i just wasted an hour after setting up gateway groups wondering why NAT reflection broke… i strongly suggest this side effect should be mentioned in the pfsense book - which i didnt find or overlooked.

Start by updating to the latest stable version. (read the upgrade notes)

roundrobin

Yes you can! Create a Rule In a Firewall > rules > Lan, you can specify a gateway in Advanced Options from a specific source (this should be the IPs statically mapped, of your roommates. Create an aliases IPs). Put this rule on top of the generic pass all in LAN.

I'll check for the asymmetrical, it would mean that the 10.20.0.250 GW is bypassed on the return traffic, why not … Messy my diagram, really? :( I've updated a new version showing up the physical links and couple of updates to make it clearer. I've got 3 physical NICs, 1 for the core, 1 for LAB A and 1 for LAB B. The ports are set to trunk mode with correct allowed VLANs. The slowness is from 10.20.0.250 (red line) or from 10.30.0.250 (yellow line), both LAB use the same configuration, it makes sense they have the same issue. LAB A and LAB B talk between each other using VLAN 101, when copying data this way (green line), I have no performance issue, it works well. There is static route set in pfsense LAB A for 172.16.30.0/24 to use the core gateway 10.20.0.254, the LAB A gateway is 10.20.0.250 (VLAN 200), same for LAB B (VLAN 300). LAB A and LAB B can't talk to each other though the core, I don't want it, it is only to give access to my Citrix sources. Hopefully it clarify the situation. [image: Pfsense_design_issue_slowness.jpg] [image: Pfsense_design_issue_slowness.jpg_thumb]

@kimkhan: 6. I have default gateway switching enabled in System/Advanced/Miscellaneous (If I don't have this checked the failover does not work) It would seem that this is the only setting needed to do what you and I are attempting to accomplish. If you don't use this, the more advanced way would be to use the gateway groups and not set the automatic gateway switching. Examples show gateway groups are necessary if you are looking to balance load across one more more WANs. So far, I have not been able to get this to work well regardless of using the default gateway enabled setting or using the numerous multi-wan setup instructions posted in this forum and all over the internet. Another issue I have noticed is when either WAN goes down or down and back up, the user experience is high latency to internet connections and the pfSense GUI becomes unresponsive or incredibly slow. Restarting the firewall or restarting PHP-FPM seems to restore normal operation until the next time one of the WAN connections bounces or goes down. It's been about two months since you posted this as a possible solution, I would be interested to know how it's working out for you not that some time has passed? Thanks, Markn455

Further testing shows that the 'flapping" of the satellite link really has little to do with it. Simple failover from WAN1 to WAN2 results in poor performance and loss of gui responsiveness. So far, I have not been able to get Multi-Wan failover to work properly. I have tried all the suggested configurations and even the most simple automatic gateway switching builtin to pfSense. If anyone has a working configure Dual WAN failover setup that works it would work. I don't even care about load balancing across the two WANs, just needing a failover configuration that actually works. I have tried the suggested configurations here and some on Youtube multiple times.

