• 0 Votes
    4 Posts
    19k Views
    C
    @jimp: Sticky keeps an association between a client IP and a gateway so long as there are active states for that client.
    This is how I understood the sticky connections work, but as the "Show States" displays no active states I think there is somewhere something that "inadvertently" prevents the sticky connections option from achieving its goal by ending connections (thus becoming FIN_WAIT_2): it might simply be the HTTP "Connection: close" header.
    @jimp: In https://github.com/bsdperimeter/pfsense/commit/4573641589d50718b544b778cea864cfd725078a I added a GUI field to control the state tracking timeout so that sticky association can be held longer.
    I'll give it a try…
    @jimp: What some people do is direct HTTPS into a failover group instead of load balancing.
    In this case, the websites aren't served via the HTTPS protocol. One funny thing I found while testing: some site's backoffice where I was always "kicked" off in 3 or 4 seconds was now working just fine (or at least for 10 minutes) after I added the following firewall rule just before my "load balancing" rule:
    TCP 192.168.0.0/24 * * 80 (HTTP) GW_LoadBalancing none
    So my firewall rules are:
    TCP LAN net * * 443 (HTTPS) GW_WanA_FO_WanB none
    TCP 192.168.0.0/24 * * 80 (HTTP) GW_LoadBalancing none
    * LAN net * * * GW_LoadBalancing none
    I can't really explain how this could have any impact, as rule #3 does the same job as the newly added rule #2.
  • Traffic of routed subnet have to go to 1 specific connection

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    jimpJ
    Those interface rules are only for outbound connections; the incoming rules would be on the EDPNET01 interface, and would have to allow whatever you're trying.
  • Port forwarding with multiwan

    Locked
    18
    0 Votes
    18 Posts
    14k Views
    K
    @podilarius: As cmb said, it could have no gateway or it does not use it. It is best to put a tcpdump on the pfsense LAN while you try to access it and see if it is returning any packets. If not, then your AP is either not configured correctly or just ignores your settings. Ok, so that's my first step in this troubleshooting. Should I post the results here?
  • Multi squidGuard ACL

    Locked
    1
    0 Votes
    1 Posts
    970 Views
    No one has replied
  • Multi-Wan with 3 ADSL Connections

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    N
    First try if LoadBalancing with your three connections is working in general. Try: www.pfsense.org/ip.php Refresh the page fast after another and make sure that you get displayed all the public IPs of your connections. Another possibility could be to browse to maps.google.com - zoom in and out and check the traffic graphs on the dashboard if all your WAN connections will be used. If this or the above is working then LoadBalancing is working and you should not bother about speedtest.net. I am using three ADSL connections, too, and I only get two connections "combined" with speedtest.net but on other websites I can see that LoadBalancing is working over all three connections.
  • Internet access from LAN

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    S
    Not wanting to double post in the forums, so I will ask a moderator to close this thread and I will start a new post in the DHCP/DNS section since my issue has moved in a different direction. I still have the same issue unresolved but I think it would be best suited in the DHCP/DNS area also.
  • 6 Interfaces: Multi-homed and same segment on two nics (twice)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    P
    It might not be ideal, but sometimes that is the hand we are dealt. Thankfully pfSense is flexible and can work for both solutions.  ;D
  • PFsense 2.0 + LoadBalancing + Squid + Havp

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Accessing xDSL Web GUI as bridge on WAN

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    G
    @clarknova: You're probably looking for this: http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall#For_2.0 Beautiful!  Works like charm! Thanks!
  • MLPPP - bonding two adsl connections

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Check your traffic shaper settings. If you used the wizard to set up the shaper when you had only a 10 mbps connection then it will continue to enforce that.
  • 0 Votes
    2 Posts
    991 Views
    jimpJ
    No, that would not work. The reply has to leave with the same IP/port combination that it came in on, and your ISP on the other link would likely drop that traffic even if it could go out the other way, since it is not their subnet/IP to route. In order for a reply to go out another WAN, the request would have to come in on the other WAN. It may be possible to do that via DNS trickery (round-robin DNS) but it wouldn't be perfect, and not something you can really manage in the firewall. So long as you have a port forward to the web server on both WANs you should be able to reach it, assuming your 3G link isn't behind NAT already. Many of them are, so you couldn't take inbound connections on there.
  • 2 pfSense routers connected over wifi as fall over system

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    As long as you both do outbound NAT on the wifi interface, and do outbound NAT for the wifi interface subnet, then it should be fine if you do it that way. You'd need to use manual outbound NAT since automatic outbound NAT would not work for that kind of scenario. You'd also need to make sure the wifi interface firewall rules allow the traffic from them out to the internet (but you may want to block it from reaching your LAN, unless you really want them to poke around in your LAN). With the wifi interface set like a WAN (with a gateway, etc.) then you can set up a gateway group and do whatever you like with the traffic.
  • Load balancing 2 WANs (Sat and DSL) based on protocol and interface speed

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    G
    I had a first try and pfSense reports a warning on satellite latency, which is normal.
  • Multiple IP ranges into one VLAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    K
    Could you please specify how I have to do this?
  • Configure pfSense as a router only

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    C
    In that case you're stuck using NAT on the rest of the IPs. With regular Ethernet connectivity in that scenario you can bridge a DMZ interface to WAN and use the remaining public IPs on that DMZ, but that's not possible with PPPoE.
  • Zone Bridging?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    V
    Oh cool thanks. Messed around with my firewall rules. All working correctly now.
  • 0 Votes
    7 Posts
    4k Views
    T
    Is this setup possible for redirecting my Yahoo Messenger to my WAN? Because I noticed it's taking much bandwidth in my OPT1… because my WAN is for browsing and my OPT1 is for my online games... every time they use YM it becomes too laggy... thanks in advance.
    YM voice chat port = TCP 5000-5001, UDP 5000-5010
    YM message port = TCP 5050
    YM webcam port = TCP 5100
    FIREWALL=RULES=LAN interface = protocol = source = destination = gateway =
  • Multi Wan with 2 separate Firewalls

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    X
    You state you want to separate the networks so you don't break the family Internet, but the LAN is shared between both firewalls. Since both firewalls get a public IP why not keep them separate? (same ports being used by both servers?) Depending on your setup to force server1 to respond to requests through FW1, set a static route on server1 to use FW1 as its gateway. Which firewall is the: DHCP gateway DNS for the servers?
  • How to redirect a online game to my 1st ISP

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    Example, sir: I want to redirect Yahoo Messenger to WAN, because YM is taking too much bandwidth in my OPT1, which is my online games ISP.
    Yahoo Messenger voice chat port = TCP 5000-5001, UDP 5000-5010
    Yahoo Messenger message port = TCP 5050
    Yahoo Messenger webcam port = TCP 5100
    FIREWALL=RULES=LAN interface = protocol = source = destination = gateway =
  • 0 Votes
    2 Posts
    2k Views
    G
    Create a Gateway Group with your two WANs, change your LAN's outbound internet traffic from default gateway to your new gateway group. Set up Squid in transparent mode and add a custom options rule at the bottom with the following:
    tcp_outgoing_address 127.0.0.1
    Then go to outbound NAT and create a rule for each of your WANs as below:
    WAN    127.0.0.0/8 * * * * * NO    WAN_1 Rule
    WAN2   127.0.0.0/8 * * * * * NO    WAN_2 Rule
    Now create a floating firewall rule as below:
    TCP WAN_MAIN address * * 80 (HTTP) Loadbalance1 none   GW1andGW2
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.