You can accept connections and port forward into either. reply-to will work its magic. OP gave no information regarding the port forward itself, so…

PTP SSL/TLS with a tunnel network larger than a /30 puts the server side into server mode. This means that you have to have remote networks on the server configuration to get the traffic into OpenVPN then you also have to have Client-Specific overrides with the remote networks set to tell OpenVPN which client to send the traffic to. Even if there is only one. You might try setting the tunnel network to /30 ands see if things start to make more sense. Especially if there will only ever be one client.

Ok please disregard my previous messages. I disabled CDP in the wireless bridge links on both ends and now the traffic is flowing as intended.

@johnpoz: So did you call your ISP??  Maybe they do not support bridge.. This is not place to help you or troubleshoot if your isp device support bridge mode, or if you isp even allows it. Call them!!!  Ask them if you can put their device in bridge mode - problem solved. If not then use pfsense with a double nat, its not the end of the world. Well, well, well, ….. We finally get their. I have managed too get an external ISP provided I.P Address. I need too explain a few things because I'm not 100% on whats going on. I went in too my router, looked at every possible setting and configuration and eventually found DHCP under LAN settings; being listed under, WAN, LAN, WiFi and USB Devices. I disabled WiFi, Disabled DHCP under LAN and also set WAN too Bridge Mode LLC. Switched the router off for 5 seconds as thats the amount of time it takes to do a hard reset. I reset PFSense too Factory Defaults, Immediately picked up an external I.P Address from my ISP Provider and currently have my PFSEnse Firewall set on the 192.168.1.1 Network. I was simply trying every option available when setting LAN to use DHCP as I was not sure if this would be needed as I have multiple home computers connected too a switch. Also NAT is automatically turned off by default when setting Bridge Mode in my ISP Box Router. Resetting PFSense too factory defaults using option 4) in the main terminal of the boot screen done the trick after finding the DHCP Config setting in my router basically. So yeah I totally get I have made my self out to be a complete idiot and I apologize for taking up so much of your time. I am now connected threw PFSense on my Rack Server and using my ISP Box as a modem. After all that, over the past several days I understand not what too do and what too do as I have been taking mental notes about the overall config and set up on a third party home system such as my Rack. In my case disabling DHCP under LAN for the LAN I have at home. Setting to Bridge Mode and disabling NAT  along with WiFi . It was the DHCP I was getting confused over and when I first started posting, the DNS Servers. I have learned a lot from this as I have been watching youtube Videos about DHCP handing  out I.P Address and how it works hence why I could not connect on my Home PCs. I just have a couple of questions. When setting up PFSense and having too disable DHCP in LAN on the given ISP Box Router and also having too Bridge the connection; turn of NAT and WiFi; is this the case for every custom set-up as in a DIY Build. Basically installing it your self. I've been on this for several hard days and the mistakes I have made now seem genuinely stupid when I thing about the Logicalities involved and how the overall set up would work. Am I correct in thing for DHCP; this is basically assigning I.P Addresses . DNS basically the look up of I.P Addresses and NAT is basically; the Name Address Translation Tables. Were as the like of I.P Ver.4 being the protocol used. I'm not sure what I did wrong with regards to setting up LAN as it wouldn't connect until after I done a factory reset of PFSense the the main terminal. BUt I now know a lot more than I did so thanks for sticking with me johnpoz. I appreciate it greatly.  8)

Thanks, I've just realized that the problem is on the NAS side, not pfsense

Sorry for delayed response. Was travelling for work. So today I was able to tinker with my set up a little more and was able to figure it out with your help. I was missing the PVID setting on my switch. I had to: 1. Configure the VLANs on both the router ans switch 2. Assign specific switch interfaces as members to my VLANs 3. Set the PVID for the ports I tagged Once I did that, I was able to plug my laptop into ports 1-12 and get assigned an ip of 10.11.12.x 13-18 an ip of 10.11.13.x 19-24 an ip of 10.11.14.x Now onto the rest. Thanks for the great info @Derelict! :D

What you are trying to do has nothing to do with the firewall as such. You will want to implement split dns for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.

Hi Heper, Thank you for help Now all connection online again Root Cause: Wrongly configure modem Solution: change modem [image: 1.png] [image: 1.png_thumb]

So your saying have a route but when you do a traceroute from the client its not taking that route.. Ping doesn't test that a route was followed or not.

Ok, I think this is what happened: Since the last failover, there was 8.8.8.8 state left active. And probably it was being used so frequently that it stayed active days after Failback. For me, it looked like new 8.8.8.8 queries were routed to the passive node, but actually, PFSense respected active state and routed new queries to WAN2. After deleting the remaining state manually, no more "weird" 8.8.8.8 traffic to WAN2. Axel.

According to my searches, PFSense only uses Round Robin. So the use case of load level based LB is not an option. Maybe there is a service for that(?) And for the second question: those failover groups are absolutely unnecessary if you only plan to use Load balancing. I think that quite a many PFSense has those unnecessary configurations just because they are mentioned everywhere just for an example of three kinds of setup. It's a bit shame that PFSense has nothing but round robin. Axel.

@wederer: Hello, please take a look at my setup in the attachement. Our DSL line is veeery unstable. That is why we have bought a LTE router which serves as a backup. Right now we still have to manually unplug the DSL router and plug in the LTE router which can cause quite a lot of downtime. In addition to that we use VOIP which is not integrated into our router, but managed by another hardware. This often results in a bad voice quality as the VOIP traffic is not being prioritized. So question 1: Is is possible to use the dsl router as the main router and the lte router as the backup and have this setup managed by pfSense? Can port forwarding, VPN and so on be managed by the pfSense or does it have to be configured in the dsl/lte router? Question 2: Is QoS management possible via the pfSense? Or do the other two routers "block" this feature? Any help is greatly appreciated! Answer on question 1: Yes you can do that. But my question is which one is more stable internet, the DSL or LTE? if LTE is more stable connection, you can setup route based policy to route all voice traffic to LTE then the rest of network will be going to DSL. This is a very common setup for multi-wan. I also have similar setup where I have 3 ISP, one dedicated for guest and NAS and one is used by Voip and the rest of them is for data. Answer question 2: you don't need QoS if you can setup like I mentioned on question 1 properly. The only QoS will be needed if you are using same internet for voice and data.

Sorry, the 192.168.1.0/24 subnet now passes traffic after I added the static route, but is not resolving DNS. So, if you're a client on 192.168.1.0/24, no DNS resolution. I tried putting PF Sense as the DNS IP (10.10.1.1) and also directly to the DNS provider and no luck. I'm still experimenting with this so I'll get back to you before I ask it again. I made a rule to tag DNS pass traffic on that interface to see if it's getting to PF via log checking. Will post when I see what's up.

In a nutshell a default gateway is the gateway used to try when there is no more specific route to get there.  But with GruensFroeschli here a bit of rephrasing or some more context would be needed to help you answer your question.

Generally, you set the lan outbound rule to use a failover group, but the firewall itself does not. This is usually not a problem, but there is a setting under advanced, misc. to allow gateway switching.

Thanks I have got it working now. One of my colleagues set the VLAN id to 2 without telling me so I had to make sure everything matched up - added some static routes and it's working now. Cheers.