@hebein glad to help you! I think log analyzing will help to reach 100%)

Put the other members of the gateway group on a lower tier. If you have them all on tier 1 then it won't switch when the down member comes back.

Well, the only rule that has seen any traffic at all is the Default allow LAN to any rule, so nothing is being blocked. That's why I suggested you try looking at it from the Synology side.

Sure with the HA proxy you can do that. I do it now for a couple different fqdn. But that is going to work with http protocols, not going to be able to work with say smtp.

Add each WAN IPs you want to use to the WAN interface. Firewall >Virtual IPs. Use type "IP Alias". Go to Firewall >NAT >Outbound. Switch into the manual mode. pfSense should take over the automically generated rules for each of your subnets into the manual mode. Edit each one, go down to the translation address and select the outbound IP from the drop-town you want to assign the respective source network.

Create the vlans on pfsense, with the IDs of your vlans and then assign them to the physical interface that is connected to switch.

nobody with ideas?

Thanks. I'll see what I can do.

This was not the fix. needed to adjust a routing statement in the VPN router to include the full / 24 I had mistakenly set it to /28

Okay, my bad. This seems to be an issue with my APs versus pfSense. When I run test-ipv6.com on a wired client, it passes. I'd delete this post, but it errors out. My apologies for the diversion.

Yeah you normally do not have access to manipulate routing inside the mpls network. But you could ask. Proxy on your end, which you just run on pfsense would be easier way to go for sure ;) Other solution would be to create a tunnel between their end your end where you could route internet through the tunnel. This removes any routing concerns inside the mpls path.. You could do openvpn from the branch pfsense to yours.

If it makes multiple outbound connections and the protocol doesn't like it coming from two different addresses you will have problems. If it only makes one connection it should be fine. Try it and see? If it gives you issues you can policy route just that traffic out one WAN. You might also try sticky connections. https://docs.netgate.com/pfsense/en/latest/book/multiwan/load-balancing-and-failover.html#problems-with-load-balancing

You have to use the tag because, as that blog describes, traffic heading out WAN has already had outbound NAT applied by the time the outbound floating rule is checked so you lose the ability to match on the hosts' inside IP addresses.

@Milan-M said in LAN Routes just disappear: LANs 3-5 have been created by going to "Firewall -> Rules -> LAN" and creating the rules there. That is not how you create anything.. Creating other lan would be done via interface assignments, be it a physical interface or a vlan you assign. If you have other networks that are downstream that you want to get to via some other downstream router, then you wuld need to create a gateway in routing, and then the route(s) telling the networks at are available via that gateway. Yes you would need to create rules to allow them access.. But that is not what "creates" them or routes to them. Btw your rule there for "lan" isn't going to do anything - the source is set for the lan address, not the network.. So that says hey pfsense if you see traffic from your own lan address allow it ) Never going to work that way..