Grrrrrrrrrrrrr. Found the problem and it was of course my fault. I had a client specific override for my user account (which I knew about but never checked). In there, the 192.168.2.0/24 network was set as a "Remote Network" instead of a "Local Network." Deleted it form remote networks, added it to local networks and now all is working. I didn't realize there was an option for "Remote Networks" as that's not an option for the actual OpenVPN server itself.

Hi guys, Thanks for your help, I guess it's because of a NAT thing, there is an extra layer between me and the host I cannot connect to. I'm off to go move some cables around :) Thx again /tony

@viragomann Good to know. I will need to enable "skip rules" and put a "block" rule after. I do not want email services egressing anywhere except WAN_1_IP2

All working. I forgot to enable NAT Reflection (and I only had the bright idea of trying to go to https://virtualIP using my phone off WiFi. Thanks for your help guys!

Anyone?

@johnpoz Dear John, Thank you. My issue solved. I got confused and made everyone confuse. WAN- 203 Series LAN - 192 Series (192.192. series will change in few days to 192.168.) Currently Windows DC is running in that 192.192 series. So will change in few days. Please find the below link. https://forum.netgate.com/topic/134674/how-to-configure-3-ip-s-internet-restriction/20 Big Thanks to you John. No words to express my gratitude. Lokesh Kamath

Only 23days to find a problem.... I wish my bosses were as nice

I'm afraid I won't be of too much use here, but it did occur to me to ask whether you really mean 50MB (as in 50 megabytes per second, or 400 megabits per second)? I'm assuming that's the case, because 50 megabits per second certainly shouldn't be stressing anything. Additionally, is the connection symmetric (50 upstream too)? Also I don't know whether this is really an option, but if possible I might suggest backing up your configuration and performing a fresh installation. Then you can see whether the problem exists even when you're starting from zero with no packages installed.

IPsec is ... faster.

Hello, thanks to fill my great ignorance; with your help I resolved the issue. Now I have this in the rule for LAN interface: [image: 1535450236460-pfsense_rule_1-resized.png] and on the outbound NAT I set the correct interface: [image: 1535450278183-pfsense_rule_2-resized.png] But now please you can explain something about that? The first thing is how I can go out via the 88.45.191.140 path even if I am on the WAN interface; or better, when I do traceroute I see that correctly I go out through the "desired" path and not that it is of default. The second question if about the starting path, i.e.: with the configuration that I have done initially I've seen that the flow is: 192.168.0.3 (swi1) 192.168.0.31 (pfs1) network desired hop while now with the correct gateway setup on lan->net 7 rule I see only 192.168.7.7 (swi1 address hsrp for net 7) *network desired hop so it seems that the pfsense is not engaged. Thanks.

Using failover, you do have to call out the group in the firewall rule. So yes if you want to allow traffic to your local vlans and not go out the specific gateway this is how its done. Its gone over here https://www.netgate.com/docs/pfsense/routing/multi-wan.html And in the book with more detail - everyone now has access to the book... I would suggest you take a look ;) https://www.netgate.com/docs/pfsense/book/multiwan/index.html

According to my testing sticky connection is not working as you described. When opening several connections from one machine both wan gateways are being used. And there are persistent connections still active AND all connections are established within sticky connection timeout. If it is supposed to work client based it is not doing that in practice. And that causes issues when a single software opens multiple connections and those are routed through different wan gateways. One test I made was pretty clear: opening www.whatismyipaddress.com in two browsers -> different wans. A.

Hello @tejas you NAT outbound rules?

"OpenVPN-GW" is handled as a gateway group including all OpenVPN instances (servers and clients) on pfSesne. So if you running multiple OpenVPN instances on L assign an interface to the concerned one and use the gateway of it for policy routing. On pfSense R add an outbound NAT rule to the WAN interface for the source network opt1, translating source addresses to the WAN address.

So your internet connection is what exactly 10ge? Multiple gig over a 10ge interface.. Multiple smartjacks... How exactly is this isp connection with multiiple IPs presented to you? Is it a 802.3bz into a switch and you want to run multiple gig interfaces into the same switch on the same L2 to be able to leverage the higher than gig connection? Unless your bandwidth is higher than what your interface can handle at the physical layer - there is zero reason not to use just a vip or a vlan, etc. I have 100mbps internet with /24 for ips - why would I need multiple physical interfaces to use all those IPs if I have gig interface?