• Monitor IP for multi-wan config in pfsense 2.0

    Locked
    0 Votes
    14 Posts
    11k Views

    @cmb:

    @kevindd992002:

    Do you mean that it doesn't matter what monitor IP I use since all of them will be load balanced between my two modems anyway?

    No, I'm talking about traffic that gets policy routed, which won't be the case for traffic initiated by the firewall (unless you're getting deep into floating rules, which does give you the flexibility to break your monitor IPs).

    Ok. And pinging a monitor IP is traffic initiated by the firewall? So any IP I use, it doesn't matter because it will come back still load balanced?

  • Unable to ping to other with the same subnet

    Locked
    0 Votes
    5 Posts
    2k Views

    Thanks for your reply, I will try to replace them…

  • 0 Votes
    5 Posts
    2k Views

    You're missing a default gateway, hence have no return routing. You can't put one on a Linksys with stock firmware unless you use the WAN port, which you don't want because that leaves you with double NAT and you just want them to be a bridge only. You'll either have to use one of the alternative firmware distros like DDWRT, or configure outbound NAT to translate to the interface IP when accessing those APs so they don't need return routing.

  • WAN Failover problems on pfSense 2.0

    Locked
    0 Votes
    9 Posts
    3k Views

    Couple things to check:

    Make sure you have at least one DNS server per WAN under System>General Setup if you're using the DNS forwarder (default out of the box config you are). Validate whether it's just DNS that's failing (you can't resolve names, but can ping things like 8.8.8.8), or IP connectivity fails. I suspect just the former because your DNS config isn't valid for multi-WAN. In general, I would not allow overriding your manually configured DNS servers with ISP-assigned ones when using multi-WAN.

    Check your gateways status under Status>Gateways and make sure a failure is being properly detected. If it's not, it's probably because you're doing something like using your modem's IP for your monitor IP and it never goes down when your connection goes down.

  • STATUS > GATEWAYS shows "Gathering Data"

    Locked
    0 Votes
    5 Posts
    6k Views

    Working..

    Thanks.  ;)

  • Nothing will route

    Locked
    0 Votes
    2 Posts
    1k Views

    So I decided that it wouldn't be so bad to just download the ISO and do a fresh install.  This solved the problem and everything is working as expected. ;D

  • Inbound DNS load balancing v2.0.1

    Locked
    0 Votes
    15 Posts
    6k Views

    OK  I'll try that after hours and post back.

    I had to also revert to my old setup because there were some things that rely on the DNS forwarder.  I'll do a big clean up later on as well.  Thanks again for all the help.

  • 0 Votes
    8 Posts
    5k Views

    OK, I got it. However, since I do not control the other side (and I do not want to get involved with it, since it is working fine), the changes that you are suggesting are:
    A) remove the gateway from OPT1 IF
    B) add the corresponding static route.

    I'll give it a try and I'll let you know.

    Thanks!

  • Dyndns failover option ?

    Locked
    0 Votes
    6 Posts
    2k Views

    @jimp:

    tomdlgns,

    The scenario would be, for example, a dyndns entry for something like www.example.com pointing to WAN1. When WAN1 is up, the dyndns host is updated with the IP of WAN1.

    Then WAN1 goes down, when this happens, www.example.com dyndns entry would be updated with the IP of WAN2 instead of WAN1, following the tiers of a gateway group or other similar setting/ordering.

    When WAN1 comes back up, www.example.com dyndns entry goes back to WAN1.

    Effectively it would allow a sort of failover between WANs for inbound connections (for people who can't get their own IP space and BGP…)

    got it..makes sense now.  probably makes sense after reading the first post again.

    thank you.

  • 0 Votes
    16 Posts
    8k Views

    No Firewall: NAT rules were created or generated

  • Multi wan not working

    Locked
    0 Votes
    4 Posts
    2k Views
    ptt

    Post screenshots of your:

    Firewall: Rules  LAN

    System: Gateways

    System: Gateway Groups

  • LDAP authentication from remote AD server?

    Locked
    0 Votes
    2 Posts
    2k Views

    Ah, figured it out. I created a static route to the OFFICE network that uses a gateway pointing at the PFsense LAN interface IP and voila

  • Gateway selection in rules

    Locked
    0 Votes
    8 Posts
    3k Views
    marcelloc

    But if each match stops further execution of rules, isn't it much less flexible than netfilter?

    No it's not. Just move block rule before allow and you will have all working.

  • Adding gateway that uses alias IP subnet fails / only primary LAN works

    Locked
    0 Votes
    4 Posts
    2k Views
    jimp

    You can get around the validation by adding the gateway from the Interfaces > LAN (or WAN) page, click the "add a new one" link by the gateway drop-down and it will let you add a gateway without the validation. Then you can re-select the proper gateway ('none' for LAN, or the right WAN gateway on WAN) and do what you want.

  • Assign multiple dynamic IP addresses to a single interface

    Locked
    0 Votes
    5 Posts
    4k Views

    Ok sadly it's what I had expected. I didn't think of the bridging solution though, so thanks for that one, I'll probably try that approach.

    Thanks
    Bardelot

  • Inbound Load Balancing Question

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    Please don't cross-post the same question to multiple boards.

    http://forum.pfsense.org/index.php/topic,44202.0.html

  • Multi WAN lagg LACP

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • 1 LAN, WAN1 for outbound and WAN2 for DMZ

    Locked
    0 Votes
    5 Posts
    2k Views

    I will answer my own thread for forum-completeness  ;)

    Answer is "no" I can't do what is described in the picture above. This is due to both WANs having/being assigned the same gateway, see http://forum.pfsense.org/index.php/topic,44059.0.html etc.

    The "solution" I'm going with currently is to add a real cheap router in between the switch and WAN2 and then enable DMZ for the router to the WAN2 interface. This way pfSense won't use the same gateway for the two WAN ports (only trouble I have now is that there must be something wrong with my firewall rules since I can't port forward a connection from WAN2 to anything but the pfSense machine itself, but that is another story).

  • Setting up two pfSense devices with HSRP

    Locked
    0 Votes
    2 Posts
    3k Views

    I presume the provider means they're using those IPs for their HSRP, which just means you cannot use those IPs.

  • I have to reset states every 10 hours PFSense 2.0

    Locked
    0 Votes
    7 Posts
    3k Views

    Ok so this ended up being an issue where the firewall auto created a dynamic gateway.  Thanks for the help

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.