• Accessing a server with a GW on a different pfSense

    0 Votes
    12 Posts
    2k Views
    Thanks for your answers @heper: your openvpn is a transit-network …. packets go THROUGH it instead of TO. Yes I understand this. It was kind of a "shortcut": it was shorter to talk about "OpenVPN" rather than about "the machine connected through OpenVPN" @johnpoz: So looks to me you have this - see attached. Your drawing is really better than mine (except I do not see Internet as such a dark cloud) ;) Yes it is my network config. The reason I have such a config is because pfSense1 and server1 are virtual machines hosted on host1, while pfSense2 and server2 are virtual machines hosted on host2. Host2 acts as a backup of host1, and I wanted the settings of server2 (and all the other servers, configured that way), to be ready and operational. @johnpoz: I would not suggest trying to create a route on pfsense 2 point to the tunnel network 10.0.100/24 to pfsense 1 lan IP So is this the reason why the static route I set on pfSense2 (as described before - adding a "green arrow" on your drawing from pfSense2 to pfSense1) does not work? Is there a (short) explanation why a "simple" static route will not do the trick? I was expecting that if there is a "sign" in pfSense2 saying "to go to OpenVPN : follow the direction to pfSense1", and when you're in pfSense1, ask someone…
  • Cloud Firewalling

    0 Votes
    7 Posts
    2k Views
    Aaaah… ok. that i work for me. I have a dedicated server with ESXi and I have 6 VM servers, and all the servers are behind the pfSense.
  • GRE setup - how to connect two sites?

    0 Votes
    1 Posts
    560 Views
    No one has replied
  • Want to route specific LAN host out of different gateway

    0 Votes
    7 Posts
    3k Views
    I finally solved it. I mixed up two gateways. My mistake. Thanks for your help and interest. I really appreciate it.
  • 2WAN Setup

    0 Votes
    2 Posts
    799 Views
    Honestly that diagram has me scratching my head. It should look more like this unless you have some really fancy modems with dedicated management interfaces. [image: dual.png]
  • Bandwidth per IP per WAN in Multi-WAN Setting

    0 Votes
    1 Posts
    413 Views
    No one has replied
  • 0 Votes
    9 Posts
    1k Views
    luckman212
    @cmb: Traffic from the host itself doesn't follow your gateway groups. If you have default gateway switching enabled, it switches the default to the next gateway in the list, in top to bottom order. When you say "in top to bottom order" are you talking alphabetically or what? Because AFAICT there is no way to re-order them in the list. I've had this problem/question myself for a while. Seems there should be a checkbox on the GW config page that says "Skip this gateway during failover events" or something to that effect.  Because there is nothing in the GUI that defines whether a particular GW is "internet facing" or not.  And we have seen that when pfSense itself has no internet connectivity, the GUI can become extremely slow or unresponsive.
  • Multi-WAN Per-Packet Bonding without MLPPP

    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Monitoring a different IP

    0 Votes
    4 Posts
    1k Views
    A static route for each gateway is set towards their respective monitor IP. You need to pick different ones. (There are enough anycast addresses available)
  • [SOLVED] Multi Wan Gateway Group Monitoring Notification seems wrong

    0 Votes
    9 Posts
    2k Views
    2.3.1-RELEASE (amd64) built on Tue May 17 18:46:53 CDT 2016 FreeBSD 10.3-RELEASE-p3 I can confirm this one is solved  :) Before update: MONITOR: LBGWGroup is down, omitting from routing group SCRGW After update: MONITOR: SCRGW is down, omitting from routing group LBGWGroup
  • Interface Pppoe password

    0 Votes
    1 Posts
    573 Views
    No one has replied
  • Multiple subnets on one port

    0 Votes
    5 Posts
    875 Views
    Personally I would have done the VLAN option, but some of our switches are not VLAN capable. We are using DNS and that's probably what is causing the issue here. I'm going to try and keep pushing the switch over sooner than later.
  • Multi WAN Secure Login/Redirect Hand-Off Issue

    0 Votes
    3 Posts
    945 Views
    https://doc.pfsense.org/index.php/Multi-WAN
  • Multi PPPoE

    0 Votes
    2 Posts
    817 Views
    Each interface can have its own user/pass combination. If you only have 1 physical interface you might get away with vlans
  • Policy based routing dynamically based on changing conditions

    0 Votes
    4 Posts
    833 Views
    nzkiwi68
    You could force certain services, say HTTP, HTTP, SMTP, FTP etc. to go out WAN2 and thus leave WAN available for gamers, by setting specific LAN firewall rules to use specific WAN2 gateway under advanced –> Gateway options on each firewall rule for certain services. I know it's not exactly what you are looking for, but, it will help. You could take it one step further and create 2 gateway groups WANgamers with WANgw in it Tier 1 and WAN2gw in it Tier2 and a second gateway group called say WANgeneral with WAN2gw in it Tier 1 and WANgw in Tier 2. That way, each Gateway Group will have redundancy and failover to the other WAN, but, prefer to use a different WAN gateway normally. Then, your firewall rules will ALWAYS reference a specific gateway group, either WANgamers (which prefers to use WAN) or the WANgeneral gateway group which prefers to use WAN2. I hope that helps.
  • Aggregating 2 WANs

    0 Votes
    2 Posts
    796 Views
    pfSense (like most other routers) does not aggregate; it balances (hence the name). So basically, a single connection will never exceed the max speed of a single WAN. With multiple connections, a single client will be able to get the speed of both WANs (2 downloads/with torrents/ google's spdy/ …)
  • WIFI Link between two pfsense - VPN failover

    0 Votes
    2 Posts
    614 Views
    I tried already to create on the other site as well a firewall rule with the gateways configured. I also removed the static route. Problem is that these rules don't get evaluated because of the states for traffic coming back. I don't know if what I want to achieve is possible at all. Thanks!
  • ESXI with pfSense router

    0 Votes
    2 Posts
    952 Views
    Pls follow link http://www.pfsensevietnam.com/2016/05/pfsense-install-on-vmware-esxi-as.html
  • Routing radius thru IPSEC

    0 Votes
    2 Posts
    693 Views
    Well after a few hours of reading and googling, I have come up with a way that works… Is it right? Not sure, but it works. On the captive portal router, I have set a new gateway with a non-local route (under advanced settings) and address of 192.168.20.1, then I set up a static route to send all traffic for 192.168.10.18/32 thru the new non-local gateway. Finally I have set a new rule under the WAN to only allow 192.168.10.18/32 ports 1812 & 1813. And poof it works. I hope this helps anyone else that is trying to do something like this :-) Dickie
  • Request

    0 Votes
    3 Posts
    849 Views
    In my case I have blocks that are not being used on an interface directly. Some are being used for NAT. I have a superset route that includes these blocks. If I put them in with null as the gateway, then the NATs don't work. If I don't have them in as a route then the NATs are used in the correct conditions, but in all other conditions the traffic is forwarded to the hop for the supernet. Thanks, Rhongomiant
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.