• Rule based routing

    Locked Sep 29, 2009, 4:05 PM
    0 Votes
    4 Posts
    2k Views

    Yep, and you can also use failover groups if you want the traffic to go over the other link if one fails.

  • 0 Votes
    2 Posts
    1k Views

    Just a follow up, I have the following rules that work, but they don't use the load balancers I've set up.  Is there a device path or something similar I could substitute in the rules below?

    Thanks,
    Todd

    #Set up our ACL for high throughput sites;
    acl high_throughput dstdomain .amazonaws.com .rapidshare.com .apple.com .windowsupdate.com .update.microsoft.com;

    #Bind high throughput to the wireless interface;
    tcp_outgoing_address 116.90.140.xx high_throughput;

    #Set up ACL for DSL always;
    acl DSL dstdomain .spidertracks.com;
    tcp_outgoing_address 203.114.178.xxx DSL;

  • 0 Votes
    3 Posts
    1k Views

    Nevermind, found the outdated PDF, I'll remove it.

  • 0 Votes
    4 Posts
    2k Views

    @fvter:

    It's just weird. I tried using the diagnostic ping and manually pinging the monitor IPs, but it gives me 100% packet loss, so I'm not sure what is going on.

    Read the note at the bottom of the Diagnostics > Ping page, and be enlightened :)

  • Using subnets with pfsense

    Locked Sep 18, 2009, 11:39 AM
    0 Votes
    16 Posts
    7k Views

    Yeah, I think a virtual IP on your LAN interface for each subnet would do the job here. You might need to tweak the rules a bit, but I think it should work fine.

    Like everyone else though I question why you're doing it this way. Without VLANs or separate physical segments it doesn't buy you anything. Either upgrade your switches (or rearrange them so you have a VLAN-capable 'core' and unmanaged edge) or flatten it out since all it does is complicate your setup needlessly.

  • 2 WAN Failover with 2 pfSense CARP

    Locked Sep 29, 2009, 2:03 PM
    0 Votes
    6 Posts
    2k Views

    Screen dump of setup would be nice…

  • 0 Votes
    3 Posts
    3k Views

    Problem solved!
    The problem was me, not pfSense,
    but thank you anyway for your reply, ITCoresys.

    I didn't know or remember that Windows ICMP ping (reply) is deactivated by default on current Windows machines. So there isn't even a "Linux, Unix, ... ping" if you have activated Windows shares on machines A and B and of course opened the corresponding ports in the FW.

    So there is a "Windows ping" which only works between Windows machines in the same subnet. The "ICMP ping reply" must be manually activated on the Windows machines from which you want to get an answer (for Windows XP and higher, I think).

    Maybe if you have a WINS server in both subnets which is integrated as a DNS server, the ICMP ping (by IP!) may work. I didn't test it, but Windows shares over a router only work when you have such servers in your subnets, as I think due to my test. Even connecting to a Windows share by IP (\\%IPAddress%) over the router didn't work! I don't know why, and there are opinions that this should work! Maybe someone can give me some information on that - so for now I think I must have a Windows server (which is resolving "some" requests?) in both subnets to use any type of Windows share over a router.

    I've tested it with Windows732(Final) as A and Vista64 as B, and as I am using Win-Server (as DNS entry only for my clients that are not in the domain) in both subnets there were no problems anymore - what a s***!

    Maybe it is also helpful to mention that of course I've used IPv4 only.

    Hopefully this will help someone else with such half-knowledge like me.

    Thanks to pfSense for such a great product!

  • NAT in dual firewall setup

    Locked Sep 23, 2009, 1:10 PM
    0 Votes
    2 Posts
    2k Views

    So, from what I've read your problem is that you can't access websites on the network behind your 2nd firewall.

    If this is the case, this would lead me to the following approaches:

    1. I would make sure that nothing blocks traffic between network 200.x and 1.x (in this case your 2nd FW)
    2. If you have a proxy server on Firewall #1, try using the upstream proxy on Firewall #2, giving it the address
    of the first proxy of course, and then try telling your clients that Firewall #2 is their new proxy.

    Hope this helped.

    Regards,
    Stefan

  • Ospf Setup

    Locked Sep 18, 2008, 9:05 AM
    0 Votes
    12 Posts
    32k Views

    When using the freebsd 8 openospfd 4.3, I found it necessary to symlink a library file to get it to run under 1.2.3-RC3 9/21/09 build.

    ln -s /lib/libmd.so.4 /lib/libmd.so.5

    And that was the final trick to get openospfd 4.3 to run smoothly without issue.

    The 4.2 version did indeed cause the "ospfe: unknown error" issue. 4.3 solved it but needed the symlink for the lib file to complete the solution.

    Now the real fun part begins.

    Quagga's OSPFD uses Cisco like "network" statements to match prefixes/inverse masks to determine which interfaces to include in OSPF areas.

