Create a Alias for your "some devices" and use this Alias as Source in a Firewall Rule to Policy Route them out WAN1. -Rico

@M0L50N said in Block Mobile OpenVPN client connexion from target local network site!: @bingo600 That’s the first thing I though, but maybe that can cause another problem on my network? Maybe if I just block about OVPN port used for the connection?!? Yes you could do that too On "Inside Lan" - Block <OpenVPN Server Public IP> - UDP port <OpenVPN Server Port>

@Derelict thank you, its likely something in the docker / macvlan configuration I've not wrapped my head round yet then.

I really Thank you! I didn't think about that! That's why I post that question and I was sur someone like you had the answer! Thanks again, that works perfectly like that!

@johnpoz thank you. first part is done. I have the second wan port up, now just have to get the fail over.

So seems the problem was the triple NAT. I changed the topology in a way that clients after authentication will be placed into a VLAN directly connected to pfSense, with pfSense acting as DHCP server. Now clients don't experience timeouts or interruptions anymore, at least not when there is a low network load. Issues with WAN routers going fairly quickly remain, however, even though they withstand the load for a bit longer than before.

Maybe try pfBlocker and use it to create an alias using Microsofts ASN numbers, then policy route all the traffic through the secondary gateway.

Why do you need a router in your esxi? Your latest drawing doesn't make much sense to be honest. Now you just have 2 vlans off a router behind a double nat? If you have both networks directly connected to the same router, there is no transit network.. Only when 2 routers are connected and you have a network on router A, and a different network on router B and you want them to talk to each other. Then the network that connects A and B together is a transit network - you do not put hosts on it.. The top of your drawing there makes no sense.. So you have 3 routers? You have a 0/29 and a 8/29 for why??

@michaeljones32 said in Strange routing issue: I never realised Windows had this limitation. You can allow access from outside its subnet by adding a rule to the Windows firewall.

@Bob-Dig That confused me too.... until I realized that white dot is only the focus indicator. It's the blue dot that indicates what is set/selected.

@teamits its a different sotry where I cannot ping the gateway itself from my opt wan2 interface but i ca. ping it from diagnostics ping. the workaround I made is change monitor IP to google DNS.

@viragomann said in Multi WAN, TO VM NAS with seperate Firewall: Did you exchange external and internal IPs now deliberately? Suspect saying to have no access to Saveserver as Saveserver was before 172.16.0.3 and now it's 172.16.0.2 (forwarded from 144.76.93.234) yes it was deliberately, but it isnt working and i dont now why. im wondering, because the projectserver is always reachable.

Just get an AP and put your whole network behind pfsense.. Real networking cost a few bucks - but you can do it on the cheap..