Hi, normally the monitor ip could be gateway IP of your WAN interface… If both WAN interfaces have same gateway then you should "randomly" use external IPs to get a monitoring up. As written in other threads the pfSense would set special routes for this monitoring IP to use only WAN1, WAN2,...WANn to this special IP. So you need to use an "always up" IP to guarantee monitoring is working. GoogleDNS could be offer IPs... 8.8.8.8, 8.8.4.4 OpenDNS could also help: 208.67.222.222, 208.67.220.220 or you use 2 different IPs of your provider...

Hi, yes, we have done it. In my mesage history are several posts / you can search common for BGP here in forum - there are many good question/answer threads. You should use OpenBGP which works nice. But BGP uses also static IPs… only routing is done in different way. And BGP normally makes sense only for /24 or bigger networks because public announced networks must be minimal /24. I guess your ISP want you to discard default gw and offer you 2 or more gateways to let you automatically failover between backbones. Perhaps he can offer you also OSPF which is a little easier to setup because its done "automatically" per broadcast (but with pfSense package only IPv4 actual possible)? Bests

You use the "Firewall Rules" for that….  (also look at the advanced options of the FW rules)

you could try to enable default gateway switching (System: Advanced: Miscellaneous: Loadbalancing). it's possible that you'd get a faster responds this way, but it might have consequences elsewhere - be ware ;)

NAT is configured as described but still the problem persists :( Any more suggestions?

@galaxy60: Can you confirm on each VLAN you have a firewall rule allowing all traffic out? pfSense interface firewall rules work on traffic INTO the interface.  It doesn't matter whether it's another LAN (or VLAN) or the WAN. Keep in mind that the default pass any any rules are not automatically generated for any interfaces other than LAN, so you probably need to create them.

~~Ok, missunderstanding. Of course I have not the same IPs in the VPN. The moste easiest way would be if I would be able to setup a failover route. For example: 10.10.2.0 through 192…..1 and 10.10.2.0 trough 192......2 for example. Even more easy would be, If I could use GW-Groups levels for doing that. Then I would have a failover and I would route everything first through the first then when its down the second gateway. But I will try it again with your ideas in the post, because before I added the vpn as DHCP Intereface. Maybe this was my mistake.~~ THANKS :) EDIT: Ok, I think I can make it work through RULES (with GW) instead of ROUTES But when I configure an Interface (opt2) with the openVPN Connection (ipv4 none) than the RULE is NOT working. It is going through the default route

Can anyone help please?

Marvosa is absolutely right, what you're trying to do has no logic to it. Don't throw /16s around, you need to actually understand what subnets are and how to use them. Assuming your equipment is capable of handling VLANs, break it down to a /23 or /24 on each VLAN with different actual networks, then go from there. Almost no company actually needs a /16, and it would be a broadcast nightmare if they used one to even half its capacity.

Thank you. That is very helpful.

Muddling through myself, documentation is a bit lacking. I think the bit you need is that (from the bottom of routing page, groups tag)``` Note: Remember to use these Gateway Groups in firewall rules in order to enable load balancing, failover, or policy-based routing. Without rules directing traffic into the Gateway Groups, they will not be used. Going from the default setup, I added a rule to LAN below the "anti-lockout" and above the "default allow LAN to any" Which is almost exactly the same as the "default allow LAN to any" except the "advanced" section at the bottom has the "Gateway" pointed at the Gateway group. I have some other things going on right now with my setup that are not yet working, but I think that part is basically correct…or at least worth a shot. I think (unless you really don't want to use one connection until the other fails) that you might really want both at the same tier, but with different weights (proportional to their speeds) defined (which is back on the gateway, not the groups.) i.e. if one is 1MB and the other is 50MB, one gets weight 1 and the other gets weight 50. Better information welcomed.

So you want all your PCs to use the new ISP connection and let the old ISP just for incoming requests and access? Just set the new ISP's gateway as the system default gateway in System -> Routing. Remember to flush the state table before testing. (Considering you are not using policy routing to choose the gateway on the LAN rules)

thx for the info, Hopefully I wont need to do any special routing on the untangle box…. regards,

You are double NAT'ing, so your network is behaving as expected.  Your DDWRT's WAN is PFsense, so essentially what you are trying to do is access the 192.168.2.0/24 subnet directly over the internet, which is not possible. As currently configured, in order to access the 192.168.2.0/24 subnet you would have to setup portforwards on your DDWRT. i.e.  if you want to access 192.168.2.10 on port 80, you would connect to 192.168.1.2 on port 80, which would be NAT'd to 192.168.2.10. The other option is convert your DDWRT into a router (instead of a gateway) and configure static routes on both sides.  This way PFsense will route 192.168.2.0/24 through 192.168.1.2 and DDWRT will route 192.168.1.0/24 through 192.168.1.1.

sorry, in my younger days I would have been able to put 1+1 and come up with 7 but these days, not so much. what would the gateway be for this?