In general pfsense should sqitch between Balance and Failover Group and restore if all Gateways are up again. What option did you set on your Balancer Group ? I would suppose to not use "Member down". Better would be high latency and/or packet loss. Further check and make sure that the latency and/or packetloss of the WAN connection is lower than the limits you set for that GW. When you got to SYSTEM -> Routing -> Gateways. You can edit the limits: Latency by default is ~100ms and packet loss ~10% if I remember correct. I set this values higher (latency 300-1000ms) and packet loss (30-50%) because I sometimes have a bad connection and this prevents me from a flapping connection.

Thanks for answer, I did read it but at the last post one of developers send this feature for future development…., any idea if theres a work around for this? or other product I can test? Thank you

Anti-Lockout is ok - no need to change it. firewall rules look ok. no need to use sticky connects when solving all with firewall rules. So why don't you try to connect to https websites (facebook) and check if it is using GW1 ?

Thank you for answer If it were possible to perform the floating rules specific request of customers to 80 out for a determined group of gw And other clients on the other gw my problem would be solved already Until they do not think a more elegant solution Will this method forcing tcp_outgoing_address Too bad he did not understand the variable created in LoadBalance

@sap68: If I understand correctly I will be fine if I use google or open DNS servers IP as a gateway monitor, I'm right? Yes, set google DNS 8.8.8.8 for GW1 and 8.8.4.4 for GW2. (Google DNS servers) and in SYSTEM -> General Settings set other IP addresses as DNS servers. then everything should be finde. Don't worry to much about that fact because I am not sure if this is still correct on actual pfsense version. the documentation/wiki could be a little bit outdatet on this point. Not 100%. @sap68: Ps. I experienced in last few days some issues about https web sites, maybe it's better open a new topic about these? Thanks again… You can use sticky connections in SYSTEM -> ADVANCED Or you create a separate firewall rule for destination port 443 and select GW1 as gateway. (or better create a GateWayGroup with GW1 Tier1 and GW2 Tier2 and set this Gatewyay Group as the Gateway for the https firewall rule.

figured out the solution. LAN1 192.168.100.1/24 LAN2 192.168.101.1/24 For every client, i add a virtual IP so they belong to both subnet. e.g. Client1 IP: 192.168.100.11/24 Virtual IP: 192.168.101.11/24 Client2 IP: 192.168.100.12/24 Virtual IP: 192.168.101.12/24 Client3 IP: 192.168.100.13/24 Virtual IP: 192.168.101.13/24 Client4 IP: 192.168.100.14/24 Virtual IP: 192.168.101.14/24 It worked normally now, hopefully without problems after i put in the traffic shaping rules. Thanks for the advice.

When you only have a rule where you have specified loadbalance_gateways then everything will try to go out that way and not follow regular routing. to solve this, you need an additional rule "above" the rule where you specify the loadbalance. rule specs: source:any destination:10.10.53.0/24 (or whatever subnet you choose) gateway: do not set any

Depends on which speed test you're using. speedtest.net now opens multiple TCP connections, but not simultaneously, which means your end result is going to be some combination and average of the speed of the connections. Those that open multiple connections simultaneously will show the sum of all the connections. Others will stick with one.

@cmb: Yes and no. Having multiple routers on the same subnet like that creates a lot of routing complications. Better to put each on its own subnet, then you can do what you're looking to do without any complications. Thanks alot for your response! :) I only have 2 NIC's, what seting do i use for the 3rd one? do i use bridge for that one to? 1 nic(bridge) 192.168.0.1 = router wan1 2 nic(bridge) 192.168.1.1 = router wan2 3 nic(??) 192.168.2.1 = VMware pfsense [image: 2dv7mtv.jpg]

Ended up getting this working! possibly a bit unique to OVHs setup. Created a WAN interface, assigned the IP address of 10.40.40.1 (completely random) and one of ovhs virtual mac addresses which all my IPs in the /28 range are set to. Added a shellcmd to set a static arp entry for 10.40.40.254 to the mac address of OVHs gateway and to set 10.40.40.254 as the default gateway. Doing this via the gui and just setting the static arp entry via shellcmd led to a "proxy entry exists for non 802 device" message when setting the static arp entry. Created a DMZ interface with my /28 range and added a VIP on the WAN interface for this to accept any ARP requests. Left the LAN interface alone. Added NAT rules to rewrite the source address of all packets to have the first IP in the /28 range i.e. the IP address the DMZ interface gets. Hope this helps somebody else…

i use the default dns for ISPs,and when i traceroute google.com twice in sequence ,the results show that loadbalance is worked in a good way, the problem happened with the wan interface not the opt.

@cmb: Everything that passes out of a WAN interface (any interface with a gateway selected) gets routed to the WAN's gateway by default by the pass out rule, so if you have a static route on an interface with a gateway that goes somewhere other than the gateway on that interface, you need a floating rule to bypass said policy routing. Pass out on WAN from the appropriate source to the destination of the static route with no gateway selected with quick chosen. Thanks, that did the trick :D

afaik, it can't be done with pfsense

Sticky with multiple PPPoE with the same gateway isn't going to work correctly.

Default any any rule should do the job on the another nic. Another nic needs also the same kind of rule.

is the 'block private networks' box ticked ? are you sure the opt1 interface is in the correct subnet and its not the same as the WAN subnet ?

I solved thanks only adding the rules to go to internet

In some cases, jut tagging vlan1 on firewall port should work. On thing to keep in mind while using vlans, never configure a port with tag and untag ids.  ;) att, Marcello Coutinho

http://forum.pfsense.org/index.php/topic,28379.msg148389.html#msg148389