It seems like Sticky Connections fixed the problem. Thanks.

I still have problem with this issue. I have two interfaces for multiWAN with two gateways: Interface wan Gateway for VDSL   Interface opt1 Gateway for LTE I can not uncheck "Default Gateway This will select the above gateway as the default gateway" on System>Routing>Gateways. I can only change default from one gateway to the other gateway. There is always a gateway selected as default. I think this influences traffic flow. Default gateway has significantly more traffic than non-default. I would like to have 50/50. Each gateways takes half load. In "System>Routing>Gateway Groups" is group "LoadBalancing". Both gateways in this group have same tier 1. Weight for both gateways is "1". I think since some updates ago there is now always a default gway. This wasn't before. Must there be a "default gateway" in multiWAN? Why? How to change this? Rgds AW

@jahonix: On which VLANs does that happen? i don't know, that a maybe can get discovered with wireshark. butt i can't have any vlan switching apart from one switch.  or i gonna need to buy a few new switches. @5E: Just bridge the lan with the wan port not an option i need the router (dhcp/NAT) function from the pfsense, i have a separate dns server running. i used to have a linksys router (cisco time) and then i had 1 lan port in bridge to the wan, butt that's not possible anymore. i got a tip for using a static dhcp for that mac address, and then a custom firewall rule, maybe is that an option. my network setup modem only -> pfSense -> unmanaged switch (8 ports) -> 3 pc's, 1 printer, 2 digicorders                                             |-> lite managed switch (24 ports) -> servers                                                           |-> unmanaged switch (16 ports)-> 2 pc's, printer, digicorder, ps3

This is working now! I needed to add mssfix 1300 to both ends of the ovpn tunnel, and i forgot to put a default GW for the secondary internet connection the ovpn tunnel was running over. I am able to tracert from "8.8.8.5" with gw 8.8.8.1 at SiteA and it goes through the ovpn tunnel and out the WAN at SiteB. great success thanks for all the help.

Hi, Did you ever found a solution? i'm in a similar situation. But no change to keep the digicorder before the pfsense. There are 2 mac address 1 for the internal network 192.168.x.x and 1 for the telenet 10.x.x.x But i don't know how to filter on only mac for passing through those packets. If it's even possible. Greetz Tiniduske

What works very good what you stated what you had /29 that you were connected too - no networks routed to you from your statements.

@jahonix: Basically you made Opt another WAN. What's up with your WAN on re0, why don't you use that? Its Correct, but I have 4 internet connection all via router(one in bridge mode) and all router connect to unmanaged switch, now to route through bridge router, I have to define gateway on WAN, and PPPoe over WAN, so I did that way if you or any one have other idea, please share, Always ready to learn new things Pardon my delay reply

I'm trying to do something sort of similar. Ill post a new topic maybe itll help.

Ah well if you have a L3 switch (router) downstream then pfsense should be connected to this router (L3 switch doing rouing) via a transit network.. Otherwise your going to have all kinds of asymmetrical issues.  BTW you didn't list your downstream router in your drawing and still use of /32 on your interface is going to be an issue as well.  You would want to use the correct mask for whatever your transit is - common would be say a /30 Then your also going to have to make sure your rules on your transit interface allow for the downstream networks, and you're also going to have to make sure your outbound nat is setup to nat the downstream networks. This has been coming up a bit lately.. If I find the time I will put together a wiki article on setting up downstream routers.. I thought I just did a thread about this.. Let look if I can find it. edit: Here is the one of the threads where went over the problem asymmetrical, and talked about downstream.. there have been others but I found this one first https://forum.pfsense.org/index.php?topic=105825.15 Derelict put together a nice drawing even in that thread. [image: index.php?action=dlattach;topic=105825.0;attach=75014;image]

Create four interfaces, assign interface addresses to them, and put the appropriate firewall rules on them.

Yeah, the VLANs on the consumer stuff failed hardcore with what I wanted. So basically what I'm trying to do is this: the different networks are physically separated. In other words, the AP for the home network runs just that network, and the AP for the guest network runs only that network. So lets say the home network would be LAN1 - all the APs and switches connected to this are only for the home network, which means full access to everything on this network as well as to WAN and OPT1 which is connected to the guest AP which runs only 1 SSID for the guest network and has no other physical connections, it also needs to connect to WAN But I don't want LAN1 to be able to talk to OPT1 at all.

The reason is, if i would just connect it with switch, they would randomly get IP from the dhcpd on the left, and that would make them use internet connection from there. I would like to avoid that. Right now lease time is 24 hours. But i want it to be working when error occurs even, if i will be away for a month and something will get broken.

Thank you! It works.

@johnpoz: Derelict – I said the same freaking thing before him ;) "If the boxes are pointing to pfsense as their gateway" My bad that I let the technician configured the boxes and did not check them thoroughly as the location of the boxes are too far apart from the control room … SORRY!

Hey Phatsa, Did you figure out the configuration? We would like to do something similar – slightly different reason. We want to have two companies on one ISP connection and one pfSense box that will do traffic shaping.

Since your WAN interface is in a private network range, check if you have deactivated the "Block private networks" option in the WAN interface settings?

Thank's a lot! Your advice has resolved my problem.

" Hardly "moronic" to want to avoid that." Sorry but yeah… If you want HA then setup carp.. With you using each dept with their own ISP.. They all still have a single point of failure.. Your not leveraging the different connections for any sort of failover or ha setup.. You currently are using CARP with HA setup..  What the OP is asking for is stupid.. doesn't even have a smart switch, etc.