Look under Firewall - Virtual IP. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses Usually IP Alias is what you want.

You can use aliases for this. Firewall > Aliases > IP. Add an alias, call it e.g. DirectToWAN and add the ranges 192.168.1.10-192.168.1.50 and 192.168.1.100-192.168.1.254 to it. Add another one and call it e.g. DirectToVPN and add the range 192.168.1.50-192.168.1.99. Use these aliases for sources (single host or alias) in your firewall rules.

pfSense deals with static IP addresses just fine. Maybe you did not properly program a default gateway on your switch? A switch in layer 2 mode is usually managed by the address on its management VLAN. Set its default gateway to the pfSense interface address on the same VLAN.

Got it.  Turns out Watchguard distributes its global DNS server addresses to all DHCP clients, even if you have others configured on that interface.  I just left the global ones blank and configured them on a per-interface basis.  Thank you so much for your help!

I have this exact setup, and the same logging issue. A Pace 5268AC router on AT&T Gigapower on a Netgate 2440 with pfSense 2.3.2. I am setting the AT&T router in DMZPlus mode, which passes all traffic to the selected internal device (in my case pfSense 2440). This makes the DHCP server in the AT&T router assigns the WAN port of the 2440 the public internet IP from the AT&T router (oddly enough). As mentioned by the OP, this is causing this system log error in pfSense: arp: xx:xx:xx:xx:xx:xx is using my IP address n.n.n.n on igb0! xx:xx:xx:xx:xx:xx is the arp address of the lan port on the AT&T router, and n.n.n.n is the public internet IP. Its passing traffic fine in this configuration. I guess I can also understand why the error would get logged, but would love to understand how this setup works, and if I should be concerned enough to change it. The goal with the setup is to put the AT&T router into as a close of a bridge mode as I can. .

Thank you! I thought there had to be something intrinsically wrong with making those parallel connections. I could see the scrolling errors on the bridge interface after making just the second connection. Glad someone smarter than me could talk me down. Thanks again!

Dpinger results are based on the average of all probes within the time period (default 60 seconds). Dpinger itself only has one set of thresholds for latency/loss, which are generated from the "high" thresholds in the UI. These are used to determine gateway down types of situations (errors). The warning state is based on the "low" threshold values, and is determined by the higher level logic when it polls for current latency/loss values.

I already added the rule(s) on my LAN Interface… I configured the advanced options under gateway settings but it still doesn't work...

if you force a gateway, be it default or a group or whatever.. You have to allow rules above that if you want your clients to talk to other networks off pfsense that are not reachable through that gateway your forcing traffic through.  Is that simple!

No double NAT as NAT only takes place on the pfSense router. Assuming you've purchased a Ubiquity access-point, you'll need to do this :- pfSense Create a VLAN per subnet via Interfaces -> VLANs and tag each one with a different number. Assign the interface and give it a meaningful name. Apply IP addresses to the interface. Switch Create the VLANs on the switch using the same VLAN tag numbers Create a trunk port containing all the VLANs you want to pass from the router to the switch, also do this if you're connecting another switch to the switch that connects to the pfSense router, untagged PVID & tagged. My pfSense box connects to GE1, the ap GE2 and another switch to GE8 via an ethernet over power gizmo. Configure the trunk port that the AP connects to it carries the VLANs you require, if you were only ever to use one subnet you could set it at an switch port untagged PVID but IMO its better to set it up as a trunk so you can add additional subnets if required ( up to 4 per Ubiquity AP group ) Unifi Controller Create the SSID/SSIDs you require via Settings -> Wireless Networks, click on Advanced Options, tick VLAN and put the VLAN ID in. AP Connect it the the switch port, its IP address needs to come from an untagged VLAN.            

"PIA"

you are right ! Thank you.

The attack is called bad tunnel I Have been in contact with VPN company's as all there windows servers (all versions of windows from W95 to W10) are getting a attack throw ports 135, 136, 137, 138, 139, 455, 500 but mainly port 137 dew to them running windows under windows 10 anniversary update. BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how  IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137) – all of which when lumped together make the network vulnerable to a BadTunnel attack. Here’s an attack scenario, as explained in Yu’s technical paper: 1.  Alice and Bob can be located anywhere on their network, and have firewall and NAT devices in-between, as long as Bob’s 137/UDP port is reachable by Alice. 2.  Bob closes 139 and 445 port, but listens on 137/UDP port. 3.  Alice is convinced to access a file URI or UNC path that points to Bob, and another hostname based URI such as “http://WPAD/x.jpg” or “http://FileServer/x.jpg”. Alice will send a NBNS NBSTAT query to Bob, and also send a NBNS NB query to the LAN broadcast address. 4.  If Bob blocks access to 139 and 445 port using a firewall, Alice will send a NBNS NBSTAT query after approximately 22 seconds. If Bob instead closed 139 and 445 port by disabling Server Windows service or NetBIOS over TCP/IP protocol, Alice do not need to wait for connection to time out before send the query. info taken from this page: https://goo.gl/OZnC9b Here is a google search if you want to read up on it more: https://goo.gl/ZTNH26

Thanks. I was misinterpreting this passage in the book: When a gateway has failed, by default pfSense will flush all states for connections using that gateway. That mechanism will force clients to reconnect, and in doing so they will use a gateway that is online instead of a gateway that is down. This currently only works one-way, meaning that it can move connections off of a failing gateway, but it cannot force them back if the original gateway comes back online. Didn't read that as only applying to existing connections. As long as new connections go by the currently favored gateway, I'm happy.

Thank you doktornotor, it worked for me. I cleaned all the gateways and rebooted and it worked.