Dear all . .. Its works for me . It was my mistake to give proper name to my router as same as a.example.com . Thank you all 44 Mems read this post

Pfsense shines as your edge router/firewall - if it couldn't route public or was something you shouldn't do pfsense would be pretty freaking useless ;)

pfsense out of the box does not use forwarding.. So you changed to using the forwarder?  Or have unbound in forward mode - where are you forwarding? Can pfsense lookup stuff?  ie use the diag, dns lookup. Can clients query pfsense dns for say pfsense fqdn?  If using unbound and your coming from downstream networks you will most likely have to adjust the ACLs to allow for the downstream networks.  If using the unbound auto rules it prob only added your local lan network to the ACL..

Thank you very much, it's work !  :)

So are you natting because you state those are public IP.. If you want to hit the rfc1918 on that other box you would need to have a tunnel vs just a forward from the public. So what vpn did you bring up.  What tunnel network did you use?  Where is your routing table?

I would think that unbound able to use outgoing your wans should all you should need.

In the process of resolving the issue they recommended the bridge configuration and reconfigured the firewall for me. I find it quite hard to believe that the bridge was recommended. Maybe fixed so it worked, but not recommended. On what interface did you make the VLANs? I do not find it hard to believe that it's that bridge getting in the way somehow. I would get rid of it. This is much easier-done from an interface that is NOT a member of the bridge as it is trivial to lock yourself out playing around with Layer 2 there. I would: In the Web GUI got to Interfaces > (assign), Bridges Edit the bridge. Remove the interface corresponding to igb3 from the bridge. Edit the igb4 interface, Enable it, set an IP address in some throwaway IP network. Add a pass any any firewall rule there Statically configure your management laptop on the same network and directly-connect it to igb4. Log into the web gui there. Patch the LAN into igb2 instead Go to Interfaces > (assign), Bridges Edit the bridge. Remove the interface corresponding to igb1 from the bridge. Go to Interfaces > (assign) Change the assignment for LAN from BRIDGE0 to igb0. Patch LAN from igb2 back to igb0. You should now be off the bridge interface. Connect back to your LAN switch and you should get DHCP, etc if configured and log into the web gui there. Go to Interfaces > (assign), Bridges and delete the bridge and bid it a hearty good riddance. Lots of possibilities for lockout and downtime so you probably want to do this in a maintenance window. One of several reasons bridging router interfaces like that is undesirable.

So you have user in Vlan A doing a copy from vlan B to vlan C.. With a copy paste highlight file in B and paste on machine in C.. So yeah all those copies go through PC on vlan A.. Through multiple hairpins..  Not going to be good.. Talk about a hairpin nightmare.. your flowing all the traffic through pfsense multiple times, and the pc multiple times all over the same interfaces.. If they need to move a file from B to C.. Then rdp to B or C and copy or paste the file directly - don't have it flow through the PC on A..  Is that better??  Either way that many vlans that all do intervlan traffic using 1 interface is going to be horrible..  Hope your devices are all set to use 10mbps and your trunk is gig.. [image: trafficflow.png] [image: trafficflow.png_thumb]

No worries, the progress remains firmly undisturbed by any complaints here or elsewhere.  ;D ::)

@Fabio72: For the first problem, check dns. In my case the pfsense resolver was unable to work on the backup WAN. The solution should be activate default gateway switching OR set dns resolver in forwarding mode. That's because you set policy routing for LAN but pfsense itself does not follow the LAN rules. Howtos are not so clear because there's a mix of older and newer approaches to multiwan. Thanks, that actually solved the first problem, now the second problem still remains

Your first page shows that link to 192.168.0/24 is via bge0, your next posts shows its out your vpn connection ovpnc1 So if you need to go out ovpnc1 to get there, and you have it on your bge0 which looks to have a 10.20.61/24 network on it - then yeah its not going to work. [image: differentroutes.png] [image: differentroutes.png_thumb]

State Killing on Gateway Failure Flush all states when a gateway goes down The monitoring process will flush all states when a gateway goes down if this box is checked. The problem I have with this is when one gateway goes down ALL states on ALL gateways are killed. Like I said I have a primary WAN that is fiber and an unreliable Comcast connection as secondary. When this option is enabled and the Comcast connection goes down the calls going through the primary connection drop.

I've determined I needed to do this with VLANS.  Here is an excellent reference that really help me get things configured.

I got it working for now. Thanks guys. Working on firewall rules at this time.