@johnpoz: So did you call your ISP??  Maybe they do not support bridge.. This is not place to help you or troubleshoot if your isp device support bridge mode, or if you isp even allows it. Call them!!!  Ask them if you can put their device in bridge mode - problem solved. If not then use pfsense with a double nat, its not the end of the world. Well, well, well, ….. We finally get their. I have managed too get an external ISP provided I.P Address. I need too explain a few things because I'm not 100% on whats going on. I went in too my router, looked at every possible setting and configuration and eventually found DHCP under LAN settings; being listed under, WAN, LAN, WiFi and USB Devices. I disabled WiFi, Disabled DHCP under LAN and also set WAN too Bridge Mode LLC. Switched the router off for 5 seconds as thats the amount of time it takes to do a hard reset. I reset PFSense too Factory Defaults, Immediately picked up an external I.P Address from my ISP Provider and currently have my PFSEnse Firewall set on the 192.168.1.1 Network. I was simply trying every option available when setting LAN to use DHCP as I was not sure if this would be needed as I have multiple home computers connected too a switch. Also NAT is automatically turned off by default when setting Bridge Mode in my ISP Box Router. Resetting PFSense too factory defaults using option 4) in the main terminal of the boot screen done the trick after finding the DHCP Config setting in my router basically. So yeah I totally get I have made my self out to be a complete idiot and I apologize for taking up so much of your time. I am now connected threw PFSense on my Rack Server and using my ISP Box as a modem. After all that, over the past several days I understand not what too do and what too do as I have been taking mental notes about the overall config and set up on a third party home system such as my Rack. In my case disabling DHCP under LAN for the LAN I have at home. Setting to Bridge Mode and disabling NAT  along with WiFi . It was the DHCP I was getting confused over and when I first started posting, the DNS Servers. I have learned a lot from this as I have been watching youtube Videos about DHCP handing  out I.P Address and how it works hence why I could not connect on my Home PCs. I just have a couple of questions. When setting up PFSense and having too disable DHCP in LAN on the given ISP Box Router and also having too Bridge the connection; turn of NAT and WiFi; is this the case for every custom set-up as in a DIY Build. Basically installing it your self. I've been on this for several hard days and the mistakes I have made now seem genuinely stupid when I thing about the Logicalities involved and how the overall set up would work. Am I correct in thing for DHCP; this is basically assigning I.P Addresses . DNS basically the look up of I.P Addresses and NAT is basically; the Name Address Translation Tables. Were as the like of I.P Ver.4 being the protocol used. I'm not sure what I did wrong with regards to setting up LAN as it wouldn't connect until after I done a factory reset of PFSense the the main terminal. BUt I now know a lot more than I did so thanks for sticking with me johnpoz. I appreciate it greatly.  8)

Thanks, I've just realized that the problem is on the NAS side, not pfsense

Sorry for delayed response. Was travelling for work. So today I was able to tinker with my set up a little more and was able to figure it out with your help. I was missing the PVID setting on my switch. I had to: 1. Configure the VLANs on both the router ans switch 2. Assign specific switch interfaces as members to my VLANs 3. Set the PVID for the ports I tagged Once I did that, I was able to plug my laptop into ports 1-12 and get assigned an ip of 10.11.12.x 13-18 an ip of 10.11.13.x 19-24 an ip of 10.11.14.x Now onto the rest. Thanks for the great info @Derelict! :D

What you are trying to do has nothing to do with the firewall as such. You will want to implement split dns for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.

Hi Heper, Thank you for help Now all connection online again Root Cause: Wrongly configure modem Solution: change modem [image: 1.png] [image: 1.png_thumb]

So your saying have a route but when you do a traceroute from the client its not taking that route.. Ping doesn't test that a route was followed or not.

Ok, I think this is what happened: Since the last failover, there was 8.8.8.8 state left active. And probably it was being used so frequently that it stayed active days after Failback. For me, it looked like new 8.8.8.8 queries were routed to the passive node, but actually, PFSense respected active state and routed new queries to WAN2. After deleting the remaining state manually, no more "weird" 8.8.8.8 traffic to WAN2. Axel.

