• Accessing Different LAN networks with router

    5
    0 Votes
    5 Posts
    512 Views
    johnpozJ
    Did you change to a transit.. If not just routing to your downstream does not remove your asymmetrical issues when you talk to devices on your 172.16 network.. /21 huge freaking network.. You have 2000 some devices on this network? ;)
  • PFSense HTTPs LoadBalancer always gets timeout when accessing site

    1
    0 Votes
    1 Posts
    276 Views
    No one has replied
  • Trouble Routing traffic between servers on two physical LANs(Interfaces)

    3
    0 Votes
    3 Posts
    415 Views
    johnpozJ
    Pfsense will automatically route between networks be physical interfaces or vlans..  The only thing you have to do is create firewall rules on the optX interfaces you bring up.. You seem to be creating rules on your lan for these other networks??  What rules did you put on the other networks interfaces? Post pictures btw of your rules - so much easier to read ;) Rules are evaluated as the traffic enters an interface from the network towards pfsense. First rule to trigger wins. No other rules are evaluated. If no rules trigger then deny (default not shown deny rule). I would suggest while you test you just create any any rule on your new network interfaces.  Then start restricting traffic, etc. Keep in mind that hosts can be running their own local firewall.. Windows out of the box for example if on 192.168.1/24 would not allow access from 192.168.2/24… So while you can route and allow the traffic on pfsense - you still may need to config any local firewall rules you're running to allow the access from these other networks. Your IP cameras -- do they have gateway set?  Are they dhcp or static?  If a device does not talk back to pfsense as its gateway to get off its local network, then no you would not be able to talk to it from another network - it would not have internet access, etc.
  • Vmware ESXI 5.5 home lab

    Locked
    13
    0 Votes
    13 Posts
    1k Views
    jimpJ
    1. You can still use the native client against 6.5, but you can't set some of the new hardware versions. NBD, really. You can use the built-in web interface if you need to do that, which is getting better each iteration. 2. Not true, you can use the same ESXi free license key on multiple instances of the same version. Only real limits are CPU sockets and lacking the fancy paid features like powercli, vmotion, etc. If there are costs associated with updating, perhaps, but that's par for the course if you want to keep using a paid version. You can't just pay once and use it forever, you have to keep the license up, hardware current, etc. If it's not supported, there's a reason. It's EOL in some way. It may function, but it's a problem waiting to happen. We've really gotten off the track of the OP though, but you are spreading misinformation. If you want to run it that way in an unsupported and potentially insecure/unstable manner, feel free, but do not advocate others follow in your misguided path.
  • 2 WANs and 2 LANs

    9
    0 Votes
    9 Posts
    1k Views
    C
    @Derelict: So it is really one service and all you want to do is make one LAN egress out one IP address and the other out another? Yes, a VIP is much easier for that than two different WANs. Especially if it's not really two different WANs. Just get a /29 from them instead and outbound NAT one subnet source out the interface address and the other subnet source out a VIP. Ya I think that is what I am going to do, especially because then I can have some extra IPs for DMZ's. The sales department was closed so have to get with them tomorrow, he told me we can provision this for now, and then if you want we can just up it to a /29 tomorrow.
  • No routing between internal networks with multi-wan?

    3
    0 Votes
    3 Posts
    458 Views
    DerelictD
    Bypassing policy routing is a known requirement in that case. It is not a bug nor a problem. https://doc.pfsense.org/index.php/Bypassing_Policy_Routing It sounds like what you have done should suffice. If it still does not work you are probably going to actually post what you have done so we can see where you went wrong. Keep in mind that rule changes do not affect existing states. Make your changes and clear states to be sure.
  • Considering Netgate to replace Zyxel - configuration question

    3
    0 Votes
    3 Posts
    447 Views
    T
    Thanks Chris.  That's what I thought.  Looks like it's the 4-port firewall for me. Have any jokes about TCP?  I'm sure I would get those.
  • Multiple LAN routing trusted to untrusted?

