Before trying the scripts, you may want to check "firewall optimization" is normal or aggressive. The VoIP configuration docs suggest conservative, which could be aggravating this particular problem. I've bumped mine to aggressive, but have no idea if this will cause other issues.

https://docs.netgate.com/pfsense/en/latest/book/config/advanced-firewall-nat.html#config-advanced-firewall-optimization
https://docs.netgate.com/pfsense/en/latest/book/config/advanced-firewall-nat.html#state-timeouts

@Gertjan said in Help is needed with understanding of Trigger level documentation:

When the WAN cable is ripped out, or the router (or modem) up stream goes down, the NIC will signal a LINK DOWN.
No need for pinger to determine if ICMP packets come back, and measure the time. They won't come back, they can't even been send away.
That's an event that will take down the gateway in the routing table.

pinger, can detect if there is an upstream problem, and uses ICMP packets to detect if the upstream path is available. If it is to bad, the gateway is likewise considered as down.

And this is exactly for the case when "Member Down" is selected, right? So it triggers to the "down" state when ping is bad, despite the fact that the link associated to this interface is "up"? Someone actually verified this by an experiment? I cannot do this right now because I have no test environment, just production.

@JeGr thanks for your response

Strange. Did you already reboot the pfSense box?

Some guys who had similar issues here succeed after pulling down the OpenVPN server or the whole pfSense and rebuild it again.

@Derelict said in Multiple wan att bypass:

They should not give you 64 addresses on an interface subnet.

They should give you a /29 or /30 on the interface and route the /26 to you there.

That way you could, in turn, simply route the /26 to the cPanel server for use there.

Else you have to bridge or NAT. Neither is a proper solution when compared to a routed subnet.

What I am trying to setup is so cPanel can go out and pull what ips it wonts to use. and I can't figer out how.
I got a subnet of 255.255.255.192 with 61 useable ips. but a block of 64.

@cleciomelo Good afternoon Guys, I'm new here and also the use of PFSENSE.

I need some help on a dedicated link, but for some reason the internet doesn't work, and the funny thing that is dripping the internet doesn't work anymore.

I removed every rule on the most unsuccessful Lan.

Here in the company we have two working wan, plus the third is that dedicated link does not work, is like Uptime.

The link is PPPOE, I'm waiting and thank you all in advance.

Update

We have interfaces assigned to the VPN connections at both SiteA and SiteB. Looking at firewall rules SiteA VPN-interface rules are currently (any/any). SiteA has no rules in the one named OpenVPN. SiteB also has a rule allowing (any/any) on its interface assigned to the VPN but it also has an (any/any) rule in the one named OpenVPN. Removing the rule from the one named OpenVPN now gives me the same behavior at both locations. I am still seeing routing issues depending on which host I am pinging from.
SiteA-LAN to SiteB-L2VPN the routing is asymmetrical. Send is over L2VPN, reply is over VPN
SiteB-L2VPN to SiteA-LAN the routing is symmetrical. Send and reply is over VPN
SiteB-LAN to SiteA-L2VPN the routing is asymmetrical. Send is over L2VPN, reply is over VPN
SiteA-L2VPN to SiteB-LAN the routing is symmetrical. Send and reply is over VPN

Goal would be to get the traffic flow routing symmetrical no matter the to and from address.
Any thoughts?

Yeah!, I was watching the camera through vpn with pFSense OpenVPN, IPSEC/L2TP but recently I had to restore to default the pFSense config And now I was testing the connection from internet, because I wasn’t able to connect to the cam! Once resolved the problem, I will enable again my vpn server, I know that if I try to connect by vpn it’s easy to do it without Any problem cause I’m in the same net, but that’s not the question!, I’m having some nat troubles in my pFSense configuration And that’s what I’m trying to resolve! I would like to know what is delaying the connection to the cam while the connection to rdp, for example, is much faster!.

Thanks!

Thanks for the reply, your right it had to be done that way thank you again

I set an upload and download limiter to 10mbit. However it seems no pages load when I enable it on the firewall rules on the vlan created. Should the source be the new vlannet an alias and or the wan net. When I set an any any rule on the new vlan I am able to grab the other wan just fine but I need to restrict the bandwidth. I noticed a bridge vlan was also created when I bridged the new vlan with vlan. Does anything need to be done with this? I've tried just about every source possible in firewall rules with limiters on and it's either I can still ping out to 8.8.8.8 but no web pages load or the limiters do not function .

@MathewFernandes Try something like Qotom-Q575G6 https://www.amazon.com/Qotom-Q575G6-S05-Qotom-Barebone-Gigabit-Firewall/dp/B07KM31GJT/ref=sr_1_1?keywords=Q575g6&qid=1572885456&s=pc&sr=1-1 with Pfsense

My solution ATM is to use FRR and OSPF. I've setup IPSEC VTI on the WANs with public ips, and one openvpn pair for each WAN2 over the natted cellular connections. I have 3 vpn connections in total between A and B. OSPF will usually default on the IPSEC connection and use OpenVPN when IPSEC is down.

I'd have set it up faster with some gateway groups and port forwards, but I expected it'd got too dirty when throwing site C in the mix. Haven't setup site C yet but I expect it will work in this setup.