• LanIP to Wan2 [Solved]

    5
    0 Votes
    5 Posts
    1k Views
    demonmaestro
    Action: pass, Interface: LAN, Source: 192.168.100.100, Gateway: wan2. With doing it this way and also having Destination port range set to default (other) with nothing inputted, it won't open all ports to that computer, correct?
  • Routing Netflix through WAN and else through VPN

    4
    0 Votes
    4 Posts
    8k Views
    C
    knight, I too ran into the same issue, but am having some trouble. Currently all traffic is sent over OpenVPN to PIA. I am very new to pfSense (had it a whole 2 days now) and it is not clear to me exactly how to implement this rule. Any help you can offer is greatly appreciated. In the rules I see the following: Action: Pass Disabled: unchecked Interface: LAN TCP/IP Version: IPv4 Source: Not sure what I should put here Destination: again, not sure what I should put here Advanced Features: many options here Thanks, -Edit Got it figured out and working! The key was to remove the two default rules pertaining to LAN traffic and add one for the streaming services, and one for everything else. Both rules required selecting the appropriate gateway in advanced options. Included are my rules for anyone else trying to figure this out. [image: 0seQZ5v.png]
  • Help with link balancing with 3 links

    4
    0 Votes
    4 Posts
    912 Views
    jimp
    From the description of your config, it sounds correct, but without screenshots of the gateway config, gateway group config, and rules it's difficult to say what it might be. Also be aware that packages like squid that intercept traffic will only leave via the default gateway since that traffic originates from the firewall and cannot be balanced.
  • Bridged Internet help

    6
    0 Votes
    6 Posts
    2k Views
    Derelict
    I would consider tagging the internet traffic across the bridges and putting the management of the units on a VLAN interface. I would tag them both but the Ubiquiti gear seems to prefer untagged management. Internet source switch: Modem: Untagged VLAN 100 Ubiquiti: bridge Untagged VLAN 200 Tagged VLAN 100 Bridges SSID on Tagged VLAN 100 Management: untagged Remote switch: pfSense: Tagged 100 & 200 Ubiquiti: bridge Untagged VLAN 200 Tagged VLAN 100 pfSense: WAN: VLAN 100 on eth0 BRIDGE_MGMT: VLAN 200 on eth0 10.100.X.X
  • Single NIC with Multi Wan using VLAN

    3
    0 Votes
    3 Posts
    1k Views
    P
    @mkaliyannan: We have a setup like this: ISP router with unmanaged ports ---> managed switch ---> Single NIC (em0) WAN. <--- pfSense router ---> 2nd NIC (em1) ---> Internal LAN Subnets. I want to know, is it possible to configure multiple WAN using VLAN from the switch to pfSense using a single NIC? Like this: https://www.youtube.com/watch?v=zrBr0N0WrTY (single ISP with multiple static IPs)
  • Clear States on Gateway Success

    2
    0 Votes
    2 Posts
    502 Views
    K
    And dealing with the same thing and I am looking at having a script developed that would monitor the 2 interfaces and kill all states in a specific subnet or VLAN to force them to re-register when the main gateway comes back up.
  • Public ip selected for local IP

    5
    0 Votes
    5 Posts
    737 Views
    Derelict
    @Derelict: Use an outside switch and two pfSense interfaces. One on 90.182.100.240/29 GW 90.182.100.241 and one on 90.182.101.240/29 GW 90.182.101.241. I need to add that even this is ugly and really should be two different broadcast domains to two different ISP interfaces. But it will probably work as long as there is not traffic going out and back in the same interface. If there is traffic between the two /29s you will probably have problems.
  • Help with MPLS/Multi-Site to DC using pfSense

    1
    0 Votes
    1 Posts
    809 Views
    No one has replied
  • Multi WAN and VLAN traffic

    6
    0 Votes
    6 Posts
    4k Views
    Derelict
    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • [SOLVED] Mysterious failover WAN DNS problem