    OpenOSPFd uses a specific interface name declaration in the area statement of ospfd.conf.

    So, if say an open vpn "tun" interface now "appears", it would seem I would have to add "tun" to the area statement in ospfd.conf file manually, where quagga's ospfd would include it on the fly as long as it matches a "network" statement with a matching area for that network.

    Ordinarily, I would use Quagga's OSPF instead since I'm partial to Cisco, but I couldn't get Quagga's OSPFD to update the pfSense kernel routing table. After fussing with it for 2 hours, combing Google to no avail, I fell back and figured out openospfd.

    Anyone else have this issue?

  • 0 Votes
    4 Posts
    2k Views

    Brian,
    Thank you.  I've sent you an email.  I'm currently having two problems causing a cascading problem.  There does seem to be an issue with pfSense assigning the gateway address from interface A as the gateway on interface B.  I don't believe that I was having this problem in 1.2.1 Release, so hey, I live with the fact that I'm running a beta build.

    The second is that I have poor uptime on my DSL connection.

  • 0 Votes
    3 Posts
    1k Views

    No, this is not a multi-wan setup. I thought that because this was also a routing area that I might post it here. If you can't tell I don't post a lot.

  • PFSense and Vyatta

    Locked Sep 9, 2009, 3:47 PM
    0 Votes
    2 Posts
    4k Views

    Hi,

    I have Vyatta and VMware running on several ESX and ESXi machines. On one of my setups I have 2 physical hosts each running pfSense as the firewall (bridged to the physical NICs), then 5 Vyatta routers with multiple subnets. This is also configured with IPsec tunnels to the other pfSense box running on another VMware host with several more Vyatta routers running behind that host. I'm using OSPF as the routing protocol behind the firewalls in my VM environment and then redistributing the routes into pfSense (I wish pfSense came with OSPF). I'm also using VRRP on several of the Vyatta routers.

    So yes, it is more than possible.

  • Routing public subnet with ping

    Locked Sep 17, 2009, 9:56 PM
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    8 Posts
    2k Views

    This might be a bit hacky.
    I assume you can already communicate between both sides.

    On the side on which it works, you need an advanced outbound NAT rule.
    Create one at the top with the other subnet as source and interface WAN.
    With this you allow traffic from your side to be NATed to the internet on the other side.

    Now create under the load balancer a dummy pool.
    Save this, download the config.xml and edit this dummy pool to reflect the tunnel IP of the other side.
    Restore the config.
    On your side, create on the firewall LAN tab a new rule with the IP(s) you want redirected as destination and your new load balancer pool as gateway.

    (Sorry, writing on iPhone… If you don't understand the part with the pool editing and config.xml, search the forum for this. I explain it better elsewhere.)

  • Is this stupid?

    Locked Sep 11, 2009, 3:16 PM
    0 Votes
    28 Posts
    10k Views

    @dreamslacker:

    Sounds like Xrio but the website does state that their appliances can actually do some form of policy based routing.

    it's not xrio but very similar to them

  • Pfsense load balancing setting up?

    Locked Sep 15, 2009, 2:01 PM
    0 Votes
    1 Posts
    5k Views
    No one has replied
  • Convoluted SIP routing

    Locked Sep 14, 2009, 7:48 PM
    0 Votes
    2 Posts
    2k Views

    You should also post this to the trixbox and pbxinaflash forums. Lots of gurus there.

    There really isn't a need to put the Asterisk box on the internet… It's safer to put it behind the firewall and port forward.

    I've successfully established many remote sip extensions with no issues. I have pbx in a flash at the main site, behind a pfsense box. The remote extensions are behind the run of the mill dsl/cable modems. Nothing fancy. Phones have been Snom's and Mitels.

    If you're connecting multiple Asterisk boxes, just use IAX2 connections. Only one port to forward.

    Good luck

  • 0 Votes
    7 Posts
    3k Views

    Hey folks!

    I'll gladly write you up a script, but it would be great if you could give me a few days as I'm just busy with work.

    Cheers

  • Routed DMZ & NAT from LAN

    Locked Sep 7, 2009, 2:14 PM
    0 Votes
    2 Posts
    2k Views

    Hi John, I'm fairly experienced in networking as well, however you probably have more knowledge. Still, I'll give my 2 pence :)

    The outbound NAT rules are used from the top down. Have you tried placing the NAT rule at the top? Also
    make sure the destination is set to the DMZ subnet.

    Also, would you not expect to see requests coming from your WAN IP? Like when you surf the net, external servers will see your WAN IP…

    You probably can do some fancy footwork to get the DMZ servers to see the DMZ interface IP, but I imagine it requires adding rules manually.

    cheers

  • WAN / VLAN Bridge

    Locked Sep 12, 2009, 3:07 PM
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.