• So I have a four port pfSense box. The dashboard tells me it is Release 1.2.1  (Old I know but Stable.)

    So I need to take VR3 and instead of it connecting to a Comcast Router, I want to add a four port switch and connect the Comcast and a New AT&T.

    I thought I knew how to do this – But it does not work --

    • Added a Virtual IP for my AT&T assignment - Type IP Alias

    • Added a Gateway for the AT&T Router - Using the Same Interface Name as the Comcast (VR3) ...

    ---- Gateway Status is always - Offline--

    Do I actually need a New Interface on VR-3 ?


  • In fact when I do a ifconfig -a

    vr3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
    ether 00:00:24:ce:df:17
    => inet netmask 0xfffffffc broadcast
    inet6 fe80::200:24ff:fece:df17%vr3 prefixlen 64 scopeid 0x4
    => inet netmask 0xffffffff broadcast
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active

    But the Gateway still shows Failed –

  • You have to set the mask of the AT&T (virtual IP) so that the gateway is inside the subnet! You have a /32 mask!

  • Okay,

    So I caught that as well it's a /29

    The gateway address is at the top of the range .46 and the VR3 address is .45

    I restarted apinger after I changed it but still no joy..  Gateway is down -


    vr3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
    ether 00:00:24:ce:df:17
    => inet netmask 0xfffffffc broadcast
    inet6 fe80::200:24ff:fece:df17%vr3 prefixlen 64 scopeid 0x4
    => inet netmask 0xfffffff8 broadcast
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536

  • PS: I can ping the AT&T router from the Diagnostic Ping function -


  • You can ping the router which is the gateway, but the gateway is shown as offline?  ::)
    So check the gateway monitoring settings. That does nothing other than ping.

  • Okay,

    Just where do I check those settings –

    If I go into System => Routing => Gateway -  I have the disable option and the Advanced setting, but I don't see a way to affect apinger -


    Also, looked at Advanced Settings but the Gateway rules there only have to do with NAT States.

  • So the gateway monitoring for the AT&T gateway is enabled and you haven't entered an alternative monitoring IP (don't know if this option was there already in 1.2.1)?
    If so apinger should ping the gateway IP like you do in Diagnostic menu.

    Ah! There may be another reason for this issue. The outbound NAT. You have to add a separate outbound NAT rule for traffic directed to the AT&T. Have you done that?

  • Outbound NAT is set to Automatic - -

  • So pfSense would translate all outgoing packets' source to its WAN address, which isn't known by the router, so it will send its responses to the internet and they will never reach pfSense.

  • So,  I understand what you are saying –

    The Comcast link  primary on the VR3 interface is using its address to ping its gateway --

    However, the AT&T link, Secondary as an Alias is using the Comcast address of VR3 to ping the AT&T gateway so the icmp cannot come back -

    How do we tell apinger to use the Alias, which by the way is what I had to do in the diagnostic for the ping to work -

  • As mentioned already above, add an outbound NAT rule for this traffic.
    Switch outbound NAT rule generation to manual. The automatically generated rules should be preserved, I think.
    So you can copy the rule for source (pfSense itself), edit it and set the destination to the AT&T subnet and the translation address to the virtual IP.

    You will also need additional rules for traffic you want to direct to AT&T.

  • Ah,

    But that's my headache –  I have these in a Group for generic Internet traffic (aka Default Route), and there are three Gateways Tiered 1, 2 & 3.  VR0 has 3, and VR1 has 1,2  and  VR 2 has LAN and VR3 has DMZ.

    So if I add a specific route for say yahoo.com through the AT&T gateway (1) and it fails, then it cannot fall back to the Comcast (2) Gateway -

    Think the answer is going to be an expansion card and a new interface.

    Thank you.


  • Surely, this will be the best way. So you have both WANs on pfSense and the box can manage a failover.

    And also a new version of pfSense will be recommended.  :)
    My first version was 1.3, but only for playing around.
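
An added example, not part of the original thread: a Python check for the two points raised above, whether the gateway falls inside the alias subnet (the /32 versus /29 mask) and which source address a monitoring ping needs for the reply to come back. The addresses are constructed from documentation ranges, keeping only the .45/.46 host parts and the hex netmasks from the posts; the function names are hypothetical.

```python
import ipaddress

def parse_inet(addr, hexmask):
    """Build an interface address from an IP and a BSD-style hex netmask."""
    mask = ipaddress.IPv4Address(int(hexmask, 16))   # 0xfffffff8 -> 255.255.255.248
    return ipaddress.IPv4Interface(f"{addr}/{mask}")

def gateway_check(addrs, gateway):
    """Return (on_link, source) for a gateway given one interface's addresses.

    on_link: the gateway lies inside one of the configured subnets.
    source:  the local address in that subnet, i.e. the address the gateway's
             router can answer directly.
    """
    gw = ipaddress.IPv4Address(gateway)
    for iface in addrs:
        if gw in iface.network and gw != iface.ip:
            return True, iface.ip
    return False, None

def reply_reaches_firewall(source, addrs, gateway):
    """True if a ping sent from `source` gets its reply back on this link."""
    on_link, expected = gateway_check(addrs, gateway)
    return on_link and ipaddress.IPv4Address(source) == expected

# Constructed sample data (assumed addresses, not taken from the thread).
PRIMARY = parse_inet("203.0.113.2", "0xfffffffc")      # first WAN, /30
ALIAS_32 = parse_inet("198.51.100.45", "0xffffffff")   # alias as first entered
ALIAS_29 = parse_inet("198.51.100.45", "0xfffffff8")   # alias after the mask fix
SECOND_GW = "198.51.100.46"                            # second WAN's router

if __name__ == "__main__":
    for label, alias in (("/32 alias", ALIAS_32), ("/29 alias", ALIAS_29)):
        on_link, src = gateway_check([PRIMARY, alias], SECOND_GW)
        print(f"{label}: gateway on-link={on_link}, usable source={src}")
    for src in (PRIMARY.ip, ALIAS_29.ip):
        ok = reply_reaches_firewall(str(src), [PRIMARY, ALIAS_29], SECOND_GW)
        print(f"ping from {src}: reply returns={ok}")
```
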