• Help with MPLS/Multi-Site to DC using pfSense

    1
    0 Votes
    1 Posts
    807 Views
    No one has replied
  • Multi WAN and VLAN traffic

    6
    0 Votes
    6 Posts
    4k Views
    DerelictD

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

  • [SOLVED] Mysterious failover WAN DNS problem

    2
    0 Votes
    2 Posts
    1k Views
    P

    After much tinkering all it took was to "Enable Forwarding Mode" under DNS Query Forwarding in the DNS Resolver settings.

  • Incoming traffic going out the wrong interface

    4
    0 Votes
    4 Posts
    1k Views
    L

    Figured it out.  The MGMT interface has the mask wrong: set to /23 (network) instead of /32 (host) so the firewall was routing through it.  Changing to /32 and applying immediately fixed the route.

  • Incorrect gateway

    3
    0 Votes
    3 Posts
    1k Views
    S

    Well … I got brave and deleted the incorrect gateway instance in System > Routing. It was automagically replaced with the correct ISP gateway.

    Status > Gateways looks good now also. Correct GW IP, and status is Online.

    No drama !

  • Help with 2 WAN and 1 LAN…

    16
    0 Votes
    16 Posts
    3k Views
    B

    CMB, thanks for getting back to me. Please excuse my ignorance, this is like trying to learn Latin.

    When you refer to LAN rules, are you referring to the LAN Interface?

    Thank you very much.

  • Multi-wan and Dhcp issue

    3
    0 Votes
    3 Posts
    763 Views
    N

    I did create the 2 VLANs 3,4 on the switch and mentioned the IP default gateway will be the LAN IP for pfSense 192.168.1.1. However, I can't get an IP whenever I connect a PC to any switchport belonging to 3 or 4.
    Related to my LAN NIC, it should be working fine as long as it already accepts the subinterface?

  • Haproxy

    1
    0 Votes
    1 Posts
    731 Views
    No one has replied
  • URGENT | Your IP address has changed

    3
    0 Votes
    3 Posts
    868 Views
    E

    Not sure on HTTPS, but enabling Sticky Connection fixed it. Still testing …

  • Multi-wan setup FTP clients not working

    3
    0 Votes
    3 Posts
    1k Views
    P

    Installed it, and it works now!!  8)

    Thanks

  • Problems with Multi-Wan

    3
    0 Votes
    3 Posts
    1k Views
    ?

    It turns out that when accessing the company's CRM system (SugarCRM), the user's session is terminated in under 10s, and the system reports the following error: "Your session was terminated due to a significant change in your IP address." Has anyone gone through this problem and knows how to solve it?

    Normally, if this might be commercial based work, the network admin will
    create a VPN tunnel over IPsec, L2TP/IPsec or OpenVPN, and the complete CRM data
    will then go only through this VPN tunnel; this might be better for targeting such traffic.
    Perhaps this might also be something for you and the SugarCRM company?

    I'm having problems with the use of two Internet links set to tier 1 in "groups".

    With two Internet links you could do proper load balancing as well, but you must decide
    yourself which of the three main versions of load balancing to go with:

    policy based routing (would be good for you)
    session based routing (only good for servers)
    service based routing (would also be matching your criteria)

    The source was shown in this older thread here:
    Here's what you need to do, under System -> Routing -> Gateway Groups

    Create a first group with description name "BALANCE", and set Tier 1 for both WANs and Trigger level to "latency or packet loss" [this is for load balancing]

    Create a second group, description name "Wan1 Fail Wan2 Use" and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down.

    Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down.

    Now, coming to Firewall Rules –> LAN, you need to create three new rules,

    LIKE 1) BALANCE RULE
    Interfaces: Lan
    Protocol: ANY
    Source: LAN SUBNET
    Destination ports: ANY
    Gateway: BALANCE

    2) FAILOVER RULE 1
    Interfaces: Lan
    Protocol: ANY
    Source Address: ANY
    Destination ports: ANY
    Gateway: Wan1 Fail Wan2 Use

    3) FAILOVER RULE 2
    Interfaces: Lan
    Protocol: ANY
    Source Address: ANY
    Destination ports: ANY
    Gateway: Wan2 Fail Wan1 use

    Make sure to place them on top of the LAN rules!
    This is more than enough for fail-overs.

  • Policy routing limitations ?

    2
    0 Votes
    2 Posts
    630 Views
    jimpJ

    Policy routing is a per connection action, not a per-packet action. Once a state is made the decision has been made and stored in the state, you can't take different action on reply packets.

    Although what you're suggesting wouldn't really work even if that were possible. What exactly are you attempting to accomplish?

  • GRE Tunnel to Cisco Router

    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • Ask link aggregation

    7
    0 Votes
    7 Posts
    1k Views
    A

    -in multi-wan-loadbalancing scenarios you avoid balancing https sites or use sticky connections.

    When I use this scenario cited by you, I face problems with some websites; for example, there is a site that is dropping connections, stating that I am using two simultaneous connections, even when using sticky connections.

    Note: I'm doing this balancing in "System: Gateway Groups", with two links marked as Tier 1.

  • Routing/VPN Question

    1
    0 Votes
    1 Posts
    731 Views
    No one has replied
  • WAN failover with vlans + ovpn connections + policy based traffic

    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Static routes question

    3
    0 Votes
    3 Posts
    1k Views
    S

    @rubic:

    You cannot have two gateways to the same destination due to FreeBSD internal routing table organization, which is a trie. ECMP implemented in 8.0 is rather an exception than a common practice. Not implemented in pfSense.
    Why do you need that? I mean, what is the disadvantage of having one working path to the destination? In case you need something like failover, use a dynamic routing protocol like OSPF.

    Hi, thanks for the concise answer.

    Well, we're working on a particular deployment where dynamic routing is not an option due to certain limitations with the routers we're using. This will get fixed but as of now, we can't use routing protocols. The thing is, we need the 2 redundant paths either on ECMP or Active/Standby.

    What about my second question, any insight about that?

    Thanks again.

  • Problems with Multi-Wan

    1
    0 Votes
    1 Posts
    539 Views
    No one has replied
  • 2 WANs setup not working.

    3
    0 Votes
    3 Posts
    652 Views
    V

    Thanks for the reply. I'm not sure. I set up a span on the switch and connected it to another NIC on the server and set that virtual machine on that specific NIC. The problem I will have now is that I'm not sure how to bridge the two vSwitches, so I can access pfSense by the web.

  • 2 WAN working with squid3

    2
    0 Votes
    2 Posts
    609 Views
    F

    @filipemotta:

    Hi All,

    I have two links and some VLANs that I separated by selecting the gateway on the LAN firewall rule.

    i.e:

                                      gateway
    IPv4 * 192.168.0.0/24 * * *       *
    IPv4 * 192.168.4.0/24 * * *       WAN_DSL_PPPOE

    These rules are actually using NAT to navigate on the internet, that is, each VLAN uses the specific link.

    My problem is that when I enable squid + squidGuard, all VLANs use the default gateway. How can I solve this?

    Thanks a lot !!

    To help other professionals with this solution, I found this on the pfSense documentation page:

    By default, traffic using a proxy such as Squid will bypass policy routing and use the default route for traffic at all times. It also bypasses expected outbound NAT and leaves via the WAN IP address directly.
    Policy routing traffic from the firewall itself is not currently possible, and as such, load balancing is not possible. Failover can be achieved in many cases by using default gateway switching under System > Advanced on the Miscellaneous tab.

    So, it is not possible. I will try to install Squid external to pfSense and then pass the traffic to pfSense after the proxy filter.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.