You could get fancy with the rules, and use rules that mark the traffic based on criteria, and then use those markings in your rules to allow or block, etc.

You can do that with floating rules, that are not set as quick..

So you could mark or tag traffic based on criteria XYZ, and then in later rule on floating do something else with it like send it out a specific gateway. Or on your interface rules look for specific tag and then do X with it..

So he could in his floating rules, non quick set a tag for traffic to tun1, or tun2 or wan.. Then in the interface or floating (later down the rule set) set a rule that is quick that sends it out a specific gateway, or on the interface have rules that say if tagged tun1 send out tun1, if 2 out tun2 if wan out wan, etc. etc..

That's not even the way to do failover, you would use Gateway Groups for that. ;) In my understanding, your disabled rule would never be executed (even if it's enabled) as it matches exactly the same pattern as the rule that comes before.

When you say "physically disconnect the Fibe cable", do you really mean the fibre cable or actually the cable between the pfSense box and your modem? I could imagine that your global routing configuration is somehow in a way that WAN_DSL_PPPOE kicks in as the default gateway. I maybe wouldn't expect that, but I could imagine, that when you physically remove the network cable (which is not the typical real-world outage scenario) from the pfSense box (so that the network interface changes its whole state to disconnected), that the gateway WAN_FIBRE_PPPOE gets removed from the system in a way that it has the same effect as if it wouldn't exist at all and the then active default gateway (WAN_DSL_PPPOE) is used. Just a theory. ;)

Could you please tell a bit more about your setup how exactly you have configured everything (without too personal information of course ;) )? As you mention xDSL, I assume you are using PPPoE? If this is the case, please consider that the IPs/subnets you configured is only to access the management interface. PPPoE (as the name already says) works on Ethernet level (not IP level) and I'm not sure if this works over the same physical interface (not only in theory but also with real equipment), have never seen that.

@akuma1x That was it!!! Thank you very much for your help and @DaddyGo as well!

LaggConfigLACP.JPG

@shararaus

You’d need to create rules based on the ports the applications use then create a firewall rule to push the traffic out the gateway.

It’s in the pfSense manual.

Simply plug in the "secondary" router into a LAN port of your existing network. Could be directly on the pfsense box, then you'll need to fire up an additional interface. Or, it can even be on your LAN switch.

All you have to do is give the "secondary" router a different subnet than your pfsense LAN network.

@monocleitsolutions

FYI - Just to be clear Policy routing has yet to actually work at all.

That can be done with outbound NAT in pfSense.
Firewall > NAT > Outbound

By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it.

Then add a new rule:
interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance)
source: the clients IP (CIDR) or the clients network
destination: the servers IP
translation: interface address

And this computer was flooding the network with broadcast?

Lets see this broadcast please via a pcap.. So can load it into wireshark.

But how would have anything to do with pfsense?

Just set a pc to use that IP

thernet adapter Ethernet 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller #2 Physical Address. . . . . . . . . : 00-13-3B-2F-67-62 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv4 Address. . . . . . . . . . . : 128.0.2.50(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : NetBIOS over Tcpip. . . . . . . . : Enabled

No flooding..

Pfsense has no control or say in what a client puts on the network..

@pfrickroll said in Dual WAN Failover doesn't failover back to WAN 1 [Resolved]:

It all works now but I have now new problem, IP Phones.

I would suggest you start a new thread on this one.

well we solved the problem by this way , first create a script to check if the default route is still exists or no then if does not just add it :)

I add a cronjob for this though

fixgw.sh :

HOSTNAME="$(hostname)"

if ! [ $(route -n show 0.0.0.0 | grep gateway | cut -d ":" -f 2 | cut -d " " -f 2) == "10.10.10.1" ]; then route add -net 0.0.0.0/0 10.10.10.1 ; fi

fixgw-pf.png

fixgw.sh.txt

@jonefc said in 3rd and 4th Lan Ports for internet:

Any ideas.

I think you need to understand first that these are separate interfaces...(OPT1 / OPT2)
they do not depend on the LAN,...... just because it has Internet access by default (the LAN)

forget your "bridge" idea - you presented above

set each interface separately and give them a "default allow rule" as shown on the LAN
(copy is good ....because fast)

review the DHCP setting and cable connections...
say review the DHCP logs and connect your cable to the ports step by step

Good to know, Thanks for the reply!

It has 6 independent ports so you should be fine. Each interface has its own firewall rules (or there can be floating rules).
For multi-WAN see https://docs.netgate.com/pfsense/en/latest/multiwan/index.html

Feature request for this:
https://redmine.pfsense.org/issues/4881