Hi Derelict, just wanted to let you know that I implemented your solution and it worked right away. Thank you very much! Andreas

Super. Thanks for your help.

Hello, I have managed to resolve the issue myself. For those, who stumble upen similar situraion, I only had to define a LAN rule to sent all traffic with the destination 94.0.0.0/8 through the VPN gateway. Kind regard, vrugaitis

Yes.

Scheduling a maintenance window and doing it right the first time is often the best way to go. Sometimes the dog needs to wag the tail, not the other way around.

I have no idea who your ISP is, but this FAQ might help:  http://www.dslreports.com/faq/16077 It talks about FIOS and their TV package.  In order to get all of the services to work with your TV, those devices need to be on the FIOS LAN.  How you get a second router or network working in this kind of environment is addressed in the above FAQ.  It might not apply 100% to your particular situation, but it does have some very well thought out approaches to solve the issue that may be helpful to you.

Difficult to say. Is the LAG LACP? Are any of the interfaces on pfSense or the switch logging any errors? Anything interesting in the system log? The log on the switch? There is certainly nothing known regarding intel NICs and LACP/LAG + VLANs.

Exactly the question I asked myself last night.  Not sure why the video wanted to go from auto to manual that I watched, but I'll know next time! Kevin

Yes, the Windows Firewall blocks access from other network segments by default.

Hi - If you're still having issues with openbgpd, give the most recent Quagga plugin a try - I wrote in manual support (meaning you have to generate a cisco-like text config or use the "vtysh" front-end for Quagga from the command line). We did away with openbgpd and are now using Quagga for all BGP needs with pfSense. -Tim

@JBNixx: Hi all, I've managed to get my ISP Router/Modem setup as a bridge. I would like to get the public IP from my ISP on the WAN interface of my PFSense box. My ISP uses IPoE to deliver public IPs. As i understand it DHCP on the PFSense WAN interface should be enough, but it doesn't seem to work. The IP just sits at 0.0.0.0. I've also tried spoofing the MAC address of the ISP router on the WAN interface of PFSense without any luck. If i take a packet dump on the WAN interface on PFSense i can see lots of ARP traffic on the external network. I can see the WAN gateway on the outside sending ARP packets and so on. So the connection is bridged, i just can't get an IP from my ISP. I see that PFSense is sending DHCP query packets, but not getting a reply. Maybe there is some other sort of security involved? Is there anything I've not thought about maybe? Thanks. that righ, I dont know, may be I thinking Is there anything I've not thought about maybe?

Did you change to a transit.. If not just routing to your downstream does not remove your asymmetrical issues when you talk to devices on your 172.16 network.. /21 huge freaking network.. You have 2000 some devices on this network? ;)

Pfsense will automatically route between networks be physical interfaces or vlans..  The only thing you have to do is create firewall rules on the optX interfaces you bring up.. You seem to be creating rules on your lan for these other networks??  What rules did you put on the other networks interfaces? Post pictures btw of your rules - so much easy to read ;) Rules are evaluated as the traffic enters and interface from the network towards pfsense. First rule to trigger wins No other rules are evaluated. If no rules trigger then deny (default not shown deny rule). I would suggest while you test you just create any any rule on your new network interfaces.  Then start restricting traffic, etc. Keep in mind that hosts can be running their own local firewall.. Windows out of the box for example if on 192.168.1/24 would not allow access from 192.168.2/24… So while you can route and allow the traffic on pfsense - you still may need to config any local firewall rules your running to allow the access from these other networks. Your IP cameras -- do they have gateway set?  Are they dhcp or static?  If a device does not talk back to pfsense as its gateway to get off its local network, then no you would not be able to talk to it from another network - it would not have internet access, etc.

@Derelict: So it is really one service and all you want to do is make one LAN egress out one IP address and the other out another? Yes, a VIP is much easier for that than two different WANs. Especially if it's not really two different WANs. Just get a /29 from them instead and outbound NAT one subnet source out the interface address and the other subnet source out a VIP. Ya I think that is what I am going to do, especially because then I can have some extra IPs for DMZ's. The sales department was closed to have to get with them tomorrow, he told me we can provision this for now, and then if you want we can just up it to a /29 tomorrow.

Bypassing policy routing is a known requirement in that case. It is not a bug nor a problem. https://doc.pfsense.org/index.php/Bypassing_Policy_Routing It sounds like that you have done should suffice. If it still does not work you are probably going to actually post what you have done so we can see where you went wrong. Keep in mind that rule changes do not affect existing states. Make your changes and clear states to be sure.

Thanks Chris.  That's what I though.  Looks like it's the 4-port firewall for me. Have any jokes about TCP?  I'm sure I would get those.

Such a setup is a basic feature of pfSense. pfSense filters the traffic usually on that interface where it comes in. So you would have filter rules on both LANs which allow any to any for internet access (default rule on LAN). Now you have only to set a block rule with destination = trusted LAN network on the top of the untrusted LAN rule set.