At least use hybrid if you need something special. Only place manual really makes sense is HA. And even then it's easier to leave it on auto until all the interfaces are defined then switch to manual.

Like I said, it's just hypothetical, trying to understand some things. I usually build networks with only 1 router, and let the physical devices like switches, ap's and such be in a backbone network (vlan1) while the devices and clients are on other vlans. But what if I want to offload a modest router that is being used for some high throughput backups for example, by adding a second router just for that purpose. I guess transfer network would be a solution, yes. Will consider that in my scenario. Thanks!

Ok found my solution, Go at the bottom and click on the advance options There add the following SourceIP=X.X.X.X AND THEN SAVE The X.X.X.X should be the ip address of the gateway via which you want the traffic to go out of Hope this helps someone. Rajbps

You might ask them to put that list on their webserver it a plain-text format. That way you could just periodically update a URL type alias from their site. Absent that, yes, you will probably need to keep the alias updated yourself.

That sounds completely convoluted but you don't control NAT sourced from a specific network on rules on that network. You control them with Outbound NAT. The easiest way is to probably enable Hybrid mode then make a NO NAT rule for the public source addresses on that WAN address. There is no such thing as 'classic Multinet.' Putting tewo layer 3 networks on one layer 2 is something that should only be used to do something like transition to new addressing. It should not be used as a permanent solution to anything.

ok i found the AS numbers for xfinity live tv AS7922

No man, not that Alias! That sets only an alias name for one or multiple IPs, but doesn't assign the IP to the interface. Go to Firewall > Virtual IPs.Here you can add virtual IPs to interfaces. Select type "IP Alias", select the WAN interface and enter one of your additional public IPs and the mask and save it. Add the second one in the same way.

Hi Chris, I was under the assumption that routing it all through my management network would work. But I must have introduces something assymetric there I think. I followed your advices and created a seperate vlan on my PFSense for transit. Configured it on my switch with vlan interface IP. I then created the gateway on pfsense and was able to route the network I created as a test. Next step is reconfiguring all servers with their new default gateway. Thanks you so much. very happy.

Just for clarity, rules that match the OpenVPN tab do not get reply-to at all so the replies are routed according to the routing table. That usually means they go out the default gateway. Rules matching the assigned interface tab (which means they weren't matched by the OpenVPN tab or processing would have stopped there) get reply-to on the states. Glad it's working.

You either need to get a routed subnet, use 1:1 NAT, or bridge the interfaces. In order of most- to least-preferable.

So where are you rules on your lan?  And sorry but pfsense would have to have routes showing that it needs to go down the vpn to get to those remote sites or lan2 would never be able to get there. My guess is your forcing your lan out your wan gateway via rule on lan interface.

You did not say you performed the step of actually assigning the VLAN interfaces to the pfSense interfaces in Interfaces > Assignments.

Yes, this is possible.

This ticket will be close. Failover is working, I tested his work used ping, but it will close on my firewall :))

I was keeping an eye out for that yesterday but 1.2.4 wasn't in ports the last time I looked. Now that it's there we'll get that updated. FRR is definitely the way to go, though. It's based on quagga so the transition should be smooth if you decide to switch.