    2
    0 Votes
    2 Posts
    1k Views
    P
    After much tinkering all it took was to "Enable Forwarding Mode" under DNS Query Forwarding in the DNS Resolver settings.
  • Incoming traffic going out the wrong interface

    4
    0 Votes
    4 Posts
    2k Views
    L
    Figured it out.  The MGMT interface has the mask wrong: set to /23 (network) instead of /32 (host) so the firewall was routing through it.  Changing to /32 and applying immediately fixed the route.
  • Incorrect gateway

    3
    0 Votes
    3 Posts
    1k Views
    S
    Well … I got brave and deleted the incorrect gateway instance in System > Routing. It was automagically replaced with the correct ISP gateway. Status > Gateways looks good now also. Correct GW IP, and status is Online. No drama !
  • Help with 2 WAN and 1 LAN…

    16
    0 Votes
    16 Posts
    3k Views
    B
    CMB, thanks for getting back to me. Please excuse my ignorance, this is like trying to learn Latin. When you refer to LAN rules, are you referring to the LAN Interface? Thank you very much.
  • Multi-wan and Dhcp issue

    3
    0 Votes
    3 Posts
    782 Views
    N
    I did create the 2 VLANs 3,4 on the switch and mention the IP default gateway will be the LAN IP for pfSense 192.168.1.1. However, I can't get an IP whenever I connect a PC to any switchport belonging to 3 or 4. Related to my LAN NIC, it should be working fine as long as it already accepts the subinterface?
  • Haproxy

    1
    0 Votes
    1 Posts
    762 Views
    No one has replied
  • URGENT | Your IP address has changed

    3
    0 Votes
    3 Posts
    883 Views
    E
    Not sure on HTTPS, but enabling Sticky Connection fixed it, still testing …
  • Multi-wan setup FTP clients not working

    3
    0 Votes
    3 Posts
    1k Views
    P
    Installed it, and it works now!!  8) Thanks
  • Problems with Multi-Wan

    3
    0 Votes
    3 Posts
    1k Views
    ?
    It turns out that access a CRM system the company (SugarCRM), the user's session is terminated under 10s, and the system reports the following error: "Your session was terminated due to a significant change in your IP address.". Someone has gone through this problem and know how to solve? In normal or usually if this might be commercial based work, the network admin will create a VPN tunnel over IPSec, L2TP/IPSec or OpenVPN and the complete CRM data will go only through this VPN tunnel then, this might be better to targeting such a traffic. Perhaps this might be something also for you and the SugarCRM company? I'm having problems with the use of two Internet links set to tier 1 in "groups". With two Internet links you could do proper load balancing for well, but you must decide yourself for one of the three main versions of load balancing to go with; policy based routing (would be good for you) session based routing (only good for servers) service based routing (would be also matching your criteria) The source was shown in this older thread here: Here's what you need to do, under System -> Routing -> Gateway Groups Create a first group with description name "BALANCE", and set Tier 1 for both "wan's" and Trigger level to "latency or packet loss" [this for load balance] Create a second group, description name "Wan1 Fail Wan2 Use" and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down. Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down.
Now Coming Firewall Rules -> LAN, you need to create three new rules, LIKE 1) BALANCE RULE Interfaces: Lan Protocol: ANY Source: LAN SUBNET Destination ports: ANY Gateway: BALANCE 2) FAILOVER RULE 1 Interfaces: Lan Protocol: ANY Source Address: ANY Destination ports: ANY Gateway: Wan1 Fail Wan2 Use 3) FAILOVER RULE 2 Interfaces: Lan Protocol: ANY Source Address: ANY Destination ports: ANY Gateway: Wan2 Fail Wan1 use Make sure to place them on top of the lan rules! This is more than enough for fail-overs.
  • Policy routing limitations ?

    2
    0 Votes
    2 Posts
    674 Views
    jimp
    Policy routing is a per connection action, not a per-packet action. Once a state is made the decision has been made and stored in the state, you can't take different action on reply packets. Although what you're suggesting wouldn't really work even if that were possible. What exactly are you attempting to accomplish?
  • GRE Tunnel to Cisco Router

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.