So i just tried something and it seems to work. not sure if i was suppose to create a em0 interface when i created my pfsense router. 1. Go to Interface -> assign 2. assign em0 as only one with a vlan exist on WAN 3. enable the interface em0 4. go to Firewall rules and select the em0 tab 5. create a rule to block all traffic. [image: WAN_interface_4.png] [image: WAN_interface_4.png_thumb]

Yes, you're right it's asymetrical. It's working now but we'll upgrade the pfsense with some NICs later… Thanks again.

Because, as you are finding out, the servers need to know how to route the different traffic. They can't just have a default gateway. You end up with asymmetric routing, hairpinning, NAT reflection, etc. Yes. That looks much, much better. Note that the web server no longer has any routing decisions to make. It just sends everything to the inside firewall and it makes all those decisions for it.

cool cool johnpoz his internet plan is same as mine. 250down/25up comcast said needs biz account for another ip address.. he did get an F with bufferfloat was I fixed with traffic sharper.. i just get the unifi hd 4x4 for my house well 2 of them.. i was hyped… but I'm happy...only around 700USD.. LOL...  replaced my ac pro 3x3.. single story 2100 sq all my kids are happy...

As a workaround you may set up an SNAT rule for the AP. Maybe that's what also the USG did. I've seen this also on a Fortigate.

Yes, you need a route on the client, but not static. The OpenVPN server can push the route to the client after the connection is established, when connection is closed the route is deleted again. To set this up go to the server settings and check "Redirect gateway". Ensure that there is an outbound NAT rule for the vpn tunnel subnet in place on pfSense with NAT address = WAN address.

Awesome! Thank you for your help! Now I just have to find out the IP Adresses for Steam and I'm fine :)

Yes. You can have VLANs on WAN going to an outside switch to two or more different providers. pfSense: vlan 100 vlan 101 Switch: tagged port vlans 100 and 101 to pfsense, untagged 100 to ISP 1 modem, untagged 101 port to ISP 2 modem. It will be functionally equivalent to having two different WAN interfaces. You will have to understand that powering off and on one of the modems won't trigger a DHCP renewal event on pfSense because the port will not go down from its perspective. You might have to release renew manually, etc, if that ever arises.

Ping works fine claims it's up but it is qos limited normally 14mbps now 0.5 Mbps

That would depend on the isp sure.. I know you can get a lowend vps for your vpn connection for like $15 a year..

That'll probably break your users' firewalls. If they send packets to xxx.xxx.xxx.xx1 and get a response from xxx.xxx.xxx.xx2, firewalls will block the response packet. Sounds like you need a CDN service or similar. I don't think pfSense can help you here.