• Load balancing with http traffic on specific wan

    3
    0 Votes
    3 Posts
    638 Views
    A
    Firewall:Rules:LAN
          Proto     Source  Port  Destination  Port       Gateway
    PASS  *         *       *     LAN Address  443 22 80  *        Anti-Lockout Rule
    PASS  IPv4 TCP  *       *     *            443        WAN2
    PASS  IPv4 TCP  *       *     *            80         WAN2
    PASS  IPv4 *    *       *     *            *          WAN1
    DENY  IPv4 *    *       *     *            *          *
  • Impossible to use Multi-WAN in the same net?

    3
    0 Votes
    3 Posts
    693 Views
    C
    Each WAN must have a unique subnet and gateway IP, with the exception of PPPoE. You can put a NAT router in between the additional WANs that are on the same network, so your multi-WAN system sees them all as different networks. Less than ideal, but that's the only way that scenario is going to work.
  • Sending traffic through the VPN for specific subnets

    2
    0 Votes
    2 Posts
    667 Views
    jimpJ
    If this is IPsec, it's easily fixed by adding the right Phase 2 definitions on each leg to cover the path from Reno to Azure and vice versa. If it's OpenVPN, then some extra routing would be needed to make sure everyone has a path over the right VPNs to get to the right places. If you can provide some more detail about the setup we can offer better advice.
  • Can't access resources with our domain name from inside the network

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD
    with Comcast I have a modem with 2 IP(s) and the LAN is connected to the modem and receiving the 2nd IP, so the incoming connection from LAN and WLAN (comcast wifi) considered as private network? Huh? You lost me as to your actual topology there. Private IPs are just RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. If you are connected to something outside your WAN, are receiving an RFC1918 address and are not NATted to a public IP, and attempting to make a connection into your WAN to a port forward then yes, you need to turn off block private networks on your WAN. Blocked connections from the private IP should show up in the firewall logs. When inside your network does your server DNS resolve to internal or external IP? If external, you need NAT reflection.
  • No default gateway

    1
    0 Votes
    1 Posts
    616 Views
    No one has replied
  • Policy routing being ignored?

    2
    0 Votes
    2 Posts
    804 Views
    N
    I was able to fix this myself. Pretty much what was happening was that my OpenVPN broker was pushing IPv6 routes, amongst others a ::/2 default route. For some reason the policy rules didn't intercept the packets and the default route was being used. To remedy this, I added "route-nopull" to the advanced configuration of my OpenVPN client. As such, no routes are added for either IPv4 or IPv6 and everything is working the way I want it to. Big thanks to everyone at #pfsense @ Freenode for attempts at helping and showing patience with my constant nagging.
  • Routing strange problem

    3
    0 Votes
    3 Posts
    822 Views
    B
    SITE A:
    WAN_VLAN5: ip: 10.12.13.1/30
    Static routes: 192.168.10.0/24 wan_tositeB - 10.12.13.2 WAN_to site b
    First firewall Rule in LAN: IPv4 * * * 192.168.10.0/24 * wan_siteb none to site b
    ----------------------------------------
    SITE B:
    WAN_VLAN5: ip: 10.12.13.2/30
    Static routes: 192.168.10.0/24 wan_tositeB - 10.12.13.1 WAN_to site b
    First firewall Rule in LAN: IPv4 * * * 192.168.0.0/24 * wan_sitea none to site a
    Is it enough for you? Thanks.
  • Clients fail some authentication measures on some web sites.

    2
    0 Votes
    2 Posts
    503 Views
    A
    I may be wrong but in your LAN rules I think you can do this. If source address is the LAN network AND destination is 1.2.3.4 (website) use gateway A, else gateway B. You obviously won't have the speed increase doing it this way. http://postimg.org/image/yb89nka5l/ http://postimg.org/image/irbh4cry1/ http://postimg.org/image/6ghxvxtt7/6d7d89a8/ I was having difficulty uploading photos here. Probably something I am doing wrong.
  • Load balancing stops working

    3
    0 Votes
    3 Posts
    945 Views
    X
    Do your WAN connections use the same upstream GW? This causes issues as both connections are actually routed out the one gateway and pfsense only sets up one route to that gateway (the default WAN link).
  • Slow traffic when gateway rule is configured.

    7
    0 Votes
    7 Posts
    2k Views
    C
    UPDATE:  For my situation, in our live environment I found a rule that was causing our traffic to go over a slower link.  Once I fixed that, I was less interested in why I had this problem in the test environment and quit researching.
  • Load Balance (OK) but VOIP problem

    1
    0 Votes
    1 Posts
    613 Views
    No one has replied
  • Pfsense proxy does not resolve DNS

    2
    0 Votes
    2 Posts
    650 Views
    dotdashD
    Please don't double post. I'm having trouble understanding what you are doing. If pfsense is behind a proxy server, go to system, advanced, misc and fill in the proxy settings. If squid is your proxy server, your client machines will have to point to the proxy server (squid) on pfsense to get out.
  • RIP Routing Questions

    1
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • DHCP and Static WAN

    2
    0 Votes
    2 Posts
    631 Views
    jimpJ
    Yes, that will work so long as they are not in the same subnet.
  • Manual assignment of WAN route / load balancing in bufferbloat scenario

    3
    0 Votes
    3 Posts
    1k Views
    P
    Thank you for the advice! I've progressed further in replicating my old setup to enable plug-and-play migration. In order to enable the second gateway the same way as before, I've created a virtual IP for .248. At this moment, I've got the following setup: main IP 192.168.2.1, IP alias of the main IP 192.168.2.248 (this was previously another modem with static IP on the network). My question now is: how do I set up an outgoing firewall rule for any device that has the router set as .248? My idea is to have all traffic hitting .1 go through the main WAN1, and all traffic trying to reach .248 go through WAN2. I would pipe all non-important backups etc. through the WAN2 and then play a bit more with QoS on the WAN1 to make Skype and any other VOIP work well.
  • 0 Votes
    2 Posts
    893 Views
    R
    Hi, Is what you are asking for really needed? I would have thought that when WAN1 comes back online, traffic would meet your first firewall rule which is to load balance (and thus use WAN1 as per weighted preference). Or is it more complicated than that? Richard.
  • Basing gateway status on something other than ping/loss

    2
    0 Votes
    2 Posts
    582 Views
    J
    Shamelessly bumping my own thread ;) I've started developing a PHP class that lets you programmatically connect to the WebConfigurator to make changes. It's very low-level at the moment, but it is working very well :) I plan to use it together with a simple wget operation that tests the responsiveness of each WAN interface, to automatically disable routing of traffic across a capped connection. Unless there are better options available, I might release this code.
  • Squid loopback interface and logging problem

    1
    0 Votes
    1 Posts
    911 Views
    No one has replied
  • 3G and DSL on one ALIX - but how?

    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • Multi combined 10gbe and 1gbe bridged LAN with dual WAN

    9
    0 Votes
    9 Posts
    4k Views
    H
    @gonzopancho: is old, and somewhat out of date. I'm sure it is within your power to make it "new and shiny" and somewhat up-to-date :))
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.