• Routing problem with vlan after nat

    1
    0 Votes
    1 Posts
    720 Views
    No one has replied
  • Dual WAN failover and 1:1 NAT

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    That works fine. For the Second WAN you will need VIPs for the external IPs of the 1:1 NAT, but otherwise it should be the same. Traffic that enters WAN or WAN2 will go back out the expected path. Traffic that is initiated from the inside will choose a path based on your gateways/groups in LAN-side rules, as it would for any other Multi-WAN setup. As it leaves a particular WAN, the 1:1 NAT for that WAN will apply on the way out.
  • Multi ADSL Issue

    2
    0 Votes
    2 Posts
    1k Views
    P
    Just to give some further info… LAN - 192.168.200.2 /22 WAN - 192.168.205.254 /24 ADSL Router 1 - 192.168.205.1 ADSL Router 2 - 192.168.205.2
  • Route lan interface subnet via another router.

    2
    0 Votes
    2 Posts
    2k Views
    P
    From your description, pfSense (gw1) is the gateway to the "real public internet" and gw2 goes to some other networks (presumably networks with private IP ranges behind gw2). If so, then the LAN clients should use pfSense (gw1) as their default gateway. That will resolve the asymmetric routing problem for normal internet traffic. Then you get asymmetric routing when LAN clients send to addresses behind gw2 - the clients send to their default gateway (gw1) which redirects the traffic to gw2. The replies from behind gw2 are delivered direct to clients on LAN. So pfSense (gw1) cannot keep track of the states. You can: a) switch on sloppy states to allow this, or b) on pfSense you could NAT traffic coming from LAN that is directed to networks behind gw2 (then the networks behind gw2 see all the traffic as coming from the pfSense LAN IP, so replies get delivered back to pfSense LAN IP, and get unNATed there and delivered to clients). That forces symmetric routing, but means the networks behind gw2 do not get to know the real source IPs of the clients. or c) Put gw2 on a separate [NIC|VLAN] and subnet on pfSense. Then traffic to behind gw2 has to transit through pfSense in both directions - no asymmetric routes.
  • Dualwan problem with dhcp wan

    2
    0 Votes
    2 Posts
    1k Views
    H
    Some cable modems send out a private IP address in the event the ISP's DHCP is unavailable (for whatever reason). If this happens, you can get what you describe.
  • Dual WAN load balancing by application possible?

    4
    0 Votes
    4 Posts
    1k Views
    K
    Many games use specific UDP ephemeral ports or "client ports". You can check the source port on the LAN interface firewall rules and send those through the ADSL gateway. This will still break for Steam games since the Steam ticket will be against another IP address if Steam doesn't get classified correctly (it officially has specific ports too but in practice I haven't seen it use those ports). Other applications such as uTorrent let you specify the ephemeral port range in advanced settings so you can also use it to route Torrent traffic from properly configured clients. In general I'd recommend sending only HTTP/HTTPS through the Satellite connection and let everything else default to ADSL to avoid breaking things. Other than pfSense there is no other router which can do this except very expensive hardware.
  • PfSense 2 WAN - 2 LAN , WAN is DHCP, both WAN gets same gateway

    2
    0 Votes
    2 Posts
    3k Views
    K
    Are the outbound NAT rules correct? You need outbound NAT rules for both WAN1 and WAN2 similar to the automatic rules that get generated for WAN1. You need two gateways under System > Routing for WAN1 and WAN2. In the firewall rules for LAN1 and LAN2 you must use the advanced gateway parameter and set it to WAN1 and WAN2 respectively for your Internet traffic rule.
  • PFS 2.0.3 and dual PPPoE WAN

    5
    0 Votes
    5 Posts
    2k Views
    D
    Are you using different monitor IPs for each interface?
  • Multi-Wan/Load Balance Traffic Routing

    2
    0 Votes
    2 Posts
    1k Views
    K
    Hi Everyone, Just a quick update. I put in a firewall rule that will take all http(s) traffic and push it down one of the gateways and everything seems to be fine now :). I will call this "closed".
  • Static route issue

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi access point with server filtering.

    2
    0 Votes
    2 Posts
    829 Views
    K
    I'm assuming all these things are connected via a single switch or set of chained switches. Any resources connected to the same switch(es) can't be firewalled as you suggest. You can create a bunch of VLANs and use a VLAN switch and firewall rules to accomplish this though.
  • MOVED: Load Balance

    Locked
    1
    0 Votes
    1 Posts
    769 Views
    No one has replied
  • Setting up devices with static public IP behind pfSense?

    4
    0 Votes
    4 Posts
    2k Views
    M
    If you want better VOIP then ditch the ADSL and go with a cable solution. I had nothing but trouble using my BellSouth business ADSL.
  • Existing NW Environment - Want to add a new Subnet

    2
    0 Votes
    2 Posts
    742 Views
    M
    pfSense is a fully functional router and firewall. You can disable the firewall stuff and only use the routing if that's what you're looking for. If you gave a little more information on your setup then it makes it easier to explain for you. Are we talking about internal subnet or an externally routed subnet?
  • Captive portal 1 interface download issue

    1
    0 Votes
    1 Posts
    777 Views
    No one has replied
  • WAN1-2 routing to VLAN

    2
    0 Votes
    2 Posts
    1k Views
    K
    If it's trunked to pfSense then each VLAN will show up as a separate interface in the firewall page. Just edit the Internet access rule on the VLAN30 interface and set the gateway to WAN2.
  • 2 WAN interfaces

    13
    0 Votes
    13 Posts
    7k Views
    M
    @jamesl: I think the confusion is a person can use the same gateway for dual wan, but you need to use "two different monitoring IPs". That is what I did to make my setup not show "Gathering Data State". You can have the same gateway for dual WAN, I am using one such setup now. I think since version 2.0 or maybe 2.0.1 you can have the same gateway for multiple interfaces via PPPoE. Like this poster said, you need two different monitoring IPs. Really anything will do, but I liked to use my ISP's recommended DNS. I was slamming my head against a wall with this too. Change it, it should work.
  • [Solved] Load Balancing by port / service

    1
    0 Votes
    1 Posts
    905 Views
    No one has replied
  • Separate 2 wan yet on the same network

    5
    0 Votes
    5 Posts
    1k Views
    K
    Yeah - You can do it with Manual outbound NAT.  Easily.
  • Virtual IP stops Internet everywhere on the network !?

    3
    0 Votes
    3 Posts
    930 Views
    P
    My internet connection is direct by LAN with static IP. I have tried with IP alias & Proxy ARP - same results. I did not have enough NICs so that is why I wanted to put the second IP on my WAN NIC too. Anyway I have found a workaround adding one more NIC (and changing the PC of course) so now it is working with two separate physical NICs. The idea is not to use multiwan as failover or loadbalancing because the ISP is the same so if something goes wrong with the ISP I will lose both WANs. The idea is to make separate rules for HTTP request for my two Webservers. The first IP is going to first Webserver and the second IP is going to second Webserver.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.