• Hello,

    I configured PFS 2 to use 2 different WANs for browsing the internet. I did it by creating 2 different WAN gateways and one Group where one of these WANs is Tier1 and the other is Tier3.

    I did it this way because I need an automatic failover more than a load balance.

    My problem is that browsing the internet is very slow. I mean, it's slower than using just the quick WAN connection (alone).
    So, I wonder if this kind of config could be improved by some kind of FW rule. Do I need to make a rule to permit external DNS resolution, permitting one external DNS connection on every WAN?
    My current configuration uses external DNS, but the DNS server is MS, and I don't use PFS at all for it.

    Thank you.

  • Does your default PASS rule on the LAN use the gateway group as its gateway? You may want to post screen shots of the LAN firewall rules page.

  • Hello,

    these are the screenshots of the FW rules from LAN and the 2 WANs. The rest of the tabs don't have any rules.

  • Netgate Administrator

    Of the firewall rules you have on LAN only your first rule (gateway WANG1) will ever be used.

    You may have those other rules in place so that you can easily disable the load balancing?


  • Yes, I realize that only the first rule will ever be used. WANG1 is the Group that contains both WANs.

    I put the other two rules permitting traffic for every WAN just in case.

    But do you see something wrong here that could be the cause for the slow speed?

  • Netgate Administrator

    No, not obviously. Your faster WAN (TelWAN?) is set to tier1 in the gateway group so all your traffic should be going via that.

    What happens if you set the gateway to TelWAN directly, rather than via the group?

    The only slightly unusual thing you have is your DNS arrangement. I'm just wondering if DNS requests are being routed incorrectly and there is some timeout you have to wait for.

    Incidentally, have you tested the failover function? Usually you have to ensure you have DNS servers set for each WAN connection in pfSense, or DNS servers that can be reached on each WAN. However, since you are using only external DNS this may not be a problem for you. Are you using pfSense for DHCP?


  • The faster WAN is VODWAN. TELWAN is a backup WAN.
    When I did a test with every WAN individually the speed was OK.

    I tested the failover by disconnecting the wire from one WAN, and the speed was still a little slower. I could browse the internet, but the speed was really poor.

    I have internal DNS (LAN) servers set up just on TELWAN. I wasn't able to find a way to assign internal DNS to VODWAN. In fact, the only way I found to set up internal DNS on TELWAN was using the CLI.
    But both DNS servers could be used on both WANs, without problem.

    I'm not using pfSense as a DHCP server. I just have the DNS Forwarder enabled on PFS, but I don't know if this is necessary on my network.
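A constructed model of the tiered gateway group and the per-WAN DNS timeout concern raised in the Netgate reply above, applied to the setup the poster describes (VODWAN tier 1, TELWAN tier 3, DNS servers assigned only to TELWAN). This is example code added here, not code from the thread or from pfSense; the DNS addresses, the 5 s per-server timeout and the exact pinning semantics are assumptions.

```python
"""Constructed model of a two-tier gateway group and per-WAN DNS reachability.
Not pfSense code; the names and semantics below are assumed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Gateway:
    name: str
    tier: int            # 1 = preferred, higher numbers are fallbacks
    online: bool = True  # what gateway monitoring would report

@dataclass
class DnsServer:
    address: str
    gateway: Optional[str] = None  # WAN it is pinned to; None = follow the group

def active_gateways(group):
    """Failover semantics: traffic uses the lowest online tier; equal tiers share it."""
    online = [g for g in group if g.online]
    if not online:
        return []
    best = min(g.tier for g in online)
    return [g for g in online if g.tier == best]

def reachable(server, group):
    """A server pinned to a WAN is reachable only while that WAN is up;
    an unpinned server is reachable whenever the group has an online member."""
    if server.gateway is None:
        return bool(active_gateways(group))
    return any(g.name == server.gateway and g.online for g in group)

def lookup_delay(servers, group, timeout=5.0):
    """Resolver tries servers in order and waits `timeout` seconds on each dead
    one before moving on. Returns (seconds wasted, server that answered or None)."""
    delay = 0.0
    for s in servers:
        if reachable(s, group):
            return delay, s.address
        delay += timeout
    return delay, None

# Constructed scenario (assumed addresses): both DNS servers pinned to TELWAN.
DNS = [DnsServer("10.0.0.10", gateway="TELWAN"),
       DnsServer("10.0.0.11", gateway="TELWAN")]

def simulate(telwan_online):
    """Return (active gateway names, lookup delay) with TELWAN up or down."""
    group = [Gateway("VODWAN", 1), Gateway("TELWAN", 3, telwan_online)]
    return [g.name for g in active_gateways(group)], lookup_delay(DNS, group)
```

With TELWAN up every lookup answers immediately via the first server; with TELWAN's cable pulled, VODWAN still carries traffic but each lookup burns the full timeout on both pinned servers, which is the kind of stall the reply above was asking about.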

  • Hi,

    any help, please?

    thank you!

  • Netgate Administrator

    Why do you have a gateway on LAN? Just for monitoring?


  • No, that gateway is the main switch, and it also works as a router between VLANs.

  • eooo :)

  • Netgate Administrator

    I have no answers I'm afraid.  :(

    So you have VLANs but you're not using pfSense with them directly?
    I'm still not sure why you need a gateway on LAN.