  • Is this multiwan config supported?

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • Multiwan separate browsing and gaming

    2
    0 Votes
    2 Posts
    767 Views
    jimpJ
    That's far too vague to define. To separate the traffic you have to be able to identify it with firewall rules. Sometimes that's by port number (the majority of browsing is on tcp/80 and tcp/443), sometimes it's by source (a gaming console's traffic is undoubtedly almost entirely gaming), sometimes by destination if you know the address/netblock of a specific server and what it does.
  • What do colors mean in System - Gateways?

    8
    0 Votes
    8 Posts
    1k Views
    D
    Then kindly state what's broken instead of asking completely pointless questions about GUI colors… It won't work any better even if you make it green or pink.
  • Trouble adding a Static Route

    5
    0 Votes
    5 Posts
    2k Views
    M
    Thanks again @viragomann- I think I've finally got it! I already had the gateway entered in pfSense with the LAN address but the piece I was missing was that the pfSense box had to have a virtual IP on the LAN interface that was within the 192.168.9.0/24 range in order for it to accept the static route.  After adding the virtual IP, I was able to add the static route and it looks like clients can ping LAN computers and receive the proper reply! Thanks for all your help!
  • Connect 2 lan subnet

    2
    0 Votes
    2 Posts
    923 Views
    V
    If pfSense is the default gateway for both LANs there is no need to set static route. Just add appropriate Firewall rules to permit the wished access.
  • Two Multi WAN firewall rules give different results

    13
    0 Votes
    13 Posts
    2k Views
    C
    @UNet: I'm convinced that this feature simply does not work anywhere. This has worked in the past with 2.0, I remember. The comments of the following blog post kind of confirms it for me http://terraltech.com/multi-wan-load-balancing-with-pfsense/ Of course it still works. The comments on that post no doubt from Squid users, where it's not hitting those rules at all. You need to negate policy routing for LAN to LAN connectivity to work. https://doc.pfsense.org/index.php/Bypassing_Policy_Routing I'm guessing you're breaking your DNS maybe, if it's on one of the other internal subnets. Troubleshoot the issue, what works and what doesn't? IP connectivity to the Internet (ping 8.8.8.8/8.8.4.4/4.2.2.2)? DNS resolution work?
  • Multi wan + squid(transparent) + squidguard on 2.2.4

    8
    0 Votes
    8 Posts
    3k Views
    C
    The main reason why it doesn't work as you expect is that fail-over & load balancing is done using group gateway but also rule at FW level which allows to specify this group gateway within these rules. With external proxy, it obviously benefits from such rule while with internal proxy that is not using any interface but 127.0.0.1, it doesn't work.
  • Openospfd or quagga

    1
    0 Votes
    1 Posts
    767 Views
    No one has replied
  • Multiple ISP routers with the same IP address

    9
    0 Votes
    9 Posts
    2k Views
    R
    @doktornotor: I think it's pretty obvious this absolutely CANNOT work, pfSense or not, without doing another layer of NAT in between. Not exactly sure what's still being discussed here? You cannot have 3 boxes with the same IP and expect the router to be able to distinguish among them.  ::) Someone pointed out to me that you can do that with RouterOS with something like this:
    add destination=0.0.0.0/0 gateway=192.168.1.1%ether1 routing-mark=Adsl1
    add destination=0.0.0.0/0 gateway=192.168.1.1%ether2 routing-mark=Adsl2
    This is why I was asking. Btw I solved using a super ugly double NAT with multiple routers until we change ISP.
  • Mod from single to dual Wan, what about DNS, NTP, DNAT rules?

    1
    0 Votes
    1 Posts
    683 Views
    No one has replied
  • Newbie bgp

    11
    0 Votes
    11 Posts
    9k Views
    R
    i was in prague, and was able to make everything work like a charm :D :D now, i have a question about multihoming & high availability. since i have TWO cogent connections, i have tried the following setup (remember, the current WORKING setup is c1->fw1, c2->fw2 + carp)
    c1 --> switch --> fw1 (gateway1)
    c2 --> switch --> fw1 (gateway2)
    aggr_gateway: gateway1 + gateway2 used as lan gateway, with option 'member offline'
    bgp with 2 neighborhood
    i have configured a group, two cogent neighborhood, 2 firewalls rule and on bgp log i see that my routes get announced on BOTH cogent connection. i can navigate, and receive packet (i suppose that it's the correct behaviour hehehe) now, if i unplug c1 from the switch, i can still 'exit' from behind firewall (i have set a gateway with redundancy, so c1 gw goes offline, and traffic switch to c2) but the INCOMING packet are lost (most of them) just to give you an idea, if i try to reach from public internet a webserver behind firewall (on my /25 network) pages get served 1 every 100 request :D is that normal? on openbgp pdf (http://www.openbsd.org/papers/linuxtag06-network.pdf) this 'config layout' is in page 5, and i have followed the diagram quite strictly. i also can confirm that if both cables are connected everything work, it's basically when i unplug one cable that things goes wrong (so maybe, it's not how high availability on 2 connection can be achieved) these tests are pointless, i know, cos i am using TWO cogent cable, but i want to get a level3 cable to setup a real high availability, so this one should be a good test. tnx for your assistance
  • OpenBGP with CARP in 2.2.4 and two ISPs

    1
    0 Votes
    1 Posts
    559 Views
    No one has replied
  • 2 ip subnets with 2 providers

