It looks like bug 7719 which is fixed in 2.4.0 looks like it finally solves Dynamic DNS. It looks like it was an issue with gateway groups. https://redmine.pfsense.org/issues/7719 I will be testing as soon as 2.4.0 is released and I'll report my findings!

@johnpoz: In single mode your not pointing towards a gateway…  Or the only gateway you can to go is where your trying to go.. If you were load balancing, and it tried to go out the wan2 wan when your trying to talk to wan1 then not going to work is it ;) Perfect, thank you. Appreciate the help!

More than happy to throw my advice at you, if there was an actual drawing of your network with enough details so wouldn't be guessing.  For example you mention hsrp - no where previous did that come up.. So your 3560 is actually a stack?  Are you going to run a lag to this stack so you have 1 physical connection to each switch in the stack.  Is there some other switch between pfsense and that?  Are you going to run pfsense in a carp setup? If you would draw out your current network with enough details, then could make suggestions on what I would change, etc..

"so i could have 192.168.7.0/24 and X.X.X.48/29 on the lan side " Not sure where your coming up with the 192.168.7 but sure you could use that on our local lan side along with your x.x.x.48/29 just on on the same network.. So 192.168.7 could be your lan, and .48/29 could be on an opt or a vlan..

First, it's time to upgrade your pfSense! 2.2.6 is pretty old, and one of the best things to come in 2.3+ was that apinger (gateway monitoring daemon) was replaced by dpinger – which is infinitely more reliable. Anyone who's been using pfSense for more than a couple of years will remember with much angst the nightmare of wrestling with apinger. Once you've done that, I highly suggest you read https://doc.pfsense.org/index.php/Multi-WAN#Optional_Tweaks and experiment with the latency & loss thresholds. The messages about IPSEC/OpenVPN/Dyndns are not important and do not indicate any problem. They are just basically debug messages from code paths that, in your case, are not being hit. Good luck. If you need more specific help feel free to come back and ask.

Not quite enough info there to help you… can you post a screenshot of the rules on your LAN interface? Rules are processed in order from top to bottom, so make sure you put any policy-based routing rules ABOVE your last "default" rule otherwise it will never get hit... Generally, make sure you leave "source port" blank - 99% of the time source ports are random and you should only be concerned w/ Dest. port. Did you change anything on the Firewall > NAT > Outbound page? (you should leave that on 'Automatic' until you understand it fully)

"can you explain from where the gateway 192.168.9.253 and 192.168.2.253 comes from" As I told you already - those were my wan_dhcp gateways in the downstream pf1 and 2 I setup.. That is just my internet in my setup to mimic yours.  Here is a drawing.. "Both firewall communicate each other but can not access Internet." Who can not access internet, can your 2 networks talk to each other? 192.168.0 and 192.168.10?  Did you mess with outbound nat?  When you create your downstream route it should automatic create your outbound nat for you. Your going to have to post your setup if you want me to spot what your doing wrong.  How is it showing online when shows NO interface or connection just "NONE"  How does your wan have a 0.0ms response time?? [image: setupsimyoursetup.png] [image: setupsimyoursetup.png_thumb]

Policy routing Will do that. (specifying a gateway on a fwrule)

Sorry for the belated reply. The answer is not specific and definitive. It appears that FreeBSD is more stringent on the rules it will accept for routing than is NanoBSD. Look at the way your routes and gateways function.

Well static lags generally only detect link up/down AFAIK. Then you have more modern stuff like LACP. its a bit more intelligent: https://www.thomas-krenn.com/en/wiki/Link_Aggregation_and_LACP_basics When multiple switches are involved you probably want STP (or brandspecific alternative) https://en.m.wikipedia.org/wiki/Spanning_Tree_Protocol

pfSense Multi-WAN does not care if they are VLANs or physical interfaces. It works the same way.

:-[ Unfortunately I had another one today, 8 out of the 12 processors where going berserk on the interrupts, while there was only 20Mb/s and between 2000 and 5000 pps.

Hi, Generally speaking, your pfSense box is placed in between your work (1.x) and other (2.x) networks which appears to be acting as a firewall/router. If you want to continue with a configuration like this, you'll need to do some NAT/Port forwarding AND firewall rules to allow the 1.x network to be able to talk to the specific 2.x network hosts in terms of what ports (i.e.: 443, 80, 22, etc) and protocols (icmp, tcp, udp, etc). You'd then access the pfSense box's WAN address on the 1.x network and define which port you want to access, which translates over to the proper host on the 2.x via NAT/port forward with some configuration on the pfSense box. As a side note, you may be able to disable NAT on the WAN interface (1.x) of the pfSense box and then you'd only need to do firewalling. I have never done this before but seems simple in concept. A cleaner configuration would be to have the pfsense box with multiple network adapters (minimum of 3 in your configuration) which segregates these networks using pfSense, (but using a single box for LAN1, LAN2, WAN, etc),  LAN1 could be the 1.x and LAN2 could be the 2.x. Then you would only need fire walling rules and not also inbound NAT rules/port forwarding. There's some other settings to be applied with outbound NAT i believe but the auto-generated outbound NAT should suffice out of the box in this scenario. Hope this helps give you some direction on how you want to approach the problem without writing a book. @WillieBeamen: Hi. I need some help, and I think the answer is simple, but I'm not very experienced with routing and networking, so I need some noob-friendly help, or pointers to some threads that might help. I use an internet anonymizing service (PIA (Private Internet Access) if that helps).  I have 8 PCs (towers and some laptops) in my home, some for work, some for leisure, some just for Netflix, streaming.  I am trying to set up a system so that 1-3 devices stay fully anon (behind the PIA servers) when surfing the internet, but can still share folders / files between the other PCs in my home network (which are not utilizing any anonymizing services at all). Following the guides provided by PIA I was able to successfully install pfsense to a single tower PC (1 Realtek NIC (embedded) + 1 4-port HP gigabit NIC (PIC-e slot))  and configure OpvenVP services for PIA access.  Amazingly, I got it up and running, but now I have a problem. Here's my situation at the moment. My 'work' PCs are all plugged straight into my home router and are using 192.168.1.xxx These do not (nor will ever) use or need to access PIA's services. My pfsense Box (which is configured with PIA/OpenVPN (anonymizing traffic)  is configured to use the 192.168.1.xxx gateway, but the LAN address is 192.168.2.xxx so here's my problem. Any PC on 192.168.1.x can't see / share files with any PC on the 192.168.2.x domain. Is there a way to get devices on 192.168.1.x  to see the devices on 192.168.2.x ? Or am I going about this all wrong? apologies in advance, I'm a noob at this, I'm honestly surprised that I was able to even get my pfsense box setup and working with PIA. Everything would be great, except I can no longer share files between the two domains. Any (noob friendly) help would be very greatly appreciated. edited to add: on the box running OpenVPN: pfsense:  running 2.3.4-Release-p1 (amd64) WAN:  is being assigned a gateway from 192.168.1.xxx LAN:  192.168.2.xxx

He changed his post from his original question..  Yes what he asked now is easy peasy..

Like the Chinese say: those who say it cannot be done should not interrupt the one already doing it.