• Sticky connections - not working to OVH.COM

    3
    0 Votes
    3 Posts
    751 Views
    R
    @kapara: Did you look at the states?  Do you have a conflicting rule?  Why not force connections to OVH via a single gateway or via failover instead of both using same tier? Didn't look at the states which I will do now. I have tried in both NAT outbound and also a firewall rule, but obviously I don't know what I am doing!  If I want to force all outgoing connections to a certain domain (or a certain IP) to go via one WAN what is the best way?
  • Found a possible bug.

    4
    0 Votes
    4 Posts
    910 Views
    C
    Just make sure your rules specifying a gateway are only matching traffic you want to force to that gateway (group). Add rule(s) above that to pass traffic between internal networks.
  • How to assign a gateway to an alias with multiwan configured?

    1
    0 Votes
    1 Posts
    390 Views
    No one has replied
  • On Failover DNS Resolver not working

    3
    0 Votes
    3 Posts
    2k Views
    C
    You need to enable forwarding mode in Resolver, or default gateway switching.
  • Multiple Static Routes over IPSEC

    2
    0 Votes
    2 Posts
    562 Views
    jimp
    IPsec does not route, so you can't use static routes. You need a separate Phase 2 entry for each distinct pairing of local and remote networks. The easiest way to reduce that is to summarize the remote networks. Are they all close by each other? Can you use a larger subnet mask to include all of them? Or at least reduce the number to something manageable?
  • MultiWAN with Load Balance and VoIP

    9
    0 Votes
    9 Posts
    2k Views
    E
    I have done a lot of reading in regards to this issue, and pre-2.3 apinger was terrible and was often the issue. However, I had some pre-2.3 boxes working with failover, but there was no voip traffic on these boxes. This issue seems to be just for voip traffic. I have not been on site to do some more in-depth testing. pfsense does not recognise that a gateway is down and does not switch. I can watch the state for voip traffic just sitting there and not changing. If I delete them manually, then it will fail over to the second WAN connection but does not work automatically.
  • IPSEC routing with 2 WAN's

    3
    0 Votes
    3 Posts
    645 Views
    J
    Also, on your identifiers, I usually manually type those, as different versions have captured and relayed this differently.
  • Vlan WANS High latency or packet loss on high traffic

    3
    0 Votes
    3 Posts
    864 Views
    J
    Try traffic shaping to within a megabit of your download. Most ISPs just drop packets once the max is hit, whereas traffic shaping can be a much more smooth process. This is not a cure-all, softly queueing traffic might not drop it, but will add latency. Also, are you seeing any packet loss?
  • IPsec and Rooting with multi site

    2
    0 Votes
    2 Posts
    537 Views
    J
    What do your phase2 entries look like per site? Do you have rules on the ipsec interfaces to allow such traffic?
  • Plex Media Server WAN IP Issue

    5
    0 Votes
    5 Posts
    2k Views
    D
    @kapara: Are you doing 1to1 nat? With your IP for plex? Ah, I haven't tried that yet. Omg how did I not think of that…. I'll try it and post results here.
  • [SOLVED] Static Routes troubles

    2
    0 Votes
    2 Posts
    608 Views
    O
    Seems that I solved the problem changing "State type" in "none" on the "Rule 1".
  • Set Static IP from ISP to LAN client

    2
    0 Votes
    2 Posts
    553 Views
    jimp
    While technically you could assign addresses from the WAN subnet on a local interface using bridging, or add the IP addresses as VIPs and use 1:1 NAT, you would not want to do that in this case. A CCTV system and a printer are two prime examples of devices you should never, ever, under any circumstances expose to the Internet in that way. These devices usually have weak security, poorly maintained firmware, and bugs that would allow attackers on the Internet to breach your network. If you want to access them remotely, use a VPN – do not even set up port forwards for such things.
  • Bridge and Firewall Rules

    1
    0 Votes
    1 Posts
    589 Views
    No one has replied
  • How to configure failback for WAN1 up

    38
    0 Votes
    38 Posts
    11k Views
    Derelict
    If you use pfctl -vss you will get the age of the state. That might be good information when troubleshooting this.
  • Force IPSEC next hop

    2
    0 Votes
    2 Posts
    820 Views
    J
    Maybe a rule on the IPSEC interface that says source (remote ip) allow to destination (any) via the Cisco as its gateway?
  • Bonjour/Time Machine over OpenVPN client connections

    2
    0 Votes
    2 Posts
    1k Views
    K
    mDNS is multicast so in theory it should work if your VPN uses a tap(4) adapter that emulates an ethernet adapter with broadcast/multicast functionality.
  • Not sure if my switch or pfsense

    3
    0 Votes
    3 Posts
    596 Views
    W
    The small sfp switch came in. Works great! /thread
  • Can't access internet

    14
    0 Votes
    14 Posts
    3k Views
    V
    A misconfigured outbound NAT could cause the same effect.
  • Outbound packets through same gateway

    6
    0 Votes
    6 Posts
    1k Views
    C
    @viragomann: Change your pfSense WAN interface to 192.168.1.2/30 for the subnet of GW1 and add as virtual IP 192.168.1.6/30 for GW2. Now you can add separate filter rules for each WAN address and tag the packets coming in GW2 to direct responses back. That won't work to address reply-to though. Must be either a separate physical interface, or a tagged VLAN would work as well. No other option for proper reply-to functionality.
  • LAN routing issues.

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    " that use the pfSense ip on the transfer VLAN as a GW." Huh??  How is that going to work - the gateway of any specific network/vlan would be an IP on that network/vlan. Do you mean they have a svi on the cisco switch in that specific vlan, and the gateway off the layer 3 switch is using the IP of pfsense in the transit network.  That is correct, but that is not how your statement reads. What are your rules on pfsense, and routes?  Are you pushing something out a specific gateway? What does this hypervisor trunk?  So you have vms in multiple vlans on there? So let's say you have 172.7.100 as vlan, and 172.17.110, and 172.17.120, 172.17.130..  These all point to say 172.17.x.1 as their gateway which all resides on the switch, except for the network that is hanging off pfsense, this 172.17.x.1 sits on pfsense.  And then you have a transit of say 192.168.0.0/30 So let's see your firewall rules for your home vlan and your transit network and your routes on pfsense.  So attached is how I would see your network, basically your esxi host is just a switch with vlans hanging off of it that you have a trunk connecting that to your layer 3 cisco switch.  Where the vlans on that switch are all pointing to the svi on the cisco layer 3 for their respective vlans. Is this correct? [image: transitsetupvlans.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.