• pfsense are router ONLY

    8
    0 Votes
    8 Posts
    2k Views
    A
    Thanks for all your help, I have been there and trying to make it work :)
  • 0 Votes
    7 Posts
    4k Views
    H
    @johnpoz I use IPSec to create a site-to-site tunnel should the wireless bridge go down. (Hilariously, this is no longer working, but that is a different problem for a different day). I wanted to use the pfSense for the VPN clients but had too many problems setting it up with the win 10 clients. I only have two VPN clients so it is not really a problem at the moment. But I will probably sit and redesign the whole network. Or I should just get some hardware routers. The win 10 hosts are giving me hell as well.
  • Static route to WAN2 is not working

    15
    0 Votes
    15 Posts
    1k Views
    L
    @Derelict noted on that. Does a reboot also reset state?
  • Site-to-Site policy routing

    1
    0 Votes
    1 Posts
    101 Views
    No one has replied
  • 0 Votes
    8 Posts
    755 Views
    JeGrJ
    @moo82 said in During transition of default gateway, pfsense is irresponsive for various seconds: In any event, the J1900 CPU doesn't appear to support AES-NI, so you need to look into a replacement router or CPU upgrade before upgrading to pfsense 2.5. It will possibly be released at some point this year? That requirement has already been discussed and lifted for 2.5 as it will most likely not be getting the REST API. But again, it wouldn't hurt to upgrade before stepping up to 2.5 either ;)
  • set reply-to on rules for an interface group

    3
    0 Votes
    3 Posts
    1k Views
    S
    thanks for your help. actually, in my case, the easier way is to let pfsense create automagic associated rules. i was hoping to separate and delegate the nat rules to other people while managing the firewall rules which is why i wanted this feature. that's a no-go until/unless i create a rules generator. let's turn it into a nice feature request ;) there is no reason why pf would not be able to store the router's mac and incoming interface and reply-to accordingly ^^ ( i used this setup on some hacked config some years ago with a single interface but multiple gateways which was very convenient. i recollect on an ipfw+ipf based setup on bsd 7 and i actually thought it would be builtin pf ) see you around
  • Different pfSense interfaces for Wifi subnets (Unifi AP AC Lite)

    4
    0 Votes
    4 Posts
    1k Views
    P
    OK Fixed it. All working perfectly now! I had forgotten to include OPT2 in DNS resolver's LAN interfaces. That's why clients on OPT2 couldn't reach the web, they couldn't resolve sites.
  • Minimizing data use on failover gateway

    3
    0 Votes
    3 Posts
    659 Views
    Derelict
    There will always be traffic from gateway monitoring (two pings per second by default) unless it is disabled. If it is disabled you will have to do without knowing if that gateway is up or down.
  • Routing to the host of pfsense

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • Single WAN + Multi LAN

    4
    0 Votes
    4 Posts
    572 Views
    chpalmerC
    What are your LAN subnets? Does your WAN have a public address or is it behind another router?
  • /20 subnet mask

    3
    0 Votes
    3 Posts
    446 Views
    J
    @johnpoz thanks for the reply. i didn’t really think i could but was confused/intrigued. i appreciate the clear answer
  • 0 Votes
    1 Posts
    199 Views
    No one has replied
  • 0 Votes
    1 Posts
    341 Views
    No one has replied
  • 0 Votes
    4 Posts
    946 Views
    S
    @SergeCaron This is the result of a configuration error. Mine, of course! The "Disable Gateway Monitoring Action" option was checked on the Tier 1 Gateway on Box #1. Clearing this option, everything is working as expected on both boxes. Regards,
  • Separating VoIP and Data on separate WANs

    Moved
    3
    0 Votes
    3 Posts
    175 Views
    E
    Thanks!!
  • pfsense redirect sites through different links

    5
    0 Votes
    5 Posts
    398 Views
    M
    @Bruno27live said in pfsense redirect sites through different links:
    could anyone teach me how I can target sites by the desired link? ex:
    link1 = all sites - not youtube
    link2 = balancing with link1 all sites - not youtube
    link3 - youtube only
    I really need to know how to do this. I do not understand much about nat. the youtube site is just an example and I also intend to use it in aliases for more than one site.

    If you are able to match the traffic in a reliable way, then it's just about setting a specified gateway (link3) for this traffic. For some multiple connection protocols like passive FTP or external services using some content delivery system, it may be hard or impossible to do without some application detection layer in-between.

    link1 and link2 in load balance mode, remove link3 gateway from this load balance group if it's in there. Let's say link3's gateway is called link3GW.

    Let's say the service in question, named 'ex1' uses TCP at ex1a.example.com:8855, ex1b.example.com:8855, and ex1c.example.com. Your entire local network is on LAN port. You could then make a port alias for 8855 named 'ex1_ports', and an IP alias named 'ex1_sites' listing ex1a.example.com, ex1b.example.com, and ex1c.example.com. On the LAN tab, above where this traffic is allowed out now, you set up
    Pass, type TCP, source: *, destination: ex1_sites, destination port: ex1_ports
    In the advanced section, you go to Gateway and set this to link3GW. This rule will then show an icon in the rules list to let you know you set an advanced option.

    Let's say the next service in question is named 'ex2' and uses UDP at *:8080-8099. Make a port alias for 8080-8099 named 'ex2_ports' and on the LAN tab below the ex1 rule you add
    Pass, type UDP, source: *, destination: *, destination port: ex2_ports
    In the advanced section, you go to Gateway and set this to link3GW. This rule will then show an icon in the rules list to let you know you set an advanced option.

    If a single computer or set of computers in your LAN use some service on random sites at TCP:443 which should use link3GW, then you make an alias for these computers (ex3_lan_servers) and set them as a source alias, with the rest of the setup same as before. All other eventual HTTPS traffic from these computers would then also use link3GW unless you use another rule to match some of that traffic to the load balanced GW.

    If the external service is an FTP server then you would make an alias for the host(s) and just not set a destination port. The random port data connection would then also be matched to link3GW. We use the FTP_Client_Proxy for this, and I think it may work if it doesn't add its rules to the top of the ruleset, above your redirect rules (I think the default is to add to the bottom).

    If there aren't any identifying characteristics of the source or destination you won't be able to match the traffic, and can't set a specified gateway. There must be some identifying feature to divert the traffic this way.
  • Error in detecting WAN public IP in Dual WAN setup

    dual wan dynamic dns
    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
  • 0 Votes
    2 Posts
    675 Views
    S
    @SergeCaron (Sheepish grin) I figured out the "cannot uninstall cleanly" caution in Patch Manager. I installed the patch and Patch Manager happily reports it can be uninstalled cleanly. Unfortunately, I can no longer reproduce the disappearing Gateway issue: even if I force a complete disconnect of Tier 1, the Gateway Group does not switch to Tier 2. So, I will close this issue for now.
  • Subnet routing within the same LAN

    12
    0 Votes
    12 Posts
    827 Views
    johnpoz
    You can tag all you want - doesn't mean anything if your switch doesn't support vlans
  • Multi-Wan routing issue to standby WAN address

    multi-wan routing assymetric
    3
    0 Votes
    3 Posts
    783 Views
    S
    @jimp Thank you! Works perfectly as you described. Regards,
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.