Put the Mikrotik in bridged mode only.  I have one downstream from my pfSense router and it's set up that way and works fine.  pfSense does the DHCP, DNS, NAT, etc.

I can say, that pfctl -i igb0 -k 192.168.65.0/24 is not working (not killing any states), if igb0 has ip not from 192.168.65.0/24 subnet. If it is WAN nic, it will have its own connections established as NAT states. There is several ways to solve that issue, but its stilll in test.

I figured it out. Thanks for all your help everyone  ;). If you want to know what was wrong or what I did send me a message.

@Derelict: Outbound NAT rules do not "point anything" anywhere. They do not route traffic. They determine what happens to the source address and port when traffic is already routed out that interface by the routing table, policy routing, etc. As in, "If the traffic source matches this, translate the source address and port like this on the way out this interface." If you are in manual outbound NAT mode it means just that: manual. You have to create all outbound NAT rules. Creating an interface will do nothing there. When going from auto NAt to manual Nat pfsense created all rules for me to see.  I'm just saying that after creating two new WAN interfaces and doing Auto NAT -> Manual Nat again, the new interfaces are not showing up automatically like all others did. I don't know if it is a bug, or if they do exist and by creating them manually I will be duplicating them because they simply are not visible (but exist) But thanks, you explained what I needed to know :)

Ok thanks

Son of a B. With the /24 this actually works.  No additional gateways. 1. Add virtual ip with /24 2. Add fw-rule src any, dst new.ip.add.ress type icmp/ping Test from the internet, you get an answer. Also tested to add the ip as a HAProxy ip, that works as well (need another fw-rule though).

states don't get killed when the main gets back online. new states should/will

You have a single network interface (LAN), with both gateways in the same network, accessible via the same interface. This does not do what you intend. For multi-wan you would expect multiple WAN interfaces and a seperate LAN interface like so: WAN1 X.X.X.1/28 gateway X.X.X.2 WAN2 Y.Y.Y.1/28 gateway Y.Y.Y.2 LAN 192.168.253.1/24

@DigitalDick: Hi, Thanks for replying. All devices are on the lan, so I'm using 192.168.1.13 to try to rdp to 192.168.1.11. Before I had PFSense installed I could RDP with no issues. Only mod I have made is a NAT rule to allow Plex out to the internet so its not heavily tweaked yet. Thanks, Rich So given I have made no changes, I took on board what you said….and I don't want to talk about it anymore, OK ! ! :( I thought id teamviewer on to said machine, turn off firewall and well hello, I could RDP, so made the chnges in the firewall on the remote machine and turned the firewall back on and all is good. Thank you sir ! I'm guessing the fact I had changed my "Wireles Connection Profile" acter connecting to PFsense It assumed I wasn't on the private network and had it as Public or something. Still though, thank you sir, I will go hang ones head in shame !

Sure seems like multiwan, one is his primary his layer 2 primary circuit to get somewhere and other is a vpn connection to that somewhere over an internet connection I would assume. So just treat it like 2 wan connections.

Additional information. When one of the links is offline, the log pfsense is flooded with this information: Sep 15 09:56:11 dpinger WAN2_DHCP 200.177.70.65: sendto error: 64

nothing in the sys log really jumps out at me, quality looks good and it even has better RTT times then the dsl lines do, 2.3.2-RELEASE, darkstat, iperf, ntopng, pfBlockerNG, squid, squidGuard are the only packages

so your using the resolver??  Did you modify your ACLs to allow for these other vlan/networks to use unbound? [image: acls.jpg] [image: acls.jpg_thumb]

@johnpoz: Pfsense is meant to be where your draytek are.. What your doing if natting is going to be terrible and you would have to port forward to allow traffic.  Did you disable natting on your pfsense? Dear.   Natting on Pfsense is active beacause I can ping is ok from Lan: 10.0.2.249 to Wan network of pfsens 2: 10.0.5.x. But it can't ping to wan adapter pfsense2 is 10.0.5.249 . I think the problem relate Pfsense 2.   Wan network of pfsense1 can't ping wan adpater of fpsense1. To do this I think don't need nat or route beacause it is like together subnet mask.   I think that steps I need to do is: 1. Ping Ok. From wan network of pfsense1 to wan adapter if pfsense1 2. Ping Ok. From wan network of pfsense 1 to Lan of pfsense 1 3. ping Ok. From wan network of pfsense 2 to Lan of pfsense 1 Thanks for your help. P/s: I don't check System/Advanced/Firewall & NAT Disable all packet filtering.

Well, you will still have WAN, you just won't assign igb1 to any pfSense interfaces so untagged traffic on that interface will be dropped. If you look at the interface names you will be using they will be igb1_vlan80 and igb1_vlan90.