Generally, you set the lan outbound rule to use a failover group, but the firewall itself does not. This is usually not a problem, but there is a setting under advanced, misc. to allow gateway switching.

Thanks I have got it working now.

One of my colleagues set the VLAN id to 2 without telling me so I had to make sure everything matched up - added some static routes and it's working now.

Cheers.

Thank you for the response. I'll move forward with that solution. I'm sure I'll learn something in the process.

Cheers.

That's what I was afraid of. I guess I was just hoping there would be some way to "trick" it, like with a virtual IP, or something.  :-\

In that case, let me share one of the reasons for trying to do this: Currently, there are dozens of NAT rules and associated Firewall rules on the 'WAN' interface to allow the general public access to web-facing servers and applications. Users on this VLAN should also have access to the same web-facing servers and applications, but not other servers on the production VLAN (such as database servers, backup servers, etc.).  Anyway to accomplish this without manually duplicating each rule from the 'WAN' interface to the 'VLAN' interface's firewall rule tab?

Thanks!

Go to Firewall rules under initiating interface. Then put in add a firewall rule with following:

Interface: current interface that has, let's call it LAN1
Protocol: TCP
Source: any, or you could specify LAN1 addresses, or LAN1 network
Destination: any IP address, going to HTTP, port 80 to HTTP, port 80

Here's the trick now, go to Extra Options by clicking it. Some new info will pop down
Then go to Gateway and choose WAN2 for the pull down.

This is called policy routing. It's routing by rule, vs. routing by routes. This is not normally newbie recommended because you can really mess things up, but as long as you know what you're getting into, and how to undo it you should be ok.

You'll have to do this for 443 (SSL). No put those two high up in the list of rules.

Next, do one more rule near bottom and do the same thing but do any, any, and on extra options choose wan1 as the gateway.

I hope I explained that right, and please others jump in if I'm telling him something completely wrong.

I've used this in that past to route to different VPNs from certain devices.

thanks

Found this had already been answered in "floating rules to switch gateway" here:
https://forum.pfsense.org/index.php?topic=139752.0

Hi, i am facing the same issue. May I know is the NAT configuration giving me issue?

GW.PNG
GW.PNG_thumb

I think this is normally defined under Firewall-NAT-Outbound rules.  You can edit the "Auto-created" rules to do what you want as well.  (Assuming you have already created your 192.168 networks and assigned them under Interfaces)

Hello anyone has idea on how to do this?

What is it that isn't working?

Thanks!

Thanks for your responses.

Our current setup in a nutshell:

• Just running Trunk VLANs from the switches (Dell PowerConnect) all the way up to the pfSense VM.
• Each physical ESXi NIC port is tagged so it can carry all the VLANs.
• Each VLAN has its own vSphere Port Group and pfSense has a dedicated vNIC “Trunk” with VLAN ID 4095 and then we create other interfaces on top.
• Single vSphere vSwitch on each host. The edge router is our upstream provider gateway.

The WAN optimization appliance apparently requires 2 x vSwitches (LAN and WAN) however our WAN uplink is just an access port on the switch and then an interface on pfSense VM. It does not run on a separate vSwitch.

What is the best method to set this up with the In-line mode?


Am I allowed to run a command like the following?

ip route add default scope global nexthop via 192.168.3.1 dev em0 weight 1 nexthop via 192.168.3.100 dev em0 weight 1

The above command works in the linux version if you first run ip route del default and replace em0 with eth0.

How is the same done in pfsense?

Alternatively, how about using a pfsense VM to make the one NIC look like two virtual NIC's with different gateways associated, and a second pfsense VM that does standard multiwan?

Hi johnpoz,

thank you very much for pointing me in the right direction. I will check out Suricata and Snort inline. I was not aware of such an inline mode (which sounds very promising) and the default configuration of snort in pfsense felt more like adding a clever sniffer on some interface. I will keep you updated - if someone has other ideas for this scenario, please let me know.

Cheers,
Mario

Let me get this right… You have bunch of isp devices connected to a "dumb" switch?  And now you have that connected to 1 wan interface on pfsense?  And you want to put a bunch of different networks on your 1 wan interface?

Get yourself a smart switch and setup vlans for your different ISP connections.. Then setup vlans on your pfsense wan interface..

Initial signs are that unselecting the sticky connections did the trick. Thanks! I'm still learning. I thought the sticky connections enabled the load balancing too… didn't realize it'd still work without it on.