I did notice one problem with using the PFsense box as a router as described above. It does route traffic as expected and i can have my 1 or 2 rules to restrict access to the box except from my network, but apparently this breaks PPTP connections. I have and will have other firewalls behind this pfsense router and currently i am running another pfsense box behind it for my private network. I will have another for a DMZ network, and then i have other customer that will be behind it with their own firewalls. Kind of a bad thing if they won't be able to have vpn's. Haven't tried and FTP'ing yet to see if it will have a problem. I'm a little confused as to why it would have these problems since NAT is essentially off.

this is my error from system log:

Mar 31 09:43:43 kernel: arpresolve: can't allocate llinfo for 24.13.136.1

@GruensFroeschli:

What IPs are used between the pfSense and the cable-modem?
Is it the same subnet than you use in your LAN?
–> That wouldn't work.

Hi GruensFroeschli,

Your tip was gold worth. It runs and here is my solution:

WAN / Internet
           :
           : DialUp-Cable-Provider
           :
     .–---+-----.
     |  Gateway  |  (Router, Fritzbox 6360 Cable)
     '-----+-----'
           | LAN 10.100.100.1/24
           |
           | WAN 10.100.100.2/24 (Static)
     .-----+-----.
     |  pfSense |
     '-----+-----'
           | LAN 192.168.245.50/24
           |
           |
     .-----+------.
     | LAN-Switch |
     '-----+------'
           |
           |
           | LAN 192.168.245.100/24
     .-----+------.
     | PC          | (PC/Client-LAN 192.168.245.100/24 with Gateway and DNS 192.168.245.50)
     '-----+------'

@DarKcapricoRn
Nice illustration. PPTP may be simple, but according to the docs for pfSense 1.2.3, there are a few limitations specific to the implementation of pptp on pfsense that may limit your ability to have more than one concurrent connection to the same pptp server. I've never tried this though, and even if this is a limitation, there is likely a workaround.

But, you may be able to use another method of tunneling traffic. I've used ssh to create tunnels from one location to another. Ssh even supports dynamic SOCKS proxies. If you only want to try to load balance traffic, perhaps you could create two ssh tunnels with socks (look for the -D option) on different ports/ip addresses on your local network which will be connected to the host outside your network. You could configure each ssh client instance to take different routes to the outside host such that each instance would use each of your WAN ISP connections. Then you could loadbalance using the server option. Note: I've never actually used server loadbalancing with pfSense, only gateway loadbalancing.

If there really is a limitation for pptp vpns running on pfSense and you and your tutor want to use pptp, perhaps you could use separate pfsense boxes to maintain the desired vpn connections separately, then use a third instance of pfSense to handle the loadbalancing. I have used pfSense virtualized and it seems to work fine. But I don't deal with heavy traffic.

HTH,
-Joshua

I have been thinking about this some more, and I think I have to enable a loopback interface in the web GUI, and set up my public /24 as virtual IPs on that interface. From there, I SHOULD be able to NAT without a problem - I think?

Thank You

That Was It What I Was Missing =)

My Best Regards
Hevreka

What version of pfSense are you using?  When I set up my 1.2.3 configuration I used a tutorial that I can't find right now.  You might want to check this out:

http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing  I didn't use this one but it looks similar.

and I just found this for 2.0 which I'm going to get started on in the morning:

http://forum.pfsense.org/index.php?topic=28121.0

Regards,
Michael

@Padua:

Yes,
the bridge is already working perfectly, because I can access the rl0 LAN Wireless LAN to OPT1 RL2.

That's because there's a default rule that allows LAN access to anything.  Easiest solution is to go to the Firewall rules and make a copy of that rule, changing the source interface to OPT1.

Depending on what you want to accomplish, that may not be your best solution, though.

OK.

Thanks.

Unfortunately, you can't do failover for IPsec in that way.

Hi, thanks a lot for your help, but when i did it, it didn´t work, I don´t know if because I use three connections of internet in the LB, and your solution it would work with two connections only, i mean, with the failover if one connection fails, the other works, but I have three and the failover is configuring if one connection fails the others two works. I still have two connection where the session can be established, and for that the page doesn´t login in.

If you have both WANs on both firewalls, and proper CARP VIPs on both WANs, then yes it works fine.

please help. how to set up dual wan with different isp…  the one ppoe and the other one is dynamic..