@razer0r: You're serious?… This is not some private home connection ... but a fully routed 1Gbit INTERNET connection... in a DATACENTER, where i just rent a server box... (actualy multiple, but that's another story... which is located 12000 KM away from me... Great. Then maybe ASK the collocation provider to provide you with the requested information and post back, instead of wasting other people's time here.

What you are wanting looks possible in apinger, which really just deals with monitor IPs. pfSense has "Gateway Groups" that consist of a set of Gateways with priorities (tiers). But really it seems to me that they are really "Monitor IP Groups". It would be possible to have multiple monitor IPs for each gateway. Each Monitor IP would potentially have its own advanced settings (loss, delay, down time…). The existing "Gateway Groups" could actually become a selection of the "Monitor IP entries", with a tier for each one. apinger reports which target (monitor) IP has a state change, pfSense can use this in a more refined way than now - passing that up to the various "service reload" commands that react to apinger alarms. Then you can have different Gateway Groups that are prioritised on different sets of monitor IPs (although ultimately underneath the traffic is on the same gateways/interfaces). Particular OpenVPN instances, or policy-routing rules can then use a particular Gateway Group that responds as required to the failure of particular monitor IPs. I can think of a use for this here in Nepal - sometimes links to the "rest of the world" internet go down, but our internal national ISP/s are working OK, so my VPN links between offices in the country will still work. In that case, I don't want to try to failover the VPN links to some slow backup link. On my main WAN gateway I could monitor an in-country ISP address, and use that in a Gateway Group for VPN failover. On my main WAN gateway I could also monitor an outside-Nepal IP, and use that in a gateway group for general policy-based routing of browser traffic. I could monitor my international mail server IP, and use that in a gateway group for policy-based routing of traffic to the mail server. The failover could detect (with a reasonable guess) what bit of the internet is unreachable on the main WAN, and just failover that bit to the backup link. This is about having multiple networks/services/resources available over a single gateway, and detecting which particular network/service/resource is now unreachable, and allowing the firewall rules, VPN settings... to just failover the things that need to reach that network/service/resource. How many people have a need for this? And who has the time to code and test it?

Shouldn't be any problems. You have to deliberately allow unsolicited incoming traffic via NATs and Rules.

I think: System > Advanced > Miscellaneous > Use sticky connections is what you're looking for, time out is set to 5 minutes I think on 2.0.3, editable on 2.1. Check what's tracked under Diagnostics > States > Source Tracking

After doing what you have done I figured out that I don't need to add a VIP for those addresses to work. Because the packets are routed to the firewall, you only need a VIP configured if you're planning to use it for a service on the FW itself (openvpn etc.). If you're using it for devices behind the firewall you can simply create 1:1 nat mappings and firewall rules and the traffic will flow as intended.

2.1RC seems to working fine.  No issues yet. But its always had: make sure you have the modules for hyperv installed. make sure that you have the network cards on static mac addresses

thanks all, will give it a go when the project goes ahead

check your pm

Create a rule on OPT2: From: * To: Not OPT1 subnet Gateway: WAN gateway This should be the only rule that allows Internet access.

I'm a teksavvy user also but I have their IPv6 service turned up also.  Let me know if you need any screencaps of my config if you go down that road.

The only way it could work is if you also had outbound NAT fake the source so that the second server sees the firewall as the source of the traffic. Otherwise the far-side server would respond directly to the request, and the client would drop it.

Did you go into your pfsense firewall > rules > Lan and put in a rule to pass traffic to anywhere? The fact that you can ping things inside the network but not outside makes me wonder about your firewall rules.

Should I provide more specific Infos ?

[image: ss1.png] [image: ss2.png] [image: ss3.png] [image: ss4.png] [image: ss5.png] [image: ss6.png] [image: ss7.png] [image: ss8.png] If you need a further diagram let me know… if anyone knows a good software program (free/perhaps online) for drawing a quick one let me know... basically local network is 10.2.24.0/24   the real LAN range is 10.2.27.1-255 though /24 is allowed        /          DSL (OPT 1) is on DHCP 193.168.x.1 (OPT1 is connected to DSL modem/router)                     and static WAN is 50.XXX.5X.121/29 Default GW is .126        bogon RFC is not turned off)

I would expect to have to goto System Routing and setup a Gateway named something like LAN1_OPT1GW assigning the LAN1 interface and having a gateway and monitor IP matching the IP of OPT1.  OPT1 of course being on a different subnet than LAN1. This should create a static route automatically. Then goto Status, Gateways to ensure the gateway link is established. At this point you should be able to ping devices in OPT1 subnet from the LAN1 subnet. Rules could also be added to define specific traffic to pass from Lan1 via the LAN1_OPT1GW gateway.

You can do this also by changing the gateway in the Firewall->Rules->Edit.  There is an advanced section at the bottom of the edit page.  Click on the Advanced button next to Gateway.  Choose the gateway for the particular LAN you are editing. In your case you'd edit the 192.168.5.0/24 page and select Opt3 as the Gateway.  That's it.