    9
    0 Votes
    9 Posts
    1k Views
    ?
    i want each computer to be seen in internet with an ip from /27 (1ip from ISP1 / 1ip from ISP 2) This would be not able to do as I see it right, without using AS and BGP, and with using this you will see even also only one PC with one IP! But this way you won't go as you explained above. also internet connections to be used in a round robin manner between ISP(have the same speed) Load balancing between two or more ISPs would be running at a glance without problems and there are three common and mostly used methods to do so and realize it well, and yes the policy based routing is a so called round robin manner so please beware of using the real round robin method please!!! This is only for CARP or cluster based pfSense firewalls that has a switch in the front of the WAN ports and some modems connected to this switch also and then perhaps if two or more ports are building a static LAG (not over LACP) and this will be used then as one WAN Port. I can set from NAT to force a computer to be routed with an ip from /27 but the second ISP will not allow of course to use ip from ISP 1 and viceversa Yes for sure this is correct and therefore I was telling at some line above that is not able to realize with load balancing, perhaps you will find a way to let the pfSense acting as a traffic shaper or something like this.
  • How to configure multiple WANs on one Uplink

    6
    0 Votes
    6 Posts
    3k Views
    J
    Hi Ashima, Thank you very much for your reply. It now works perfectly! Every LAN interface now has different IP ranges and go through one WAN interface as separate WAN IP addresses! Chris4916, I might have explained it the wrong way. I didn't want multiple WAN interfaces. I just wanted one WAN interface with multiple WAN IP addresses going through it for the different LAN interfaces. So now I have just one WAN interface with a static IP of xxx.xxx.xxx.62. Through this interface I have virtualized 3 WAN IP's: xxx.xxx.xxx.58 for LAN interface 1 (with internal range 192.168.1.0); xxx.xxx.xxx.59 for LAN interface 2 (with internal range 192.168.2.0); xxx.xxx.xxx.60 for LAN interface 3 (with internal range 192.168.3.0). So all LAN interfaces go through one WAN interface, but as separate WAN IP's, which is what I wanted :) Do you now understand what I mean? If not, just let me know and I might be able to clarify in another way :) In any case, it's working now thanks to multiple inputs from multiple users and forums, for that thank you!
  • Cannot ping from LAN after setup

    5
    0 Votes
    5 Posts
    2k Views
    T
    Ok, thanks for your advice. I will try this out and see if it helps.
  • Can't ping from two networks linked by an IPsec tunnel

    4
    0 Votes
    4 Posts
    1k Views
    C
    We had a half-success, in the IPsec rules we put only TCP in the "pass" rule, with "any" we can ping from remote office to headquarters, but from headquarters when we ping, the reply comes from 192.168.0.239 …
  • Multi WAN with policy filtering

    3
    0 Votes
    3 Posts
    859 Views
    A
    Hello Everyone I solved the issue by changing the order of my DNS server. I made 10.52.64.3 as primary DNS  and 8.8.8.8 as secondary DNS server for all my dhcp clients. Thanks for all the effort. with regards, Ashima.
  • Internal routing problem

    2
    0 Votes
    2 Posts
    691 Views
    pttP
    https://doc.pfsense.org/index.php/What_is_policy_routing https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • RDP to host server running PFsense on vmware causes a problem

    13
    0 Votes
    13 Posts
    2k Views
    johnpozJ
    "anyway my host has an ip of 192.168.2.2, pfsense is natted thru vmware, so it has a wan ip of 192.168.2.4" How do you expect that to work exactly if there is a NAT??  You can not put same network on both sides of a NAT. What version of player/workstation are you running.. I don't believe current versions of player allow you to edit the vmnets - but you can still pick between nat and bridged.  See attached image. So here is the thing: if you want pfsense wan to be same network as your normal network 192.168.2.0/24 then the nic in vmware player/workstation needs to be bridged to your interface on your host machine that is connected to this network. Now how exactly is this 192.168.10 network attached to your host machine???  This is another virtual nic in your pfsense VM.. What are the settings on that nic.. What physical nic is it attached to, or is it also Natted? How you would normally set this up is your host would have 2 physical nics..  Your pfsense vm wan nic would be bridged to the physical nic that is connected to a network that has internet access.  Now your host machine can either have binding to this nic and IP on this interface. Or it can have its binding and connection to the hosts 2nd nic and also bridged to the physical network.. This puts the HOST behind pfsense for internet access on pfsense LAN.  But if you're going to have the host in front of pfsense on its WAN network then there should be NO binding on the 2nd host nic for anything other than the vmware bridging protocol – see 2nd image. If your host has connections in both of your networks both 192.168.2 and 192.168.10 and you're trying to connect to its 192.168.2.2 address from a box connected to its 192.168.10 network.. You're going to have issues.. So it answers you back from its other interface and you have what amounts to an asymmetrical routing issue. Please post up your vmware settings for your pfsense VM like my first pic. Exactly what vmware product are you using player/workstation 10,11,12 ?? And please validate what physical nics your stuff is connected to on your HOST PC..  And an ipconfig /all from your host pc wouldn't hurt either. [image: vmwarenetworktype.png] [image: phsyicalnicnobindings.png]
  • Is there any single socket multi wan software like speedify for pfsense?

    5
    0 Votes
    5 Posts
    3k Views
    D
    So it has been about a year now on this. Has there been any progress on something of the like? Quick edit:  I would like to set up something similar between my house and my parents. Parents run dual dsl @ 6/0.5 (Thanks AT&T!)  whereas I am in a more modernized part of civilization and have a modest 300/25. It would be nice to be able to tunnel their traffic through my house by creating some sort of VPN bond to my place.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.