If you use Routed IPsec (VTI) then you would have an IPsec gateway for each tunnel that you could use with a gateway group. Though because VTI doesn't support reply-to it may not be as ideal as it could be, the return traffic would only take one of the two WAN tunnels. You can pull it off easier with OpenVPN (tunnel up on each WAN, assign the interfaces, use gateway groups + firewall rules only on the assigned interface tabs)

Probably you're missing the outbound NAT rule for the VLAN you want to direct over the VPN. To get better help here, you have to provide more details about your setup: vpn client config interface settings firewall rules outbound NAT rules

Well I can safely say that "It's not pfSense."

hi again and thanks. i built a trunk port on Cisco then set 3 vlan on pfsense ethernet. 1 managment 2 for wan1 and 2. on the other pfsense ether i just set other 2 vlan for out put to mikrotik. on mikrotik i built 2 vlan on one of the ether. thanks lot for helping me.

@joshuamichaelsanders said in AWS Load Balancers and AWS: ancers with pfSense? Can anyone step me toward a b BUMP. Curious if anyone has used ELB, either classic or the new model, with pfSense.

The PC2 will not be connected to the OpenVPN interface! The outbound NAT rule has to be on the interface where PC2 is connected to.

I dont think it is because of bug as we found no issue in Backup firewall. there must be some malfunction happened while changing the IP of WAN interface... Still searching for the root cause...

Give us an example of traffic that you are trying to pass here, actual source and destination IPs. It seems likely that the traffic is not hitting the outer firewall at all. Alternatively the target may not be using that as route back if the source is a public address. Run packet captures. See what traffic is actually arriving on which interfaces. Steve

Yes, nothing will change unless you change it. For example: https://www.netgate.com/docs/pfsense/book/openvpn/openvpn-and-multi-wan.html Steve

Not without a client side program to manage that. The existing firewall state(s) will be via the WAN that went down so that needs to timeout and be re-established on the the WAN. Steve

You have no idea how thankful I am. This works for me perfectly (https://forum.netgate.com/topic/131412/solved-alternative-to-sticky-connection-option/2) Thanks.

Ahh, okay. So one static route in the pfSense: 192.168.0.0/17 via 192.168.120.2 Thanks so much for your help dotdash!

Thanks for that. I will cross post this in VPN. These are all IPSec site to site connections.

You need: to add this second IP as IP Alias (Firewall/Virtual IPs) to add Outbound NAT rule for this VLAN ("for traffic originating from only one of my VLANS") like Source: this VLAN net Destination: Any Translation Address: this Virtual IP https://www.netgate.com/docs/pfsense/book/nat/outbound-nat.html?highlight=outbound%20nat

Thanks for the support given so far. At seems as though I was to early. A couple of hours after Hetzner said they made the change in routing it started working. So now everything works as it should.

@johnpoz I like to NAT, so I will use VIP.

Really dumb. I had a default gateway set on the interface, and the default gateway was the other router. Fixed now.

I found why. My mobile operator don't send public IP to their client. A NAT is used between a public IP and the terminal. So, modem retreive a private IP from this NAT operator. Thank anyway Derelict.