• LoadBalancing and Failover problem

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P

    Hi all
    I had the same problem, so I checked all my configuration:

    I disabled all my own rules (some of these were no longer needed). I followed the official doc: http://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x with one difference: don't check the "sticky connections" checkbox! Browsing is impossible with this option, but I don't know why…

    Bye

  • Multi pfSense box load balancing

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VLAN hopping

    Locked
    6
    0 Votes
    6 Posts
    8k Views
    J

    Folks, thanks for your help!

    The general idea is to use a single port on the switch with only tagged traffic.  This port connects to the upstream device (pfSense, another switch, whatever).  It carries the various networks over a single physical link, but each is tagged independently.

    If my switch was in the middle of a chain of 3 switches, I guess 2 ports would be ok for this? (At the minute, I only have 2 switches, so this question I'm asking doesn't really apply atm)

    On the switch, each port is assigned to groups of VLANs.  For most devices, you want them to exist on a single VLAN.  For those ports, you specify the VLAN to use for untagged traffic and remove the port from all other VLANs.  That way, even if the device sends a tagged packet, the switch won't allow the traffic onto the VLAN.

    So in terms of our HP switch (Mine is a 1800-24G layer2 only), what setting does your quote above refer to? Uncheck VLAN aware? Or/And just make the port a member of NO VLANs but ONLY set the PVID? (See where I'm getting confused here?)

    For some devices, you may wish to have it be accessible on multiple VLANs, but not route between them.  To do that, you setup the port to use only tagged traffic and only make the port a member of the VLANs that it should be allowed to participate in.  The device is then configured to set an IP per VLAN and disallow routing.  Unless you are doing something really complex, this probably isn't something you will need to do.

    No need for this at the minute, but thanks for explaining. My switch is only layer 2 so it's probably a bad idea for this anyways (unless I didn't care about the single device routing between the 2 VLANs)

    The main gotcha with VLANs is that VLAN tag 1 is almost always special in some way.  For the HP switch I have (2800), VLAN 1 is the default VLAN and is the one on which all the management services run.  That particular setting is configurable on my switch, but many other switches don't offer a way to change it.  To be on the safe side, use VLAN tags other than 1 for your actual networks.

    Understood :)

  • Access from WAN1 to WAN2

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG

    Other solutions described here:
    http://doc.pfsense.com/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

  • Bridging mode with traffic redirection ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG

    I don't think your plan to redirect traffic with a transparent bridge will work.

    How I would solve it:
    Use a pfSense instead of the Cisco.
    Put the Cisco in front of the pfSense.
    Like this you have to do no configuration for the network and only have to make changes on the routers.

  • Pptp multiwan

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense just as a loadbalancer

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    X

    Yes. If you don't want to use the firewall capabilities of pf, just disable them.

  • Routing some outbound through VPN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D

    I too would like to know, specifically the ability to set up rules for what local ip:port the traffic comes from, since that is the only part I control on the pfSense side.

  • Multi WAN Advice

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    Agreed, add an extra NIC in one of your pfS boxes to load balance your servers and resolve routing.
    If you do want to make use of the second pfS box as a failover then use CARP to keep them both in sync. There are a few things to consider though…
    You will need at least 4 NICs in each pfSense box:
      1 x LAN
      2 x WAN
      1 x CARP pfsync
    If you use a DMZ, that will need an additional NIC in each box.

    You will need 3 usable public IPs on each WAN connection.

    The first part - connecting both WANs to one pfSense box - is a no-brainer and you should do it. The CARP setup takes a bit of configuring but is well worth the effort if you have all of the required bits above.

  • Pool question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    Can I have an example?

  • Interface missing in Pool:Edit

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    If it's not showing up there it doesn't have a gateway (and hence isn't a WAN).

  • Multi wan and One Lan no working properly

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    L

    I think he means this, without literal translation:

    Hi can anyone help me
    I have two DSL modems from the same company and from the same ISP (assuming he means same models obtained from the same ISP)
    One modem is provisioned for 4Mb service and the other modem is provisioned for a 2Mb service.
    When I check speed test (from what source?), it only shows the modem with the 4Mb service. The two connections are not combining.
    When I connect the modem(s) to the TP-Link router, the speed test shows 6Mb.