    2
    0 Votes
    2 Posts
    354 Views
    V
    Such a setup is a basic feature of pfSense. pfSense filters the traffic usually on that interface where it comes in. So you would have filter rules on both LANs which allow any to any for internet access (default rule on LAN). Now you have only to set a block rule with destination = trusted LAN network on the top of the untrusted LAN rule set.
  • Pace 5268AC with AT&T and Pfsense (Co-Existence) - Make it work

    2
    0 Votes
    2 Posts
    3k Views
    A
    Dureal99d - Does this create a double NAT situation, or any issues with port forwarding from PFsense to internal Servers?
  • Routing between interfaces.

    10
    0 Votes
    10 Posts
    2k Views
    Z
    Hi. This is sorted.. it appears my son had a route in his NAS that was sending all traffic mouth over his PIA VPN.. He's now added a route for 192.168.1.0/24 back to the pfSense box and I can now access it fine from my LOAN PC. Thanks for your help.
  • Simple multi wan setup, managing what host uses what wan

    1
    0 Votes
    1 Posts
    306 Views
    No one has replied
  • Firewall not Routing Traffic

    7
    0 Votes
    7 Posts
    977 Views
    R
    @viragomann: There are only three things left to check: The network settings on clients and on pfSense (DHCP if used). Ensure that the network mask is set correctly and that the gateway is the pfSense LAN address. The firewall rules. But if you haven't changed anything there should still exist the default allow any-to-any rule on LAN. The outbound NAT. But in default settings, it should work also. There should exist a rule with source = LAN network and translation = WAN address. If that doesn't help you can check the routes on the client and run packet capture on pfSense to find out if packets destined for a web address arrive on the LAN interface. Triple checked and all looks good.  A clean install using default settings should work right out of the gate, but for some reason doesn't.  I guess pfSense simply doesn't like this box for whatever reason.  Just odd that the firewall itself can reach the internet and not a single client can do the same.
  • Multi wan on 1 ethernet card one port

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
  • MultiWan on VLAN and Subnets

    2
    0 Votes
    2 Posts
    519 Views
    DerelictD
    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • CARP, MultiWAN, L2TP/PPP Interface

    3
    0 Votes
    3 Posts
    432 Views
    B
    Nobody?
  • Advice on multi nic setup

    2
    0 Votes
    2 Posts
    977 Views
    johnpozJ
    Bring your interface up on pfsense, give it a network that does not overlap your lan network.  Are you really using a /16 on your lan??  Seems bit much.. So let's say create 192.168.10/24 on your other interface (opt1) and you call this wifi or something. Then connect your AP to this interface.. If you want other ssids to be on different vlans.  Then you would create vlans on pfsense, assign them to the interface (em2?)  Then on your AP create the other SSIDs using the same vlan ID, let's call it 100 that you used when you created the pfsense vlan. That really is all there is to it.  Other than creating rules on your opt and any vlan interfaces that allow the traffic you want.  And enabling dhcp on the interface and vlan interfaces as you see fit. Why would you try creating a bridge?  You would have ZERO reason to do this, and if you wanted your AP or specific ssid of your AP to be on your lan network then connect your AP to your switch..
  • VPN NOT WORKING

    2
    0 Votes
    2 Posts
    462 Views
    jimpJ
    How exactly did you set up OpenVPN? The logs are cut off so I can't see it all, but it looks like it's saying the OpenVPN server is not using a Server Certificate ("unsupported certificate purpose")
  • Dual WAN and destination website routing

    2
    0 Votes
    2 Posts
    355 Views
    F
    Anyone? :)
  • MULTI-WAN HA Bandwidth Usage happening only on one WAN

    11
    0 Votes
    11 Posts
    778 Views
    K
    I do have natted ip routed only to WAN2 … and all personal devices too routed to WAN2 .... and the rest to WAN1+WAN2 .... I just finished adding a failover to WAN group .... so now VLAN 3 to 23 are on MULTIWAN and VLAN24 to 62 are on WAN2 hopefully this will increase the utilization on WAN2 .... LAN GROUP 1 = VLAN3 to 23 = MULTIWAN LAN GROUP2 = VLAN24 to 62 = WAN2 (FAILOVER ENABLED) and regarding services we have unbound and snort packages running on our pfsense ....
  • PfSense WAN access via VLAN

    6
    0 Votes
    6 Posts
    2k Views
    J
    It works! I removed the port group (VLAN ID1) in VMware. And I had to apply the VLAN configuration on port 2. https://ibb.co/mybBuk Thanks for your help!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.