Post screenshots of your: Firewall: Rules  LAN System: Gateways System: Gateway Groups

Ah, figured it out. I created a static route to the OFFICE network that uses a gateway pointing at the PFsense LAN interface IP and voila

But if each match stops further execution of rules, isn't it much less flexible than netfilter? No it's not. Just move block rule before allow and you will have all working.

You can get around the validation by adding the gateway from the Interfaces > LAN (or WAN) page, click the "add a new one" link by the gateway drop-down and it will let you add a gateway without the validation. Then you can re-select the proper gateway ('none' for LAN, or the right WAN gateway on WAN) and do what you want.

Ok sadly it's what I had expected. I didn't think of the bridging solution though, so thanks for that one, I'll probably try that approach. Thanks Bardelot

Please don't cross-post the same question to multiple boards. http://forum.pfsense.org/index.php/topic,44202.0.html

I will answer my own thread for forum-completeness  ;) Answer is "no" I can't do what is described in the picture above. This is due to both WANs having/being assigned the same gateway, see http://forum.pfsense.org/index.php/topic,44059.0.html etc. The "solution" I'm going with currently is to add a real cheap router inbetween the switch and WAN2 and then enable DMZ for the router to the WAN2 interface. This way pfSense won't use the same gateway for the two WAN ports (only trouble I have now is that there must be something wrong with my firewall rules since I can't port forward a connection from WAN2 to anything but the pfSense machine itself, but that is an other story).

I presume the provider means they're using those IPs for their HSRP, which just means you cannot use those IPs.

Ok so this ended up being an issue where the firewall auto created a dynamic gateway.  Thanks for the help

Sounds like the new subnet isn't being routed to you properly by your ISP, though not enough info there to tell you. Packet capture on WAN when trying to connect to it from the Internet, if you don't see it, you aren't getting it routed to you.

Using Squid would be my guess, that's not adequate for Squid. On another note, remove the gateway from both of your first two rules. You want them there to avoid the policy routing, but you do not want the gateway there, that'll break connectivity to directly connected hosts on that subnet.

@jimp: Any modem reported to work is listed here: http://doc.pfsense.org/index.php/Known_Working_3G_Modems If they aren't there, nobody has told us it works. Excellent.  Thank you.

i have the same problem

I believe I may have figured out the issue. Instead of having the policy based firewall rules directing traffic I removed them and let PFSense just use its routing table. I then changed the final policy based rule saying if NOT trying to access a remote office, go out the internet group of gateways.

Very soon, found a couple issues that had to be fixed yet that required a new round of images, which means a new round of testing. Hopefully this is the last batch.

@Jeda: but we can get out fine via the wan, so doesn't that infer that the DNS is working?  It's only between the two subnets that is problematic. I don't understand if the ping from the 10 subnet is showing up on the 20 subnet, and I see it with wireshark on the 20 subnet, why isn't the pc on the 20 subnet responding (same pc that wireshark is on).  so it's from 192.168.10.189 pc -> ping 192.168.20.198 Yes it does. Got mixed up with another issue. Sorry about that. Bloody windows firewall … always gets in the way.

It seems to work now without turning that feature on. Just had to restart the pfSense box :-)