Bypass firewall rules for traffic on the same interface. That seems to have fixed it. thanks ;D

There are really cheap Intel MT dual nic on Ebay… (PCI-x)
They work great!

Those packets are TCP FIN+ACK packets, so it's the last packet of a closing connection.

Most often, it's this:

http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

I figured it out :-) Added two outbound NAT rules for the interfaces, source "any".

Thanks.

@cmb:

For routed subnets, you do not want VIPs (other than type Other), just have them routed to a CARP IP on your main IP block.

Ok, great.

Thanks SeventhSon, but this doesn't appear to be the problem. As I said, I have even tried disabling the monitoring. I have tried several monitor IPs. And the graphs shown are with monitoring disabled, from and external network monitor.

You probably want some Manual Outbound NAT magic to get this to work properly

@eytanes:

Is there any way to get the reply traffic route via a specific gateway without using the routing table.
The reason I'm asking is that I would like the return traffic out of an interface to use a gateway group.
I've found that the 'gateway' field in the firewall rules only apply to traffic generated on that side. Any return traffic that goes through will always use the routes in the routing table and not the rule.

That's a much different scenario than this one, the reply-to is automatically added to WAN rules which takes care of that. The exception being where you have multiple routers on the same interface, then reply-to is only set for the one chosen as the gateway on that interface. Disabling reply-to is at times a work around for that.

Please start a new thread with a description of what you're trying to do for further feedback.

SOLVED!

The 'Gateway' field should be filled in the Interfaces->OPT1 configuration section. Then just add WAN and OPT1 interfaces in Load Balancing mode (Services menu). Thus, all incomming packets on the LAN interface also obey the defined static routes.

Cheers!

SOLVED

In theory only though.  I havent had time to test so correct me if im wrong.

Make a firewall on the LAN interface.  Specify the source as being from the LAN subnet.  Destination being the IP and/or ports its going to.  Then at the bottom under advanced options simply choose which gateway.  Must make sure you add that 2nd WAN as a gateway.

… I read that so many times now I see the pictures.... Also it fixed my issue thank you

I deleted the firewall rule for WAN1 subnet and re-created the rule but with no success/change.

Noone who could help me with this problem ? Or perhaps it is none ;)

@cmb:

@kevindd992002:

Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).

Ok. And a pinging a monitor IP is traffic initiated by the firewall? So any IP I use, it doesn't matter because it will come back still load balanced?

Thanks for your reply, I will try to replace them…

You're missing a default gateway, hence have no return routing. You can't put one on a Linksys with stock firmware unless you use the WAN port, which you don't want because that leaves you with double NAT and you just want them to be a bridge only. You'll either have to use one of the alternative firmware distros like DDWRT, or configure outbound NAT to translate to the interface IP when accessing those APs so they don't need return routing.

Couple things to check:

Make sure you have at least one DNS server per WAN under System>General Setup if you're using the DNS forwarder (default out of the box config you are). Validate whether it's just DNS that's failing (you can't resolve names, but can ping things like 8.8.8.8), or IP connectivity fails. I suspect just the former because your DNS config isn't valid for multi-WAN. In general, I would not allow overriding your manually configured DNS servers with ISP-assigned ones when using multi-WAN.

Check your gateways status under Status>Gateways and make sure a failure is being properly detected. If it's not, it's probably because you're doing something like using your modem's IP for your monitor IP and it never goes down when your connection goes down.

Working..

Thanks.  ;)

So I decided that it wouldn't be so bad to just download the ISO and do a fresh install.  This solved the problem and everything is working as expected. ;D

OK  I'll try that after hours and post back.

I had to also revert to my old setup because there were some things that rely on the DNS forwarder.  I'll do a big clean up later on as well.  Thanks again for all the help.