    Then he goes on to describe how his configuration is set up but it's not working. It sounds like he wants to use loadbalancing but if either connection fails, he wants all connections to fall over to the working connection.

    I think he is using his connection as a wifi hotspot that services 20 users.

    I think perhaps because of the language barrier, pictures of a proper config might be better. However, network topology will have to be assumed, and the optimal configuration suggested, to suit his clients' needs (not his) since it is his clients that are complaining.

  • Dual WAN with Pfsense and URL Filter with IpCOP

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    R

    Absolutely,

    It will aggregate. I have the same kind of setup with 3 WAN connections. I use Smoothwall in place of IPCOP.

    After creating load balancing pools and configuring the respective interfaces, try a download accelerator and see the traffic graphs of the interfaces simultaneously. It will use everything it gets.

  • Dual PPPoE and routing traffic through one or the other

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    S

    Bump.

  • Two ISP, 10 IP, 1 1:1 NAT, and No idea!

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    For this to work, does pfsense remember which ISP a packet came in on, so that the return packet goes via the route it came in, rather than the default route? (my current tests show it goes back via the default, which doesn't help)

    It uses the default route. You can do policy based routing from the Firewall Rules and choose a different gateway for traffic handled by a particular Firewall Rule, but you cannot do dynamic routing based on the inbound source of the traffic.

    I am not aware of any firewall capable of doing what you are trying to do.

    One solution may be to dual IP the servers/services you want to publish and publish one IP to the internet connection from one ISP and the other IP to the other internet connection. Then use policy based routing to have the return traffic routed properly through the correct ISP.

  • Routing issue on LAN interface

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 5 Static WAN IP's and multi lan's

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    K

    @gregoryc911:

    @kc8apf:

    You add them as virtual IPs under Firewall/Virtual IPs.  They can then be used for 1:1 NAT, manual outbound NAT, or port forwarding.

    So should I leave the WAN as DHCP?  Right now for testing I have the WAN set for the .240  If it is supposed to be DHCP I will change that and make the setting changes.

    Thank you again in advance!
    ;D

    The WAN interface would generally occupy one of the static IPs.  All the other static IPs would be added as virtual IPs on the WAN interface.  You could run DHCP on the WAN interface and have all the static IPs as virtual, but there isn't any benefit unless you needed all your static IPs for some special purpose and used the DHCP address for outbound NAT or something.

  • DualWAN set-up Still continues to not work… [ my x-mas wish]

    Locked
    20
    0 Votes
    20 Posts
    9k Views
    GruensFroeschliG

    You just described why FTP and VoIP are such problematic protocols…
    It is usually solved by forcing these protocols
    to only one WAN and not balancing them.

    The other possibility is to use sticky connections.

    Use sticky connections
    Successive connections will be redirected to the servers in a round-robin manner with connections from the same source being sent to the same web server. This "sticky connection" will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection. Further connections from that host will be redirected to the next web server in the round robin.

    However, I don't know what the status of that feature is.
    The last I know is that it doesn't work like it should.

  • Multi-WAN DNS - not enough entry fields?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    If I recall correctly, you can edit the config file (viconfig from console or backup/edit/restore) and add two more additional DNS server tags that aren't accessible via the GUI in 1.2.x.

  • Dual WAN/Dual LAN - Firewall rules ignored when one WAN drops.

    Locked
    8
    0 Votes
    8 Posts
    8k Views
    B

    OK, understood on the rules for WAN interfaces, use default.

    Any explanation (or theory) then on why (at least it seems to me) the port forwards do not work then when using the failover pool gateway for LAN_VOIP->WAN and using the default gateway for WAN2->LAN_VOIP? When configured like that, VOIP calls are dropped after a minute.

    I am a little stumped on why the calls are dropping.

    Thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.