Not easily in 1.2.x. In 2.0 it can be set on a per-gateway basis in the GUI.

Success! I copied all the configurations (manually) from my 1.2.3 VMWare VM to a brand new 2.0B4 (Oct 8) VirtualBox VM, and the three ADSL connections are working perfectly fine. Could it be that the problem it is not pfSense, but VMWare? I was using Workstation 7.1 In any case, it seems to be solved! (At last) Thanks again guys, for this awesome piece of app! glemDot

Yes, if I understand what you're asking, that should be quite feasible. It sounds like what you need to do is proxy ARP for your public scopes upstream, then push them downstream to each campus with a series of 1:1 NAT rules. Regarding removing the pfSense nodes downstream, I'd be cautious about that. It's a good idea to have something segmenting the schools off from eachother downstream. Keep in mind that students are often brighter and more capable than school faculty, especially in technical matters, and should not be underestimated. One final piece of advice would be to stage as much as you can before it goes live. Also might want to run some serious torture tests on the hardware/software stack you plan to deploy, ensuring that: The hardware is reliable and won't be a bottleneck for the amount of traffic you're expecting, + predictable growth. pfSense / FreeBSD is reliable enough on your hardware stack, and has all the features you need. You know exactly what to expect in terms of configuration, backing up and recovering configurations (if the interface names don't match you're in for a fun time), etc. Regarding the stability of pfSense / FreeBSD, I ran into some rather serious issues myself which essentially blocked me from deploying pfSense 1.2.3 in an overly-hostile environment. YMMV of course, but here's the record of my endeavors for reference: http://forum.pfsense.org/index.php/topic,24337.0.html

its hard to keep up while shaped - your are answering faster than I can upload the replies. Now that I have some success, I will re-test each connection and look at the bridging option - I cant see anything available yet, so Ithink it will be a double NAT/port forwarding. All help is really really appreciated Mick

I dont get what you have done. If you set it up on the WAN and OPT1, then isn't that for in coming connections from the internet? My logic to me says to add the rules to the LAN set. I am struggling with a similar setup where I need to use two different WAN connections for specific applications. Mick

We also encountering this problem  :'( :'( :'( :'( :'( :'( but no luck to block it

That is covered in the doc wiki, the book, and here on the forum. It's just like a two-wan setup, just add the third wan in the same way. See the links in my sig.

@Kirill: @eirikz: Why create a double NAT ? :-) Just disable the DHCP on the "router" (I'm guessing this is a commercial home router with WLAN ?) and plug the connection from the pfsense side to one of the LAN-ports instead of the WAN port. Hella lot easier. Yeah, it's a Netgear WNR3500L… But I need the Wi-Fi for my 360, 2 laptops and my 2 Nokia N900  8) Will try this out this weekend, will come back with the results after the weekend. Cheers Kirill eirikz's advice is exactly how I have my WiFi setup. Netgear router with DHCP disabled. Manually set an IP on the LAN side so I can access it, and connect LAN to LAN.

http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x

ok heres what i've tested… i have a multi wan pfsense in my network. I install squid in another computer and had its gateway pinting to the pfsense box. i went to google whats my ip search pages found out that my ip changes when i refresh the page. i think you guys can have another pfsense box and install with squid in your network and it might work. LAN ---------->pfsense + Squid (transperent proxy) --------------------> pfsense + multi wan ----------------> the internet i think you can label your pfsense+squid as kraken ^^

need a static route, 10.10.8.254 my server vlan gw. dhcp-dns+firewall in this vlan. dhcp server ip 10.10.8.4 gw:10.10.8.254 , pfsense firewall ip 10.10.8.8 hp procurve switch default route 0.0.0.0 0.0.0.0.0 10.10.8.8 ….  need a static route in pfsense 10.0.0.0 255.0.0.0 10.10.8.254

Thanks for the super fast reply GruensFroeschli. I'll give it a go.

Many changes in 2.0. It's completely redone. There's a sticky post in the 2.0 forum with info, it will eventually go into the wiki.

I did a lot of searching on this topic and really I found nothing that gave the full setup and explanation that made sense to me, so I ended up going back to an older version(1.231) of Monowall to clear up the issue. I then updated until Hamachi stopped working. Looking at the version change log I found that there was a change that made the firewall remap the ports for UDP connection. Where this is slightly more secure, it is also not compatible with Hamachi. False Hope(Skip this if you don't care to know what not to do.) Before I found the correct solution,I first had a false positive correction where I setup each internal Hamachi instance to have its own port to connect with. This is done by setting up the UDP IP and port for the Hamachi instance in Hamachi advanced settings. Then Adding a port forward for each one in the firewall. This seems to work at first but when you have PCs that disconnect and reconnect over time they will all go to Relay Tunnel. This is because at first the ports that are assigned are used but at some point they get remapped. This can be confusing because if you restart the internal Hamachi instance, it will clear up for all connected clients. This is not a solution. Since you will find your self running around every day resetting Hamachi instances or setting up restart times for the Hamachi service. To make Hamachi work on either Monowall or Pf-sense, you have to create an Outbound NAT rule for your Lan network Subnet that has the disable port mapping checked. Then turn enable Advanced outbound Nat. When you don't have (AON ) turned on there is a rule just like this created for you but without the port mapping turned off. Basically your rule should look something resembling this(see below) if you have a Lan setup like with 192.168.0.x / 24 (Subnet:255.255.255.0) . Create a NAT Outbound mapping entry that has these settings. (see attached image for monowall screen shot.) Interface:wan Source: 192.168.0.0 / 24 Destination: any Target: blank Portmap: checked Description: [what ever you like] Don't forget to turn on AON (check box ) If this entry is correct you should not see any changes to your FW operation. The only real difference you should see is that Hamachi and other UDP using traffic should start to work as expected. Hope this helps someone, I know it would have helped me save several days of experimenting. [image: monowall_AON-Hamachi.png] [image: monowall_AON-Hamachi.png_thumb]

Un-ticking 'Use sticky connections' in System -> Advanced -> Load Balancing did the trick!

You don't really need multiple failover pools. A single wan1 fails to wan2 fails to wan3 should be enough. (Of course the WANs should be in the order in which you want them to failover).

Yes this should be possible. With 2.0 you will have the possibility to terminate all the PPPoE links directly on the pfSense. However if these links are from the same provider you might run into the problem, that two links are not allowed to have the same gateway.

;D