Set-up pfsense+lusca-cache with multi-WAN or dual-WAN links

Version: pfsense 2.0-RC1 (built on Sat Feb 26 15:30:26 EST 2011)
ISO download: http://www.mediafire.com/?1a1mwiw1198dd66

NETWORK DIAGRAM

PFSENSE STEP BY STEP HOW-TO DUAL WAN

1.) Configure your wan1 and wan2 interfaces (Static IP or DHCP) and Gateways correctly.

[Figure: wan1 example]
[Figure: wan2 example]

Test your gateway (ping the router).

2.) Configure your DNS server in the "General Setup" tab

[Figure: example]

Some explanations:
- The provider for WAN1 uses 2 DNS servers. I configure the correct gateway to reach these DNS servers.
- The provider for WAN2 uses the gateway as DNS server (!). In this case, I didn't configure the gateway to reach the DNS.

3.) Configure a "Gateway group" in the "Routing" tab

Check the existing gateway (you may have one as "Default Gateway"). As a monitor IP, I use the DNS servers of the providers.

Click on "Groups" and add one:
- Choose Tier 1 and Tier 2 to prioritize a gateway (failover)
- or choose the same priority (load-balancing)

In my opinion, "Packet Loss" is a good trigger.

[Figure: result]

4.) Set-up firewall rules

Set up a "Floating" rule with the following parameters.

Explanations:
- The floating rules apply on multiple interfaces
- Choose your WAN1 and WAN2 interfaces, and direction "out"
- Choose "HTTP" as destination port
- Specify the gateway with "MULTIWAN" (the most important thing!)

[Figure: result]

You can also create another rule (optional) to use MULTIWAN with other flows.

[Figure: example on the LAN interface]

5.) Set-up manual Outbound NAT (AON option)

In the "NAT" tab, check "Manual Outbound NAT rule generation". Then add 2 mappings, one each for the WAN1 and WAN2 interfaces:
- Protocol = any
- Source = any
- Destination = any
- Translation = Interface address

6.) Configure the Squid Web Proxy correctly (the tricky thing!)

I assume that you have installed the Squid (Lusca-Cache) package. In my case, I also installed SquidGuard (filter) and LightSquid (reports).

In the "Proxy server" tab / General settings, add the loopback interface.

I also use a "transparent proxy". If you choose to activate this option, you must change the port for the pfSense Web GUI (HTTPS instead of HTTP) in the "Advanced" tab.

Then you have to add a Custom Option at the bottom of the page:

Code:
    tcp_outgoing_address 127.0.0.1;

Don't forget to end with a semicolon.

7.) Test it!

- Open your favorite Web Browser (Firefox) and go to "www.whatismyip.com".
- Unplug the "Tier 1 router" and reload the page. Your IP address may change in case of failover.

Comments on this document are welcome. Thanks to all!
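
The Squid side of step 6 can be checked mechanically. The following is an added example, not part of the original how-to: a POSIX sh function that reads squid.conf text (or the Custom Options string) on stdin and confirms that an http_port listens on the loopback address and that the first unconditional tcp_outgoing_address is 127.0.0.1. The sample configs, port 3128, the LAN address 192.168.1.1 and the ACL name wan1_users are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Squid directives that step 6 relies on.
# Input on stdin: squid.conf text, or the GUI "Custom Options" string
# (semicolon-separated, as entered in the pfSense package page).
check_squid_multiwan() {
    sed 's/#.*//' | tr ';' '\n' | awk '
        $1 == "tcp_outgoing_address" && !catchall {
            # Squid stops at the first line whose ACLs all match. A line
            # with no ACL matches every request, so nothing after it counts.
            if (NF == 2) { catchall = 1; addr = $2 }
            # An earlier ACL-bound line with another address overrides
            # 127.0.0.1 for the requests that ACL selects.
            else if ($2 != "127.0.0.1") early = early " " $2
        }
        # "add the loopback interface": expect a listener on 127.0.0.1.
        $1 == "http_port" && $2 ~ /^127\.0\.0\.1:[0-9]+$/ { loopback = 1 }
        END {
            if (!catchall) {
                print "FAIL: no unconditional tcp_outgoing_address"; bad = 1
            } else if (addr != "127.0.0.1") {
                print "FAIL: catch-all tcp_outgoing_address is " addr; bad = 1
            }
            if (early != "") {
                print "FAIL: ACL-bound address(es) win first:" early; bad = 1
            }
            if (!loopback) {
                print "FAIL: no http_port on 127.0.0.1"; bad = 1
            }
            if (!bad) print "OK: proxy egress is sourced from 127.0.0.1"
            exit bad + 0
        }'
}

# Constructed sample that matches step 6 (not taken from a real firewall).
sample_good='http_port 192.168.1.1:3128
http_port 127.0.0.1:3128 transparent
tcp_outgoing_address 127.0.0.1;'

# Constructed sample where an ACL-bound line pins some clients to one
# address before the loopback line is reached.
sample_bad='http_port 127.0.0.1:3128 transparent
tcp_outgoing_address 203.0.113.10 wan1_users
tcp_outgoing_address 127.0.0.1;'

printf '%s\n' "$sample_good" | check_squid_multiwan
printf '%s\n' "$sample_bad"  | check_squid_multiwan || true
```

On a live system, feed the function the generated squid.conf on stdin; the exit status is 0 only when every check passes.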