Go virtual and set the scenario in ESXi….

Then use fault tolerance to enable heartbeat between the PFSense box'es. Thereby you wont need 3 external IP's provided by your ISP.

CARP on the PFSense needs 3 external IP's to start with. By std. it cannot operate with only one external IP address.

Ah, well then that is a little different. You should have mentioned that up front.

I believe there are some other examples of configuring what you're after with DHCP on the forum here. I don't recall the specifics, but it wasn't an ideal situation.

No. You would need to have both WANs connected to both units for failover to work in that way.

Anything show up in the system logs around the time of the failure?

What does Status > Load Balancer show?

You might also give a 2.0 snapshot a try, you can upgrade in-place. Be sure to make backups first, of course.

Do not reply to your own topic just to get it put back at the top.  If someone can help you, they will.  Jimp's answer is about as definitive as its going to get for now.

Also your default allow rule at the top is going to work before any of the other 3 rules are hit, so they are superfluous.  Remember that pfSense works on first match wins.  Kill the rest of those firewall rules and on the default LAN allow rule change the gateway to reference your load balance rule.  Keep in mind that certain protocols do not play nicely with load balancing (SSL, SSH, RDP) so your clients using HTTPS will have issues.  Create a failover load balancing scenario (see the documentation) and create a firewall rule above your default allow rule with source any, destination any, destination port TCP 443 and use your failover pool as the gateway.  You can repeat this scenario so that WAN1 fails to WAN2 and WAN2 fails to WAN3.  Similarly, you can do this same thing for SSH or RDP if those are needed by your clients.

jimp,

just wanted to let you know,the two rule example you provided for blocking all outbound port 25 traffic,other than the actual mail server did the trick.
we are no longer getting black listed on spamhaus. i am still running virus stuff on all the workstations,and as stated before,i do not see anything obvious in the states,as one source to many destinations connections.
i even tried doing tcpdumps and watching and can not track down A pc,in particular,
Thanks again for the help!

Take Care,
Barry

The way I do it is to have an alias with ports 22,80,443,1935,6667
For that port alias create a rule using the default gateway
below that, change the default rule to use wan2 gateway

So no need to specify an lan ip.
IMO if the above it's good enough then change the network to.

wan –---          ---- lan
            pfSense
wan2 ----          ---- lan2

You should be able to create an OpenVPN interface based off the OVPN client connection.  Add that connection to your loadbalance pool and assign the metric accordingly.

However, you must realise that the additional connection is still limited by your WAN2 speeds (the WAN3, so to speak, still rides over WAN2's link).

Sorry for the late reply, been on holiday. :)

My hardware is a Atom N270 with 256Mb RAM, 2 RT GbE nics (http://tinyurl.com/3aclpoe) and a Intel Pro 100S, using the CF card slot to boot from, although, I'm not using the embedded version.

can someone lend a hand, its kinda important

That's normal as well. OPT1 could be a second LAN, thus the option to enable DHCP server on it's side.

Under Status -> Interfaces does it show the OPT1 status as UP? Have you setup static IP and gateway or has it autoconfigured those if you use DHCP to receive those settings.

Shoud look something like this:

How soon are you planing on implementing this?
Also make sure you can resell your service (not all business Internet service can be resold or given away)

Heres some sample rules, what you need to do are block and allow rules at the top, then a block all rule at the bottom. So you block the them from accessing the other subnets:

Proto Source Port Destination Port Gateway Schedule Description

*              *       all lan ips   *        *                                
                                          but theirs

and have it as a block rule then another so they cant touch(access its management ports) the firewall (theres an interface on each lan)

Proto Source Port Destination Port         Gateway Schedule Description

*              *       the ip of   ssh/https        *              
                                       the firewall  and http

edit(accidentally tabbed to post)

Hi Ryan,

Don't know if you solved it already, but adding a third nic and let it have the /24 network should be enough for it to work - at least on other firewalls. Haven't tried it in pfsense.

I got my problem resolved.

I couldn't understand why when i used the original setup wizard, the primary WAN and LAN were able to route traffic through each other.

Turns out, those rules are hidden by default.

If you go to Firewall - NAT - Outbound
and select Manual rule generation, all of these rules become visible.

Also, one must define valid traffic rules under Firewall - Rules.

And setting up a Virtual IP of type "alias" resolved my need for the second external ip address.