@ktims:

Have you read the MultiWan documentation? This is a very straightforward setup and you should be fine using the basic setup.

Yes.. I read but i am unable to setup.. please can you send me the some documentaion or can you brief me how to setup please

Yeah, I always make three- load-balance both lines, failover from WAN to OPT, failover from OPT to WAN.
Just to be flexible. You want to use the failover pools and not an interface gateway so you don't break https (or whatever) when a line drops.

I've been downloading a backup config with the GUI.  I then use a text editor to search and replace the monitor IP I want to change…then I upload the "fixed" config.  It would be nice to be able to edit this value without having to reconstruct the pool.

My guess would be that you miss configured the static routes screwing up the DNS requests, maybe you got the CIDR wrong (/32)

Untitled.png
Untitled.png_thumb

Will each NIC be connected to a separate modem, or are all of the WAN connections going out through the same cat5 line (like the internet accounts at my apartment building)?

sorry it took me so long to respond, but if I plug in my laptop into the router, it gets internet access fine. It's only the pfsense that can't ping out. The pfsense box can ping out as far as the cable modem. It pings the router and cable modem fine, but I try to ping the cable modem's gateway and it just doesnt get anything back.

Yes you can surely do that.

The gateway should be the load balancing pool for the client.

Yes you can do it.

Squid Guard , Squid doesnt work fine when used in a MultiWan Setup.
I have faced the same issue and Now I am using a very old harddware of mine which run behind pfsense and i have installed smoothwall in it which does the rest of the content filtering. and when you say that your customer is facaing the problem you can always use smoothwall in an additional machine saying that if there is a hardware failover on the pfsense side. you just need to plug the cabl in smoothwall and you will save a lot of downtime.

For the below rules .remove the below two rules. Just have the one above . And sunny is right , put Open DNS servers as your monitor IP instead of using your ISP Servers. in place of DNS  also you can use the same Open DNS servers. and check

I think this will resolve your issue.

Change the pingable ip of all the ISP to an OpenDNS Server.
Lke 4.2.2.2 or 4.2.2.4.

ITs better to keep an ISP's IP.But as you are facing these issues .Its better try these.
One more thing, do you have a router from ur ISP. If that is the case then your pingable IP may be of the router, which is set next to pfsense and after router there is no connectivity.

Check that.

Please show screenshots of the rules that dont work.

WAN:
Destination "WAN address" means exactly that.
You allow access with your first two rules to the IP of the pfSense. Nothing more.
If you want to allow access from the first two subnets to the LAN on the pfSense you have to set as destination: "LAN net"
Also dont forget to set on the vyatta side a static route for the 172.16.15.x/24 subnet pointing to 172.16.5.5.

What are your rules 3 and 4 for?

LAN:
Basically delete your first 4 rules. They dont do anything.
The last rule you have allows everything in your LAN to the WAN.

You also need to make sure you have a static route on the pfSense for the 172.16.3.x/24 pointing to 172.16.5.10.

Sorry for wasting everyone's time. The system has now made a liar out of me. Everything seems to be working as it should today. I haven't changed anything, which has confused me even more, but while it works, ill go with it

There was a pledge to program this feature so it would work well. It's obviously very difficult to do, as no open source firewall can support dual wan with many capacities - it created problems for load balancing, distributed downloading, secure sites blocking connection when detecting multiple IP's, etc.  I believe only some sizable pledge by many people to create a larger project would ever get this done… perhaps as a part of some other larger project, such as OpenVPN, or IPTables, would be the way to get this done for once and all...

Ok…

So with help from a modified bridging script, kindly provided by Darth Android on post http://forum.pfsense.org/index.php/topic,19231.0.html I’ve finally got a working solution.

Step-by-step instructions for those who may need them:

Install pfSense, specifying your IP connection providers settings (in my case this was a /29 subnet w/gateway IP) pfSense: Diagnostics -> Edit File: /usr/local/etc/rc.d/wan_bridge.sh. No point in pressing load, as file doesn’t exist yet. Files in this location get run after booting, installing the bridge and reloading the configuration each time. Paste in the script at the bottom of this post, changing the LOCAL_IFACE to your WAN adaptor and the VIRT_IFACE_MAC to something different from your WAN adaptor & press save. pfSense: Diagnostics -> Command: chmod 755 /usr/local/etc/rc.d/wan_bridge.sh. This makes our script file executable. Reboot. pfSense: Interfaces -> (assign), press the + in the bottom-right of the screen to show the new adaptor (should be ngeth0) pfSense: Interfaces -> Optional x Enter a name, your public IP range settings (in my case a /26 subnet), an IP for the interface in this range, enable & save. Reboot. Setup some CARP IP’s in the public IP range. Setup your NAT’s and rules to use WAN as the incoming interface, and specify CARP IP’s in the public range. Manual Outbound NAT’s can also be setup, using the CARP IP’s as the translation IP address, making outbound traffic appear from your public range.

Script below, thanks again to Darth for the main body of the script. The main modification was the addition of a few lines of PHP at the bottom, which reloads the pfSense settings after setting up the bridge.

Use at own risk!!!

#!/bin/sh
#A simple virtual interface script - USE AT OWN RISK
#Creates a virtual interface and bridges it with a physical interface.
#Author: darthandroid@gmail.com

#User Variables - Modify these to suit your needs. Both need to be customized for the current system

#This is the name of the physical interface device. Look it up in `ifconfig' if you don't remember the name from when you configured pfSense

"WAN" is most likely NOT correct.

LOCAL_IFACE="eth0"
#This is the mac address of the new virtual interface. It should be different from the physical interface
VIRT_IFACE_MAC="00:00:00:00:00:00"

Non-User code

BRIDGE="bridge0"
#create the bridge
ngctl mkpeer ${LOCAL_IFACE}: bridge lower link0 || exit 1
ngctl name ${LOCAL_IFACE}:lower ${BRIDGE}
#restore packet flow to the physical interface
ngctl connect ${BRIDGE}: ${LOCAL_IFACE}: link1 upper
#create virtual interface
ngctl mkpeer ${BRIDGE}: eiface link2 ether
#set virtual mac address and bring the interface up
ifconfig ngeth0 ether ${VIRT_IFACE_MAC}
ifconfig ngeth0 up
#make sure we can read packets from the physical interface directed to the virtual one and
#that we can write packets out without the virtual mac being overwritten
ngctl msg ${LOCAL_IFACE}: setautosrc 0
ngctl msg ${LOCAL_IFACE}: setpromisc 1
#do some php and reload some stuff
echo "" | php -a

It works!
I have to check 'Bypass firewall rules for traffic on the same interface' on System->Advanced
That means that some rules are missing in the firewall. Using this option they're not needed.

Thank you!