Okay, after reading and testing some stuff i could answer the question myself. I enabled forwarding in the unbound / Dns-Resolver settings and set up some dns server for each gateway in general setup. Then i set my LAN ip Address of the firewall as DNS Server for OpenVPN and Ipsec clients.

It has been a while. So I'm happy to present to you my final working solution. Using Version 2.4.2-RELEASE-p1 (amd64) Have a pfSense Firewall with 2 WAN connections (Failover). Created Gateway Group [FAILOVER] with 1 x Wan Tier 1 und 1 x Wan Tier 2. Wan Tier 1, is a DSL Connection. Call it WAN_Main Wan Tier 2, is a 4G backup connection. Call it WAN_4G On my firewall, I configured an OpenVPN client. [u]This client should always be connected to a server in the cloud AND use WAN_Main if online[/u]. So, if WAN_Main fails, the vpn should fallback to WAN_4G. As soon, WAN_Main is back online, the vpn client reconnects with WAN_Main. To do so, create a VPN Client as usually, but use Gateway Group [FAILOVER] as interface.

Nobody any ideas? Can't make it work sadly…

If your running the connection from pfsense to a vm host… Then you don't need a switch even and you can do tagging and use vswitches with port groups to accomplish what you want. But if your going to break this out into the real world network and connect to a switch and send use multiple layer 3 networks.. Then yes your going to want to isolate said networks at layer 2 with vlans. Don't be that guy - forgo that pizza or that case of beer and get a switch that can do tags.. I mean really its 30 freaking $'s - shit you can drop that in after work beers on a tuesday..  Which I am sure I will prob do tonight ;) Don't be that guy [image: wrong-tools2.jpg] Your switch may or may not pass the tags… But that is really not the point..  Its not going to teach you anything, and all it does is promote bad habits... There is one thing when hey this needs to be up and running in 30 minutes, and all I have is this dumb switch and production is down.. Can we connect using this dumb switch and run multiple layer 3 on the same layer 2 until the replacement switch comes in. And then there is oh lets save $5 and just use this dumb switch.. You get a pat on the back for scenario 1, you get fired and ridiculed by your peers in scenario 2.. So there is knowing that it "can" be done.. And then there is being smart enough to know that nobody should do that.. Your not using duct tape to save yourself on Apollo 13 here.. What your doing is breaking out your hack saw to cut the pizza because your tool lazy to open the drawer and pull out the pizza cutter.

Thanks a lot for replying.

I think I got it. The key word is 'internal interface': it means the LAN interface. So I have to edit the default LAN rule and set the gateway group instead of tge default gw. Yesyerday I've done that but something unexpected happened: all hosts on lan was unable to comunicate (ping each other). Some like that happens in case of loop in the switch. Monday I'll double check my configuration. My pfsense is installed on an alix (so physical, no virtual). All 3 nic are connected to the switcn amd I had no problem till I set the gateway group on the lan default rule. Any hint is wellcome.

@johnpoz: yeah can be done with just 1.. Not sure why you think it couldn't? Your using a reverse proxy from the outside into your dmz. I realised that is more easy to do this whith only one pfSense in HA clúster. Thankls for help.

For egas_tt only It was a design issue. Basically 2 interface DGs cannot be set to point at each other. 1 of the 2 need have no if-dg. Osfp helps avoiding to create default routes. Wonderful Pfsense ! :o 8) ::)

I have managed to get 8.5Mbps. :) :) :) the problem was on squid!!!!

i think i found the problem. my pfsense interface is displayed in french. i try to change the language to english to take screenshots and surprise, the gateway choice is back. so there is a bug with some foreign language interface.

I think he means the switches SVI is 10.1.10.1?? If your switch is L3 and doing the routing between your downstream vlsns, then it would need an interface with IP in each of these vlans.  This SVI becomes the gateway devices in these vlans. The network between pfsense and this downstream router now is just transit. A /24 is a huge transit - you do not have hosts on these network do you.  If so you going to have asymmetrical routing unless you create routes on each host. For pfsense to be an upstream router the interface that is the transit needs to allow for the downstream networks.  And if you changed the outbound nat rules from auto you will have to adjust those after you create your gateway and route(s) on pfsense telling it which networks are downstream.

It was idle OpenVPN connection from third machine from the LAN keeping tunnel and packets going!!