signal issues with the cable modem or the amp across the street. I have mine set up to just ping the CMTS gateway. My workaround was this:

    Latency thresholds 1000 1300
    Packet Loss thresholds 20 30
    Probe Interval 5
    Down 30

    Before the above settings, apinger would say my connection is down all the time when streaming movies on Netflix... Once in a while it still does but that is because I'm streaming 2-3 movies and downloading a bunch of torrents maxing out my 100/5 connection.
  • Load Balancing Questions

    3
    0 Votes
    3 Posts
    932 Views
    arrmoA
    Makes sense - thanks for the info!
  • Colocate active directory

    7
    0 Votes
    7 Posts
    2k Views
    R
    Just an update, installed unbound on the pfSense onsite. Put the address of the DC in the general setup page, in DHCP changed DNS to the address of pfSense and all works well. Still pushing domain name to clients and still able to see the domain. Plus got some sort of a DNS cache onsite instead of doing constant lookups offsite. Unbound was the solution all along  8)