"Why would you be natting to internal rfc1918 networks?" Because I connect to a wireless network that I don't manage that uses rfc1918 IPs.  Each wireless node (router) in the network gets configured with a random 10.0.0.0/29 network address during initial setup on each node.  The routing for these nodes is managed with OLSR on the wireless network.  Pfsense apparently used to have a plugin for OLSR, but doesn't any longer and I cannot add routes for my internal LAN to OLSR.  Nodes can come and go without notification or coordination on this network, so I can't reasonably maintain an accurate static route list, so I have a generic static 10.0.0.0/8 route out to that network interface to cover all wireless networks.    I'm only allocated a /29 on the wireless network, and I provide services from multiple internal LAN IPs, so I have NAT configured so it only consumes one wireless IP.  This is on my OPT1 interface, and the IP and gateway are provided via DHCP from the wireless node. I'm open to suggestions for better ways to do this, but this is the only way I could see getting it to work with the restrictions I have. My internal LAN is 10.10.6.0/24.  This works fine because the LAN interface's /24 route is more specific than the wireless /8, so things route properly. The WAN port connects to my ISP, and is a 73.x.x.x/24 which is provided via DHCP from my cable modem. So to recap: To internet 73.x.x.1 (gateway)   | 73.x.x.x/24   WAN +–---------+ | pfsense    | LAN--10.10.6.1/24----To internal LAN +-----------+ OPT1 10.117.100.157/29   | 10.117.100.153 (gateway)   To a couple dozen or so random 10.x.x.x/29 networks routed by OLSR "Do you have both gateways you get via dhcp as "default"?"  "Post up your gateway section" The only gateway that is set default is the WAN (internet) side. This is from my /conf/config.xml file: <gateways><gateway_item><interface>opt1</interface>                         <gateway>dynamic</gateway>                         <name>MESH_NMT_DHCP</name>                         <weight>1</weight>                         <ipprotocol>inet</ipprotocol> <monitor_disable></monitor_disable></gateway_item>                 <gateway_item><interface>wan</interface>                         <gateway>dynamic</gateway>                         <name>WAN_DHCP</name>                         <weight>1</weight>                         <ipprotocol>inet</ipprotocol> <monitor_disable><defaultgw><latencyhigh>1500</latencyhigh>                         <losshigh>100</losshigh></defaultgw></monitor_disable></gateway_item>                 <gateway_item><interface>wan</interface>                         <gateway>dynamic</gateway>                         <name>WAN_DHCP6</name>                         <weight>1</weight>                         <ipprotocol>inet6</ipprotocol> <monitor_disable><defaultgw></defaultgw></monitor_disable></gateway_item></gateways> and just for info: <staticroutes><route><network>10.0.0.0/8</network>                         <gateway>MESH_NMT_DHCP</gateway></route></staticroutes> Normally netstat -nr shows this: Internet: Destination        Gateway            Flags      Netif Expire default            73.x.x.1        UGS        em0 10.0.0.0/8        10.117.100.153    UGS        em2 10.10.6.0/24      link#2            U          em1 10.10.6.1          link#2            UHS        lo0 10.117.100.152/29  link#3            U          em2 10.117.100.153    10.117.100.153    UGHS        em2 10.117.100.157    link#3            UHS        lo0 73.x.x.0/24    link#1            U          em0 73.x.x.x      link#1            UHS        lo0 75.75.75.75        73.x.x.1        UGHS        em0 75.75.76.76        73.x.x.1        UGHS        em0 127.0.0.1          link#8            UH          lo0 172.16.0.0/12      10.117.100.153    UGS        em2 When it goes bad I see this: Internet: Destination        Gateway            Flags      Netif Expire default            10.117.100.153    UGS        em2 10.0.0.0/8        10.117.100.153    UGS        em2 10.10.6.0/24      link#2            U          em1 10.10.6.1          link#2            UHS        lo0 10.117.100.152/29  link#3            U          em2 10.117.100.153    10.117.100.153    UGHS        em2 10.117.100.157    link#3            UHS        lo0 73.x.x.0/24    link#1            U          em0 73.x.x.x      link#1            UHS        lo0 75.75.75.75        73.x.x.1        UGHS        em0 75.75.76.76        73.x.x.1        UGHS        em0 127.0.0.1          link#8            UH          lo0 172.16.0.0/12      10.117.100.153    UGS        em2 I've looked through the various logs when the problem happens, and I don't see anything obviously wrong.  I've played with various values and ultimately disabled gateway monitoring to make sure that isn't causing the problem.

Just to be clear, you just want your mobile IPsec clients to be able to communicate with an endpoint device across an OpenVPN tunnel?  Or is there more to it then that?

is it possible to change default gateway from command shell ? the problem is: i have two different internet connections and i have to use Squid proxy. When i activate squid, it uses only default gateway. and i have to change active internet connection to other gateway at 7pm if there is an option to change default gw from command shell, i just add the command to cron and l'll solve the problem.

Post a network map.  Are you using a L2 switch trunked to PFsenseLAN or separate dumb switches? What does your log look like?  Are you seeing blocks?  If so, on what interfaces? The first thing I would do is add an any/any rule to every interface.  Second, disable the software firewall on your test endpoint devices until basic IP connectivity is established. At this point, you should have a route to all subnets (check your routing table) and an any/any rule on all your interfaces…. so you "should" be able to ping anything from anywhere.  If not, you would just need to start in with a troubleshooting progression.... e.g.... Verify connections.  Verify IP's and subnet masks.  Verify your DHCP server is handing out the correct default gateway.  Can the PC's ping the default gateway? Then, depending on your topology and equipment used... are the correct VLAN's tagged/untagged on the correct ports?  If you're using cisco gear and have an "allowed" statement configured... are the correct VLAN's allowed across the trunk?  Did you configure a custom native VLAN? Not that this is contributing to your main issue, but it appears you are using a mixture of tagged and untagged traffic on your network...  but what many do... is leave the LAN interface (parent interface) unconfigured and use all VLAN's.  Worth a shot if nothing else works.... but there are many questions that need answers first.

thank for your reply sir… my vlan200 is a new interface this is my lan rule IPv4*  lan.net  *  room3.net  *  *  none this is my vla200 rule IPv4*  vlan200.net  *  lan.net  *  *  none

Post a network map, so we can get a better visual of your topology. If you're adding a 2nd WAN interface, it shouldn't be conflicting with any LAN interfaces…. unless you're using public IP's on your LAN (which you shouldn't be) and they truly do conflict.... do they? Also, be sure to add an upstream gateway on the 2nd WAN interface or PFsense will consider it a LAN interface.

Sure, you can do "policy routing" meaning create Aliases with internal IPs of hosts and use LAN > WAN rules to route them through the gateways you like. Make sure those LAN rules to be above the main LAN > WAN rule. Best regards Kostas

It is possible as a stand-alone proxy, though not ideal. It can't act as a gateway, so whatever the actual gateway on the network is, it would have to forward traffic to the proxy. That or you'd have to add the proxy settings to user's PCs/Browsers/Devices directly and maybe setup WPAD. Same as any other stand-alone proxy. Basically you'd only be using it as a GUI for squid at that point.