SOLVED, I migrated to NethServer. Thanks for nothing!

You probably want to look at this: https://www.netgate.com/docs/pfsense/solutions/xg-7100/switch-overview.html In particular, you want to take some of the ports off of VLAN 4091 (LAN) and put them on separate VLANs tagged through the uplinks to newly-assigned pfSense VLAN interfaces. You likely don't want 1:1 NAT because you can only 1:1 NAT one address to one other (hence why it is called 1:1). What you can do is create Outbound NAT rules so each subnet egresses from a different address. Port forward inbound are controlled by which address the outside clients are told to connect to. Any outside address can be forwarded to any inside address.

Unfortunately, there is no way to put this in the middle of the wan's as I do not have another pair of fiber between buildings locations. I may just go with using as a fail-over for location two.

@duren: The simplest solution would be to stop using the modem as a router, add a switch by the modem, wire the modem to the wan port of pfsense and wire back a lan port to the switch. Another alternative depending on the flexibility of the DHCP server of the modem is to tell it to give the pfsense box as the gateway and DNS for clients. They will all go through that, of course this assumes the pfsense box is wired as lan to the modem and it's DHCP is off. Given the physical constraints, the second option sounds much more promising. This would of course mean that the WAN and LAN are directly on the same physical system, and that the hosts should all treat pfSense as their primary gateway, yes? I can turn DHCP off entirely on the Modem, so this may work. I'll have to poke at it and see how it behaves. I'm unsure if pfSense will allow me to use the same network segment on multiple interfaces (WAN, LAN, etc.). If so this should be fine, and would allow all the clients to resolve to each other as if they were all physically in the same segment, including the virtual systems.

Bridging.. WAN to LAN? or.. Trying to bridge LAN and OPT as a switch?

I have a backup pfsense box at home with only 2 nics.  WAN1 and WAN2 are on VLAN's off the same nic and connected a VLAN aware switch that is connected to the two modems.  The nics and switch are GB which is more than the combined speed of the two WAN connections so the speeds aren't much different than with my main pfsense box that has 4 nics.  Being a backup unit I don't use it much, but it works fine when I do.

@mrpsycho: Hello, i've created 2 lists: whitedomains whitenets whitedomains consists of single IP addresses per line. and it works fine with "Static Routes" and whitenets looks like that: is it possible to create Static Routes for subnets? Yes, when creating a static route, put the alias name in the Destination Network field.  This works for both host lists and network lists.  Downside is that if the alias name is changed, although pfSense will update other tables with the new name, it will not update the static routes entries, you'll have to update the name change in the static route entry manually.  Also if your host list has domain names that round-robbin, your route table will not be updated each time the DNS record is refreshed.  Best to use only fixed IP's in host list if using for static routes. As an added note, you can include single IP address in a network alias list by using /32 mask. (host list just assumes all entries are /32 mask).  This would allow you to only have to maintain one list and one static route entry associated to that list.

"Apparently like 20+ years ago when the network was made, it was a reserved address space?" Maybe not allocated to someone, but sure not reserved for local use.. What does that have to do with today.. That space is current owned by orange, and clearly not part of rfc1918… The correct thing to do would be to re ip it to more appropriate space.

It's a while since I touched a Nexus switch with VRFs. Shouldn't you have the following under the interfaces :- ip vrf forwarding VRF_NAME Also what's the HSRP and EIGRP commands doing there with a single switch, was there some config on the switch when you got it?

Firewall rules maybe ? Firewall on the local clients ? Do a packet capture the far end Diagnostics -> Packet Capture, is traffic flowing down the tunnel. I don't actually use OpenVPN, just putting some ideas out there.

Thanks for your help Johnpoz, I'll investigate on this way (state table) to see if i can solve the problem …. why are Aliases so unloved by the PfSense guru, where this feature has been touted as one of the strengths of PfSense, and what is the negative impact of their use? Does PfBlocker NG derogate from this malaise with its Aliases hijacked features? Thank you in advance for your answers.

The set-up is possible though, but the routes make zero sense. @DemoNIck: where: for the WAN interface under pfSense: General Settings: IPv4 Configuration Type: Static IPv4 Static IPv4 Configuration: 10.0.0.254/24 IPv4 Upstream gateway: NONE Reserved Networks/Block private networks and loopback addresses: NO Block bogon networks: NO Enter the ISP routers internal IP 10.0.0.1 as upstream gateway here. @DemoNIck: for the routing under pfSense: System/Routing/Gateways/ADD: Interface: WAN Gateway: 10.0.0.1 Default Gateway: YES The gateway is set automatically if you enter the IP in the WAN interface settings, as above. @DemoNIck: System/Routing/Static Routes/ADD Destination Network: 192.168.254.0/24 Gateway: WAN System/Routing/Static Routes/ADD Destination Network: 10.0.0.0/24 Gateway: WAN Why want you add routes for networks which are connected to pfSense directly? That's absurd. @DemoNIck: for the routing under my ISP's MODEM/ROUTER: #route add -net 10.0.0.0/24 192.168.254.1 The same here. On the IPS router forward the whole traffic to the pfSense WAN IP.

other factors are just examples…. thanks! will try to create "load balancing"

is there a good HOWTO for that? I have a freebsd decicated server on the internet… and pfSense...

The more information you share that is relevant..  The less you will have to pay for someone else to do it for you.  ;)