Don't add static routes, pick the appropriate interface in the OpenVPN config.

Any ideas or suggestions how to solve that problem ?

You won't have a gateway for the proxy arp. It will use the default wan gateway.  The ISP is routing to the existing wan address therefore pfsense will have to route them or use them. Proxy arp is a way to use them. Other wise they would need to be routed to internal machines.

Here is a video complete with bad music I found for you.  https://www.youtube.com/watch?v=n5COzizaMYQ  This has the tiers setup the same so it would be round-robin with failover.  Documentation is located here http://doc.pfsense.org/index.php/Multi-WAN_2.0.  Good luck!

Sounds like you def have WAN failover configured. I assume if you do a direct connection to one connection or the other you get full speeds?

do you plan to move this box to be in front? if not, why are you using 1 pfsense box behind another, just for testing right now? (done it myself, so understand)

Would it not be easiest to just assign 1 IP to the WAN interface and then create Virtual IP's and NAT set ups to point to the internal LAN IP's and be done with it?

if you want LAN IP's to go OUT on external IP's other than the LAN default, you need to go to Firewall - NAT - Outbound NAT and enable MANUAL mode. you then enter in the internal LAN IP and then choose the ext IP you created (under Virtual IP's) to go out on.

@alanfs: I run multiple pfsense (pairs) at multiple locations and I am moving to a BGP setup. All of the sites are connected via a ring to each other and to the internet. I have a /21 which I want to split between the sites (probably a /24 at each site). I wanted some advise on the best way to set it up. Should I anounce the whole /21 from one of the pairs or should I anounce each of the /24 from each site? My ISP technican said me that you always have to announce your biggest network/AS … (we have also an /21 ;)). If you later separate your networks then the separate network would be announced as /24 minimum and gets preference over your /21 announce. We have split our actual used /24 in 8 parts... I announce additional /28 parts and our ISP routes them individually between our two buildings but announces only the /21 to public. If your ISP is good he can it this for you, too ;). For instance you can set an COMMUNITY Tag for your /24 networks which your provider then can filter out for internal use only. Bests Reiner

I just thought I would report back. It was Firewall related as the 'Bypass firewall rules for traffic on the same interface' option under 'System' -> 'Advanced' did the trick. I applied this setting to router 1 and now it's all good. Thanks for your help!

We are in a large data center.  Each firewall has it's own external network, we try to get them as different as possible.  So each one is a different path.  One VLAN has over 600 servers.  manually load balancing the gateways is painful.  Plus when I add a new firewall its a pain to go change 20-30 machines to use it.  If the whole VLAN used one IP as it's gateway, and that device could round robin each connection to a different firewall, that woudl simplify everything tremendously.  I would just add the new firewall to the list, instead of 20-30 servers.  Plus, we have some machines that spin up 20 different processes, I would love for each process to have a different gateway, instead of all having to use one. We have a full gigabit to the Internet, everything in our data center is gigabit. Thanks, I am open to any suggestions if there's a better way to do it.

Thank you, The WAN connection is done via PPPoE. I have contacted the hosting company, they claim the website is fine (because they can browse it). There was not issue before setting up pfsense in the client's premises and there was no issue for a day with pfsense up and running. What more details are needed? What should I check? Best regards Kostas

About the first post. In what way are you connected to your provider? Is there modem giving you the ipadresses and working as a dhcp server? In what way does it connect to your provider? I'm using a modem in full bridge mode over pppoe. What I have running now is different external ipadress for single computers not interfaces. If I have some time I'll try if I can make it work for an interface like your setup. Something on my todo list for a long time anyway. About the cant allocate llink, whatever I have found about it is a problem with the default gateway or default route. http://forum.pfsense.org/index.php?topic=33504.0 I've had a problem with a modem in half bridge that was giving external ipadresses by dhcp where the gateway and the wan ipadres were not in the same subnet. Manually editing the default gateway/route solved it. Thats why I'm curious about your isp connection.

bump!  ;D

Replied to your PM

Dont know your setup but i think your dlink is firewalling all the traffic from the outside wich is your .50 network. The traffic from the inside the .10 network is not being firewalled since that is trusted traffic and 99% of all routers are setup like this. Also the network before the Dlink does not now of the existence of the .10 network since all they see is your dlink that has an .50 adres. So if any traffic needs to go to the .10 network only the dlink knows where it should go. That can cause a lot of problems to. Its best to setup de dlink as an accespoint, no dhcp firewall or nat. Add a third network interface and connect it. Let pfsene do the firwalling nat and dhcp an add firewall rulles to allow traffic between the networks. You can do this also without an extra interface just connect it to the 24p switch and everybody on the wireless will get an .50 address. But than you cant apply any firewall rules to it. Link with info howto set it up as an acces point http://apttech.wordpress.com/2009/09/29/how-to-connect-a-dlink-dir515-wireless-to-another-router-to-use-as-an-access-point/