Have you restarted the browsers? Already opened connections are not blocked when adding a block rule.
You may also kill the states on pfSense.

Static routes on the SG-1100 are only needed if the downstream routers do not do outbound NAT / masquerading on the upstream interface.

To add static routes go to System > Routing > Gateways and add a new gateway:
interface: LAN
Gateway: 192.168.5.10 (RT-68U)
enter a proper name
Also add the ERX IP as gateway to OPT1 interface.

Then switch to the "Static Routes" tab and add a route:
Destination network: 192.168.1.0/24
At Gateway select the RT-68U GW

Add additional static routes for all the networks behind the ERX with Gateway: ERX GW

My first suggestion would be to upgrade to 2.4.4-p2, but I don't think that alone would solve your problem.

I would set this up with a default gateway group using the 1Gbit gateway as tier 1 and the 10Mbit gateway as tier 2. This would ensure new connections use the prioritized 1Gbit gateway if it's up.

As pfSense is stateful it won't drop connections unless it has to, so existing connections won't jump over to the faster line as soon as it's back up by default.
If this is your wish, you should enable the setting on System->Advanced->Networking named Reset all states I guess. I have never tried that setting myself.

**Reset All States** Reset all states if WAN IP Address changes This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address.

You should look at System->Routing->Gateways to see if the default gateway does switch back to tier 1 when the 1Gbit gateway comes back up.

@jimp
Thank you for your reply. You are correct, I didn't enable that because of the documentation warns about doing so on LAN interfaces.
In my case, this interface gives me access to some LAN subnets so I was counting on static routes. It didn't really cross my mind to add an upstream gateway as a potential WAN interface. I confirm your solution resolved the issue.

I really appreciate the work you guys put in this software and the time you take to answer questions in the forum. Thumbs up!

How are the two networks connected now? You can't send traffic through a gateway in another subnet like that. You need some kind of transit network. For example, if it's a dedicated circuit, you'd have that plugged into an additional NIC (or VLAN) on both pfSense firewalls, and then you'd have some other unrelated subnet to talk between them there. Then you use the address in that subnet as a gateway to reach the other.

If you have your LANs plugged together so they're all in the same Layer 2/flat network that is going to be a huge mess.

In Gateway, I created two connections in Gatewey Groups. I created a MultiWan group for two wan. I installed Tier 1 triggers, put Packet loss or High latency, Default gateway v4 set MultiWan in rules - lan / rule set my MultiWan. In General Setup registered dns on both wan. But does not work with pfsens ping ip, dns do not respond,
On the local computer, too, dns does not ping and ip, for example, 8.8.8.8 does not respond. I put in default getawey v4 instead of Multiwan for example wan2 everything works, you switch to multiwan by default it works but on WAN2 everything remains exactly in parentheses default, you reboot again the same fake.

The problem I'm hoping to solve is that my cell phones can't automatically discover devices that are on a different subnet. For instance, my NAS or my PC. With LAN and WIFI on different subnets, I have to manually enter IP addresses into Android apps to get them to work across subnets. Even with interface rules being wide open and no Windows/etc firewall in between. So I was hoping there was a way to get LAN and WIFI on the same subnet, yet keep the IP addresses distinct by using pools of 100-199 and 200-254. But that being impossible, the real end goal is to configure my network so that my phone can automatically discover the wired devices on the different subnet.

But it occurs to me now that that might be a limitation of Android, not of my pfSense configuration.

It depends on what the application is using for discovery. If the application is using broadcasts for discovery, then the issue you're having is happening by design and is due to a network standard, not an Android limitation or firewall rules.

In order for a device to access a different network, it has to pass through a router and routers drop all broadcast traffic by default.

So I was hoping there was a way to get LAN and WIFI on the same subnet, yet keep the IP addresses distinct by using pools of 100-199 and 200-254.

Unfortunately, there's no simple way to satisfy that request as written with standard gear due to multiple protocol standards. You can absolutely have your WiFi on the same subnet as your LAN and configure two different DHCP scopes, but the 2nd scope will just sit there unused until the first scope fills up. There's no way to force your WiFi clients to grab IP's from the 2nd scope in that scenario.

But that being impossible, the real end goal is to configure my network so that my phone can automatically discover the wired devices on the different subnet.>

If the application uses broadcasts for discovery, there's no way for a device to automatically discover other devices across subnets due to broadcast traffic being dropped by the router. So, you either have to enter IP's manually or hope that the application developer included a way to specify networks to include during discovery.

Your only other recourse would be DHCP reservations or configuring your wireless clients statically. Both of which would be a management nightmare.

If the main priority is keeping the functionality of apps that leverage broadcasts for discovery, then you may end up having to live with all clients mixed in on the same subnet and DHCP scope. It can make auditing and tracking things down a little more difficult, but it's not completely horrible.

Having said all of that, are there some things that can be implemented that may work in theory that involve a more advanced design and adding enterprise gear? Sure, but my guess is that spending a bunch of money on enterprise gear and added infrastructure is probably out of scope for this thread.

Derelict already explained this with his pic, but I'll add some specifics.

"System -> Routing -> Static Routes" should have a static route for all networks behind the Nexus with a gateway of 10.0.0.1 (Looks like this is done) "System -> Routing -> Gateways" should have an entry on OPT1 with a Gateway of 10.0.0.1 (Looks like this is done) Assuming you've enabled routing on the Nexus, remove the VLAN2 you created, re-configure e1/49 as a routed port then give it an IP of 10.0.0.1/30 Configure a default route (not a default-gateway) on your Nexus with the next hop of 10.0.0.2

That's it. I'm running this exact same setup at home. Just to reiterate what's on pic, all hosts behind the Nexus need to be using the IP configured on the SVI of each VLAN as their default gateway in order for the routing to work. You will also need to add helper addresses to each VLAN interface in order to provide DHCP behind the Nexus.

Yup. BGP in that case should be handled by a router that doesn't care what interface a packet arrives on because it is not maintaining firewall states.

ISP1 ISP2 + + + + BGP ROUTER + | | + FIREWALL

@dotdash said in Dual WAN Failover with 1 WAN port, is it possible?:

@pfrickroll said in Dual WAN Failover with 1 WAN port, is it possible?:

I even tried plugging it in in WAN port on pfsense with and turn on DHCP but nothing says "unknown". When i connect laptop into LAN port on hotspot everything works fine.

If it doesn't work on the physical WAN port then there's something wrong besides the vlan configuration. Not sure why it would work on a laptop but not on the firewall. Maybe try setting wan to dhcp, connecting wan to the hotspot, and rebooting pfsense. If you can get that to work, then try it on the vlan'd switch port.

The router just died today. Power LED keeps blinking and all LAN ports don't respond. I didn't even use it yet, going to return it.

Maybe, but the traffic shouldn't be handled by the modem anyway as it's local trafic. Maybe the old one did this, but in my opinion the pfSense should deliver the traffic at the camera system without any interaction of the modem. Am I correct?

Ruud.

@flighteven said in IPV4 Multicast not enable on 2.4.4-RELEASE-p2:

netstat -gs

Even though the command says no support. It's working fine! IGMPProxy and PIMD both work.

Hey all. Quite a few hours of mucking about and I got it workin!
Thanks for the help. Amazing.

Solved... Outbound rule was missing :)

@johnpoz said in Does anyone have a link to a good site for Multi WAN:

osed to public inter

Sorry I think it is just a bridge and on the HV1 and HV2 is untangle running as firewall if I remember correct.