Problem here is that I do not just need public IP's behind the firewall. For ip 1.2.3.4 there needs to be forwarding based on port 1, but there needs to be natting based on port 2 So just forwarding all packet destined for ip 1.2.3.4 is not going to work because I´m missing out on nat then for this very same ip. PS: Tried to take a screenshot, but even this cannot be pasted into a reply.

I see. Thanks

Well then there's no problem with that. (Would stronly suggest to exclude the servers from Squid.)

I've determined the cause of the issue - I had my Outbound NAT set to MANUAL, set it to Automatic to allow outbound requests to generate rules automatically (thread I found the solution on is below) https://forum.pfsense.org/index.php?topic=122354.0 Sorry for taking up the space!

Yes u could use a common transit for all your routers

@JKnott: cisco loopback0 for GRE tunnel is useful since it act as logical interface and GRE tunnel source could use loopback0 interface IP. How could I do that on pfsense? Any reason you can't use the standard 127.0.0.1 & ::1 loopbacks? logical interface IP is different than localhost IP, you can't use 127.0.0.1 on GRE tunnel setting.

@andipandi: WAN interface should have no leases at all? I don't see any error in the config you posted. You should check the subnet masks on your clients, they should be set to 255.255.255.0. Also, you should check your WiFi router, since this is the only interface that causes issues, perhaps it is that piece of hardware that has its own configuration wrong. Probably you can read some more from the firewall logs, they also tell you what traffic is blocked. If you just want LAN, LAN2 and WIFI_AP to be one large net, you could also just bridge them. (I think then you have to adjust the subnet mask again to include all nets.) I apologize for not enough a clear description of the problem. WAN, WAN2, WIFI interfaces receive leases from the ISP and operating normally. WIFI interface is Atheros AR2417 adapter. Subnet masks really 255.255.255.0. No additional WIFI router is not used, the access point is implemented by means of pfsense WIFI adapter Ralink RT2561S, if it is important. The firewall logs nothing about blocking packets from the LAN to WIFI_AP, which is strange. The experimental purposes, I tried to combine all three interfaces in a bridge, in this case, the problem disappears, but I need independent subnet. As I see it (maybe I'm wrong) the problem is in routing with WIFI_AP NIC. Thanks

FYI I also fixed the failover, it turns out when importing the config from the old firewall, some of the Virtual IP's got assigned to the wrong interface, which I think is why it was failing both when the primary went down. Reading the manual and understanding the basic theory is nothing like being thrown in the deep end with a real-world deployment, so I have learned a lot over the last 2 days.  Thanks again for your help.

DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well 1. Probably 2. Yes Your only option would be to use some public DNS, like Google ones, or PublicDNS. If you need to resolve some entries through ISP servers only, you can add them to unbound overrides.

I made a diagram to show the described scenario visually: [image: pf_Sense_forum.png]

Post screencaps of your NAT rules and your WAN firewall rules.  It could be many things, based on your short problem description.

Which parts of the network do you control? Don't want to stirr up the soup but three routers seems … optimizable. Are "WiFi Bridge" and "Router of the Bridge" separate devices and is anything else hanging off of the Bridge Router other than your pfSense?

Your gateway and monitor IPs are the same. If you change the monitor IP to something like google DNS or something you should get a representation of when the gateway is up or down from PF.