[image: 1613153217218-screen-shot-2021-02-12-at-12.06.47-pm.png] Adding floating rules to allow HTTP, HTTPS, ICMP, and NTP inbound for LAN fixed the issues. No more errors on the Cacheboxes and websites load like they should.

Today I need to bring down the WAN 2 link for an installation of a new wall outlet. During WAN2 was down I tried the VPN connection - works as expected , using the WAN1 link. When WAN2 was up again I checked again the VPN connection, again it worked, now with WAN2. Without my pseudo tunnels it will not work. I guess, that is a bug in pfSense software. Looking forward, if 2.5 will fix this issue. As far as I found this issue is a very old one, people claimed since years about it. Regards

Found it. I advertise my routes via BGP. There's no OpenBGPd package in 2.5 RC. So, I'm not advertising my routes anymore . Never even occurred to me... *&^%$#@! Guess I'll install FRR and try that out now, whether I wanted to or not.

@noplan Just a friendly check in to see if there are other screen shots you might need.

@teamits I have done this multiple times. It goes away with a single line but it does not matter which one.

@hieroglyph they were set the same. Over the course of 24 hours it evened back out.

@greeves Hello! I am on 2.4.5-p1 with multi-wan (failover/loadbalance). WAN0 -tier1, WAN1 - tier2. When WAN1 goes down/up, I dont see any of the tunnels on WAN0 being affected. John

@ddbnj said in One gateway on failover multiwan is behind NAT: My question is how do I set up my network to that the VPS IP address only attaches via the LTE gateway. Your network has to establish the connection, since it has a dynamic IP, for instance a VPN to the VPS. For stating the gateway to be used for that connection you have to add a static route for the VPS IP and select the LTE gateway.

@mainzelman Thanks for the reply. Site B IPSec firewall rules were empty (I assumed this to be ok because Site A and Site B hosts can talk no problems) I added the rule for Site B and it appears to be now working! [image: 1612211413945-dd6e54f6-fa74-4b38-bf03-a8b3e6c04ec9-image.png] I knew it had to be something simple I missed, thank you!

@yacud i'll whip up a test!!!! so... it's not as simple as I thought; I got ahead of myself. according to: http://www.squidworks.net/2012/08/pfsense-2-0-limiting-users-upload-and-download-speeds-by-limiting-bandwidth/ Setting the mask field to "source address" results in a unique 3x1 queue per source address (later applied in the firewall filter). Leaving that field "none" would result in a single queue that would allow a single user to abuse/hog the full bandwidth availability (3x1). if your intent is to limit each device on the ap to 3x1 you can work out a schema to ensure those hosts end up with DHCP leases that would match the limiting firewall rule's range of IPs. Or, give them static IPs and add them to an alias.

@yacud With failover and multiple tiers, it will use the Tier1 gateways until it meets the criteria of a failure (specified packet loss or latency). Then it will route all traffic on the Tier2 gateway until Tier1 gateway is back within acceptable limits. If you want to load balance you could set multiple gateways as Tier1 and it will split traffic between them, you can set a "weight" in the gateway options to have it balance the traffic unevenly (e.g. put 2x as much on WAN1 vs WAN2) As far as I know, there is no way for it to know what the maximum throughput of your link is - just trying to split it evenly if you want load balancing.

@hieroglyph Bit of everything really so ill post another one up! Thanks.