I am in Egypt the Internet Providers Suck Big Weenies but on the other hand the cost of 2Mbt 1:2 Adls is quite cheap! I have your basic setup I have five, four port cards stacked in one machine for a total of 20 ports! I have 18 2Mbt connections coming into one machine and load balancing across this puppy! So I have approximately 36Mbt down and 18 Mbt up…  I am spending about 600 Egyptian Pounds per 2Mbt connection! So that is a little less than 100 euro per 2 Mbt! So for under 2000 Euro a month I have a ton of bandwidth! You need a real box to have this puppy work well! I am using a quad processor with 2gigs of ram, serial ata raid setup! This box has the balls to run all I am throwing at it! It spends most of it's time whacking it pud... instead of crashing! So if you really want to balance, route and have performance make sure you have the balls to do the job! Because a slow machine will destroy your performance! So good luck....

Anyone?

Add a static route at system>static routes for the dns server/32 at interface opt1, gateway opt1-gateway.

hi, i'have also a problem with the routing, my WAN interface have 212.21.69.97 and the default gateway ip is 192.168.23.8. i'can ping the default gw very well but i dont get traffic over the gateway only if i set up a static route, for example to dns-server. the i'can ping the dns-server but nothing more around the world. i'work 5 years with freebsd and pf an hfsc … and i'dont understand it. the routing table look ok but the pfsense dont do it. ??? maybe someone have the same problem and know a workaround. nice day for all ... merl

You'll need a properly configured vlan-switch to attach all the modems to that goes to the trunkport of the pfSense but it will work.

I only can give you some advice for the ipsec part of this setup: Create two identifiers other than IP-Adress (like user full qualified domain name) Switch the tunnel that you already have up between 192.168.1.0/24 and 192.168.2.0/24 to use one of the identifiers create a second tunnel between the same public endpoints but with the following local and remote subnet tunneldefinition:   192.168.1.0/24 at dc1 and 10.1.1.0/24 at office   use the second identifier that you created for this tunnel Now you have 2 parallel tunnels between the same endpoints, one that covers the next hop network at dc2. At least the traffic from dc1 to dc2 will get to the office now. You possibly have to do something similiar at the dc2 site for the openvpn tunnel like pushing a route. However, as I don't use openvpn and don't have too much experience with it somebody else has to help you with that part.

If not using the ftp-helper you need to froward all ports (controlport, usually 21 and the passive portrange) and you should try to make the server aware of the public IP the clients see it coming from.

Hello, I wonder if the problem is in your rule set somewhere.  I have VPN tunnels configured to my workplace where I have access to both Windows Remote Desktop and VNC based hosts.  Appart from my VPN rules for each of my required VPN subnets (Firewall: Rules @ LAN - Protocals = All, Source = LAN Subnet, Port = All, Desination = VPN Subnet, Port = All, Gateway = Default (*) <– NOT a balancer gateway here), I don't have any VNC rules set via policy based routing, and I have a dual WAN configuration.  In fact, I don't have any VNC specific rules for inbound VNC or outbound VNC.  I should add that I don't access VNC hosts which aren't being encrypted in some way - either by SSH or VPN, so I can't really test if outbound VNC is working to clients on the internet somewhere.  I suspect that policy based routing might be required for this on a per port basis. Speaking of ports, I remember playing with the ports within the server/client to get things working, but I attributed that to the fact that I have local VNC hosts running on my home LAN.  Maybe you do too. In order to get it to work, you could try changing the "display number" within VNC on any of the hosts you can control. Display # 0 = 5900 (default) Display # 1 = 5901 Display # 2 = 5902 etc.. You may want to try to specify the actual port within the VNC client (eg. 192.168.1.125:5904 vs. 192.168.1.125:4) to get things working. (I needed to for some clients, but not for all) Give these suggestions a shot.  Like I said above, I don't have any rules configured for inbound VNC as I tunnel in via SSH for LAN side connections... this way I get VPN like encryption when on the road without having to get my local host (hotels etc.) to open ports on their firewalls.  Try turning off all VNC related rules to see if it makes a difference. Sorry if this is as clear as mud, suffering through a bit of insomnia these days, and its the middle of the night here... I'm off to try to find sleep again. Good night and good luck. -- Phob

@OrCAD: ok, but the FTP Helper? My balance don't work with passive mode…  :-\ You didn't ask about that. –Bill

You either want a bridging setup if the internal servers should have their public IP or you want several virtual IPs and 1:1 NAT. Help on bridging can be found at http://pfsense.trendchiller.com/transparent_firewall.pdf . The other option looks like this: create all the public IPs at firewall>virtual IPs (most likely proxy arp should work for you; I have heard carp has issues running on a VM) create 1:1 nats to associate the virtual public IPs with the internal server IPs at firewall>nat, 1:1 create firewallrules for the needed ports at firewall>rules, wan

@eric: thanks scott netstat -rn does not show either dns ip address.  traceroute works fine on one dns ip address and not the other (sends out the same interface both times) It should… If it is not then there lies the problem I suspect.

I dont see your static routes. hoba suggested that you will need these. pls post your static routes.

Show us your static routes. Also make sure it's not a firewall issue.

I believe you're right about using the external service to check the external IP address.  I think it's using HTTP to do so, which I have set to always use WAN1.  When I get time I'm going to try to figure out where it's going to do that, so I can tell it to use the WAN2 gateway.

Thanks a lot!!! Lubo

True. If that is what you primarily need, I wouldn't recommnd this router. We only have one server so we don't really need to do any incoming load balancing :)

Yes, you got it. If the routers that you use in front have a DMZ/expedited host feature enter the LAN IPs of the pfSense there.

Did you reconfigure your PCs behind the pfSense? They now have to use the pfSense as gateway and have to be in the LAN subnet of the pfSense. Somehow sounds like they are still using public adresses.

@khuetam: @DanielSHaischt: OMG - SmoothWall as a replacement for pfSense :'( Hi all, Does Smoothwall support multi-wan? Maybe not the right forum to ask about smoothwall but afaik it doesn't.

@hoba: Just install an additional nic in your machine. Then after powering up go to interfaces>assign in the webgui. There should be a + icon now as there is a nic that is not yet assigned. Just click it and the nic will be assigned. Thanks for fast answer. Follow your help, I added the fourth NIC to my pfsense.