Anyone?

@johnpoz Dear John, Thank you. My issue solved. I got confused and made everyone confuse. WAN- 203 Series LAN - 192 Series (192.192. series will change in few days to 192.168.) Currently Windows DC is running in that 192.192 series. So will change in few days. Please find the below link. https://forum.netgate.com/topic/134674/how-to-configure-3-ip-s-internet-restriction/20 Big Thanks to you John. No words to express my gratitude. Lokesh Kamath

Only 23days to find a problem.... I wish my bosses were as nice

I'm afraid I won't be of too much use here, but it did occur to me to ask whether you really mean 50MB (as in 50 megabytes per second, or 400 megabits per second)? I'm assuming that's the case, because 50 megabits per second certainly shouldn't be stressing anything. Additionally, is the connection symmetric (50 upstream too)? Also I don't know whether this is really an option, but if possible I might suggest backing up your configuration and performing a fresh installation. Then you can see whether the problem exists even when you're starting from zero with no packages installed.

IPsec is ... faster.

Hello, thanks to fill my great ignorance; with your help I resolved the issue. Now I have this in the rule for LAN interface: [image: 1535450236460-pfsense_rule_1-resized.png] and on the outbound NAT I set the correct interface: [image: 1535450278183-pfsense_rule_2-resized.png] But now please you can explain something about that? The first thing is how I can go out via the 88.45.191.140 path even if I am on the WAN interface; or better, when I do traceroute I see that correctly I go out through the "desired" path and not that it is of default. The second question if about the starting path, i.e.: with the configuration that I have done initially I've seen that the flow is: 192.168.0.3 (swi1) 192.168.0.31 (pfs1) network desired hop while now with the correct gateway setup on lan->net 7 rule I see only 192.168.7.7 (swi1 address hsrp for net 7) *network desired hop so it seems that the pfsense is not engaged. Thanks.

Using failover, you do have to call out the group in the firewall rule. So yes if you want to allow traffic to your local vlans and not go out the specific gateway this is how its done. Its gone over here https://www.netgate.com/docs/pfsense/routing/multi-wan.html And in the book with more detail - everyone now has access to the book... I would suggest you take a look ;) https://www.netgate.com/docs/pfsense/book/multiwan/index.html

According to my testing sticky connection is not working as you described. When opening several connections from one machine both wan gateways are being used. And there are persistent connections still active AND all connections are established within sticky connection timeout. If it is supposed to work client based it is not doing that in practice. And that causes issues when a single software opens multiple connections and those are routed through different wan gateways. One test I made was pretty clear: opening www.whatismyipaddress.com in two browsers -> different wans. A.

Hello @tejas you NAT outbound rules?

"OpenVPN-GW" is handled as a gateway group including all OpenVPN instances (servers and clients) on pfSesne. So if you running multiple OpenVPN instances on L assign an interface to the concerned one and use the gateway of it for policy routing. On pfSense R add an outbound NAT rule to the WAN interface for the source network opt1, translating source addresses to the WAN address.

So your internet connection is what exactly 10ge? Multiple gig over a 10ge interface.. Multiple smartjacks... How exactly is this isp connection with multiiple IPs presented to you? Is it a 802.3bz into a switch and you want to run multiple gig interfaces into the same switch on the same L2 to be able to leverage the higher than gig connection? Unless your bandwidth is higher than what your interface can handle at the physical layer - there is zero reason not to use just a vip or a vlan, etc. I have 100mbps internet with /24 for ips - why would I need multiple physical interfaces to use all those IPs if I have gig interface?

What does UBNT mean when they say "VLAN aware" mode. Tag the VLANs on a port on the XG-7100 switch. Tag the VLANs on a port on the UBNT switch. Cross-connect them.

@bnelsonjax i'm kind of new to pfsense but you setup a gateway group for your failover right? wan1 tier1 wan2 tier2 then you made a firewall rule for all traffic to that gateway group right? If so you just make another gateway group but this one is wan1 tier2 wan2 tier2 then when you make the firewall rule you specify the source as the voip device and assign it to the new gateway group you added. Edit: oh and you put the firewall rule above the old one of course on the list.

To answer my own question, I had to create a Virtual IP (IP Alias) with the single static IP address that the DNS record points to. Then, under VPN -> IPsec -> Mobile Clients -> Edit Phase 1, under 'Interface' the Virtual IP created is given as an option. I also changed the way the pfSense firewall/router obtains its IP address. The WAN interface now has a static private IP address (192.168.2.1) which is seen by my ISP's gateway device, along with the Virtual IP. (The gateway device is, of course, set properly so that traffic to pfSense isn't filtered or blocked). So now my IPsec VPN works with one of the static IPs, and traffic from the computers behind pfSense is seen as coming from the DHCP address assigned by my ISP, as I need it to.

I think i solved it .. from what you were saying and the helping and the how the rules go and then you mentioned thats normal goes to wan and also the vpn that got me thinking i need to block it it seems to be working i have VPN for my computer and bypass for the xbox and its open.. ill test more tommorow and get back to you but this is what i did seems to do the trick [image: 1534551220642-pp2-resized.jpg]