• New install + Multi WAN <=> Only one WAN functioning

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    Lexje, you shouldn't need to create 3 gateway-groups for what you are trying to accomplish. Create only 1: Tier1 BGC & Tier1 Dommel. Then go to your firewall rules, to the LAN tab. Adjust the default any-to-any rule, scroll down to the advanced section. Change the gateway to your newly created gateway-group. You do have to realize that pfSense will not gain you a speed difference with typical http/ftp connections (see previous post). It should however speed up when you use P2P or speedtest.net. Sunny regards, Jeroen
  • How to use static route in WAN port of NAT(version 1.2.3)?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    H
    Thanks for your help, I will try 2.0.1
  • General Question: Routing between subnets

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    W
    Okay… so today it works like it should. I don't know what went wrong before I opened this thread - I guess that day simply was too long ;) Thanks for your kind support and detailed replies! Kind regards, Sascha
  • Static Routes Disappear from routing table

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    jimp
    That would not give you full two-way routed connectivity over the VPN. You either don't get a proper return route or you have to do NAT as the traffic leaves. If you are only concerned with failover in one direction, it may be acceptable, but if you need fully routed two-way connectivity, you need a routing daemon.
  • Firewall rule with gateway - policy based routing

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    D
    @Terrabit_AH: Why don't you fix the problem in pfSense? Other devices like a Cisco router can route over IPsec, not really, but the routing table will be used. That means you route the traffic based on the routing table and only the encryption will be effected by IPsec policy. That's the main reason why IPsec is used: to define encryption policies for traffic between two hosts or networks.

    Not doable at the moment, due to how FreeBSD (the underlying OS FreeBSD is based on) handles IPsec traffic. Read http://forum.pfsense.org/index.php/topic,50589.0.html
  • Does anyone have mlppp with rh-tec running?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Quagga not connecting to other routers

    Locked
    16
    0 Votes
    16 Posts
    4k Views
    H
    I've set up an additional test box to have two boxes that could be easily reset without disrupting the normal users. I've now got it working on these test machines by adding tunnel and remote on the VPN client configuration.
  • VM9 + pfsense + 3g modem NO INTERNET connection Please Read Inside

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How can I reach my DSL modem in bridged mode?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A
    Indeed it does! I must've skipped over it since it's labeled PPPOE. Thanks! :) EDIT: Actually, the 2.0 instructions don't work. It won't let me assign another interface definition to the same network interface. "The following input errors were detected: Port ue1 was assigned to 2 interfaces: OPT1 OPT2"
  • Multi WAN+Single LAN firewall connectivity issue after a while

    Locked
    1
    0 Votes
    1 Posts
    921 Views
    No one has replied
  • Routing Public IP - The Definitive Guide incomplete

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    What version of pfSense are you running? The book was written for version 1.2.3. If you are running 2.0 or higher, there are more options than there were in 1.2.3.
  • NAT reflection on multi-WAN and multi-LAN

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    F
    It was a configuration error. I only specified the interface and left the destination address unspecified… I should of course have selected that interface's address. I just reverted all changes and it is working. I killed that cronjob that makes sure my gateway is manually added. Thanks for your input. The "gateway outside scope issue": I still think pfSense should take care of a situation that has a gateway outside of the scope. The reason "It's not according to RFC" just isn't enough reason… Things should be about "working" vs "not working". In fact the ISPs should even give a /32 address to their clients, as those clients within the /24 network can only be reached through the gateway and not directly... I've seen routers that couldn't cope with that and they had to be given a /32 address. The issue with grep: I don't know, but I'm not giving it too much thought. If someone has an idea, you're welcome.
  • Multi-WAN with 1 WAN interface and two gateways

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    There isn't any documentation on that. Short of learning everything about PF's route-to and reply-to. You're in for a ton of work. Even at that, it's not possible to fully address. Put in a small VLAN-capable switch and save yourself a huge amount of trouble.
  • Dual WAN failover wirelesslink/OpenVPN tunnel

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    H
    You can choose to go for failover or load balancing. You basically set a priority for a gateway; if gateways have the same priority (Tier) then you have load balancing. If one gateway has a higher priority over the other, then you have failover.
  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multi subnet transparent

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    If I were you, I would set up a virtual server and virtualise pfSense. This would allow you to create multiple vNICs so you can route traffic… and the config is a lot easier, especially with VMware. Another way: there is an option in pfSense to add in IP Aliases. So under Firewall there is a virtual IP option; click this and select virtual IP (IP Alias). Then make up the gateway address for the LAN NIC and make it whatever you want. Then the networks will be able to communicate and get out on the internet... For security reasons, FYI, if the networks are going via the same switch, I would look into VLANs if I were you. There would be nothing stopping me changing my IP to something else and compromising the network. (You may already have this in place, just an observation.)
  • Squid proxy installation

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    This is how I understand it. Squid is based on cache… So if you happen to change your IP over, and then do, say, www.whatismyip.com, the IP for me would be the same. But to check this 100% I log on to pfSense and check the system logs, which by default will say "logon successful from IP....." Then you know for sure what IP you're actually getting, and not a cached Squid interpretation. Does that make sense? I hope that helps.
  • About to order another DSL line to do MLPPP

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    C
    @svfusion: is there a better way to ask for this that they might understand?

    To the first level people you get on the phone? Highly, highly unlikely. If you can get escalated to someone that actually has a clue about PPP stuff, then maybe. Hopefully these are business connections you're talking about, much more likely to get someone competent then. Windstream does do MLPPP on bonded T1s at least, whether they're able or willing to do so on DSL I'm not sure.
  • Problem with incoming traffic on second WAN interface

    Locked
    2
    0 Votes
    2 Posts
    887 Views
    P
    @imcfarla: I have a setup with 2 WAN connections. WAN is the default gateway; OPT1 is the secondary WAN connection. Port 443 is NAT'd on both interfaces to the same IP address. I have an interface group with both WAN and OPT1 set up, with all my firewall rules set on there for incoming connections. When I try to connect to WAN:443 it works fine; when I try to connect to OPT1:443 it fails. If I do a packet capture I can see traffic coming in on the OPT1 interface but no outgoing traffic. However, on the WAN interface I can see traffic going out with the OPT1 address stamped on it - this is obviously wrong but I have no idea how to fix it. Outbound NAT is currently set to automatic. Any ideas?

    1. Add to your Local Server additional IP (IP1: 192.168.1.10 and add IP2: 192.168.1.11)
    2. Set to Advanced Outbound NAT
    3. Add a rule for Source 192.168.1.11/32 (second Server IP) to use OPT1 as Translated address
    4. Move this rule above Auto created rule for LAN to WAN

    Do NOT forget to set a NAT rule for OPT interface

    Regards, Andrej
  • BGP and routing problems

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    With full Internet routing table feeds, the status page won't work, you have to use bgpctl via SSH to get that information. Nearly all the BGP deployments I've done use the raw config option in the openbgpd package. The GUI is lacking unless you're doing really basic stuff. Hope to see the GUI improved with time. For now, for many things you have to use the raw config.