Thanks a lot for replying.

I think I got it. The key word is 'internal interface': it means the LAN interface. So I have to edit the default LAN rule and set the gateway group instead of tge default gw. Yesyerday I've done that but something unexpected happened: all hosts on lan was unable to comunicate (ping each other). Some like that happens in case of loop in the switch. Monday I'll double check my configuration. My pfsense is installed on an alix (so physical, no virtual). All 3 nic are connected to the switcn amd I had no problem till I set the gateway group on the lan default rule. Any hint is wellcome.

@johnpoz: yeah can be done with just 1.. Not sure why you think it couldn't? Your using a reverse proxy from the outside into your dmz. I realised that is more easy to do this whith only one pfSense in HA clúster. Thankls for help.

For egas_tt only It was a design issue. Basically 2 interface DGs cannot be set to point at each other. 1 of the 2 need have no if-dg. Osfp helps avoiding to create default routes. Wonderful Pfsense ! :o 8) ::)

I have managed to get 8.5Mbps. :) :) :) the problem was on squid!!!!

i think i found the problem. my pfsense interface is displayed in french. i try to change the language to english to take screenshots and surprise, the gateway choice is back. so there is a bug with some foreign language interface.

I think he means the switches SVI is 10.1.10.1?? If your switch is L3 and doing the routing between your downstream vlsns, then it would need an interface with IP in each of these vlans.  This SVI becomes the gateway devices in these vlans. The network between pfsense and this downstream router now is just transit. A /24 is a huge transit - you do not have hosts on these network do you.  If so you going to have asymmetrical routing unless you create routes on each host. For pfsense to be an upstream router the interface that is the transit needs to allow for the downstream networks.  And if you changed the outbound nat rules from auto you will have to adjust those after you create your gateway and route(s) on pfsense telling it which networks are downstream.

It was idle OpenVPN connection from third machine from the LAN keeping tunnel and packets going!!

As an aside I would still be tempted to IPsec the traffic even though the wireless might be encrypted. You could use IPsec transport mode for that.

I just updated to latest 2.4 hoping to use the brand new IGMP proxy. But unlukly I'm facing the same problems. Same errors of m4rv1n. I read that in the past was possible to use IGMP proxy. Is there any chance to get it working again?

Anyone? If you don't understand my question, feel free to ask.

you may be also like it k-12 tool is a free online tool which provides help to college and school district technology directors, state leader who can view broadband services and bandwidth information for school. All IP Address ranges are technically routable. that a private network with an RFC 1918 IP range can reach the public internet without needing these private network routers to be published. You can use them with routing protocols like OSPF, BGP. https://babasupport.org/routers/tp-link-customer-service/778 provide you best solution for all technical issues that may be the router, software etc.

try: System -> Advanced -> Miscellaneous : [v] Enable default gateway switching  - check on works for me 2.2.5-RELEASE (i386) built on Wed Nov 04 15:50:18 CST 2015 FreeBSD 10.1-RELEASE-p24

@IB: 3. How I can check gateway state externally? In Zabbix agent or SNMP monitor I can check interfaces only, no gateway. Write own script (with ping, dpinger, etc) only? Or method for check pfsense gateway state exists? By log monitoring (see #2), or some command execution? In Zabbix you could try adding a trigger for something like {pfsense:net.if.out[igb1].last()}=0 using the Template OS FreeBSD > Network Interfaces to tell if there's been no outbound traffic on an interface for a period of time.  I think you need the Zabbix agent package installed for this to work, but not positive. I have something like this monitoring both WAN interfaces and it seems to do the trick. Bill

@jbcel: Hi burnsl, from what I have been told here it will not work if you have your public IPs inside your pfSense machine, at least the data will not leave WAN1 and come back over WAN2 but will use the internal route from WAN1 to WAN2 - so this is not suitable to make a speed test. If your public IPs are not inside pfSense you should set the gateway to WAN1 in a ftp rule for LAN to WAN2 IP . Jens Understood now. I just spun up a free AWS instance and put filezilla on it.  (so much easier)

don't do it on floating… policy routing should be done on the interface the traffic enters pfsense on..