According to my searches, PFSense only uses Round Robin. So the use case of load level based LB is not an option. Maybe there is a service for that(?) And for the second question: those failover groups are absolutely unnecessary if you only plan to use Load balancing. I think that quite a many PFSense has those unnecessary configurations just because they are mentioned everywhere just for an example of three kinds of setup. It's a bit shame that PFSense has nothing but round robin. Axel.

@wederer: Hello, please take a look at my setup in the attachement. Our DSL line is veeery unstable. That is why we have bought a LTE router which serves as a backup. Right now we still have to manually unplug the DSL router and plug in the LTE router which can cause quite a lot of downtime. In addition to that we use VOIP which is not integrated into our router, but managed by another hardware. This often results in a bad voice quality as the VOIP traffic is not being prioritized. So question 1: Is is possible to use the dsl router as the main router and the lte router as the backup and have this setup managed by pfSense? Can port forwarding, VPN and so on be managed by the pfSense or does it have to be configured in the dsl/lte router? Question 2: Is QoS management possible via the pfSense? Or do the other two routers "block" this feature? Any help is greatly appreciated! Answer on question 1: Yes you can do that. But my question is which one is more stable internet, the DSL or LTE? if LTE is more stable connection, you can setup route based policy to route all voice traffic to LTE then the rest of network will be going to DSL. This is a very common setup for multi-wan. I also have similar setup where I have 3 ISP, one dedicated for guest and NAS and one is used by Voip and the rest of them is for data. Answer question 2: you don't need QoS if you can setup like I mentioned on question 1 properly. The only QoS will be needed if you are using same internet for voice and data.

Sorry, the 192.168.1.0/24 subnet now passes traffic after I added the static route, but is not resolving DNS. So, if you're a client on 192.168.1.0/24, no DNS resolution. I tried putting PF Sense as the DNS IP (10.10.1.1) and also directly to the DNS provider and no luck. I'm still experimenting with this so I'll get back to you before I ask it again. I made a rule to tag DNS pass traffic on that interface to see if it's getting to PF via log checking. Will post when I see what's up.

In a nutshell a default gateway is the gateway used to try when there is no more specific route to get there.  But with GruensFroeschli here a bit of rephrasing or some more context would be needed to help you answer your question.

Generally, you set the lan outbound rule to use a failover group, but the firewall itself does not. This is usually not a problem, but there is a setting under advanced, misc. to allow gateway switching.

Thanks I have got it working now. One of my colleagues set the VLAN id to 2 without telling me so I had to make sure everything matched up - added some static routes and it's working now. Cheers.

Thank you for the response. I'll move forward with that solution. I'm sure I'll learn something in the process. Cheers.

That's what I was afraid of. I guess I was just hoping there would be some way to "trick" it, like with a virtual IP, or something.  :-\ In that case, let me share one of the reasons for trying to do this: Currently, there are dozens of NAT rules and associated Firewall rules on the 'WAN' interface to allow the general public access to web-facing servers and applications. Users on this VLAN should also have access to the same web-facing servers and applications, but not other servers on the production VLAN (such as database servers, backup servers, etc.).  Anyway to accomplish this without manually duplicating each rule from the 'WAN' interface to the 'VLAN' interface's firewall rule tab? Thanks!

Go to Firewall rules under initiating interface. Then put in add a firewall rule with following: Interface: current interface that has, let's call it LAN1 Protocol: TCP Source: any, or you could specify LAN1 addresses, or LAN1 network Destination: any IP address, going to HTTP, port 80 to HTTP, port 80 Here's the trick now, go to Extra Options by clicking it. Some new info will pop down Then go to Gateway and choose WAN2 for the pull down. This is called policy routing. It's routing by rule, vs. routing by routes. This is not normally newbie recommended because you can really mess things up, but as long as you know what you're getting into, and how to undo it you should be ok. You'll have to do this for 443 (SSL). No put those two high up in the list of rules. Next, do one more rule near bottom and do the same thing but do any, any, and on extra options choose wan1 as the gateway. I hope I explained that right, and please others jump in if I'm telling him something completely wrong. I've used this in that past to route to different VPNs from certain devices. thanks

Found this had already been answered in "floating rules to switch gateway" here: https://forum.pfsense.org/index.php?topic=139752.0