Sorry for delayed response. Was travelling for work. So today I was able to tinker with my set up a little more and was able to figure it out with your help. I was missing the PVID setting on my switch. I had to: 1. Configure the VLANs on both the router ans switch 2. Assign specific switch interfaces as members to my VLANs 3. Set the PVID for the ports I tagged Once I did that, I was able to plug my laptop into ports 1-12 and get assigned an ip of 10.11.12.x 13-18 an ip of 10.11.13.x 19-24 an ip of 10.11.14.x Now onto the rest. Thanks for the great info @Derelict! :D

What you are trying to do has nothing to do with the firewall as such. You will want to implement split dns for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.

Hi Heper, Thank you for help Now all connection online again Root Cause: Wrongly configure modem Solution: change modem [image: 1.png] [image: 1.png_thumb]

So your saying have a route but when you do a traceroute from the client its not taking that route.. Ping doesn't test that a route was followed or not.

Ok, I think this is what happened: Since the last failover, there was 8.8.8.8 state left active. And probably it was being used so frequently that it stayed active days after Failback. For me, it looked like new 8.8.8.8 queries were routed to the passive node, but actually, PFSense respected active state and routed new queries to WAN2. After deleting the remaining state manually, no more "weird" 8.8.8.8 traffic to WAN2. Axel.

According to my searches, PFSense only uses Round Robin. So the use case of load level based LB is not an option. Maybe there is a service for that(?) And for the second question: those failover groups are absolutely unnecessary if you only plan to use Load balancing. I think that quite a many PFSense has those unnecessary configurations just because they are mentioned everywhere just for an example of three kinds of setup. It's a bit shame that PFSense has nothing but round robin. Axel.

@wederer: Hello, please take a look at my setup in the attachement. Our DSL line is veeery unstable. That is why we have bought a LTE router which serves as a backup. Right now we still have to manually unplug the DSL router and plug in the LTE router which can cause quite a lot of downtime. In addition to that we use VOIP which is not integrated into our router, but managed by another hardware. This often results in a bad voice quality as the VOIP traffic is not being prioritized. So question 1: Is is possible to use the dsl router as the main router and the lte router as the backup and have this setup managed by pfSense? Can port forwarding, VPN and so on be managed by the pfSense or does it have to be configured in the dsl/lte router? Question 2: Is QoS management possible via the pfSense? Or do the other two routers "block" this feature? Any help is greatly appreciated! Answer on question 1: Yes you can do that. But my question is which one is more stable internet, the DSL or LTE? if LTE is more stable connection, you can setup route based policy to route all voice traffic to LTE then the rest of network will be going to DSL. This is a very common setup for multi-wan. I also have similar setup where I have 3 ISP, one dedicated for guest and NAS and one is used by Voip and the rest of them is for data. Answer question 2: you don't need QoS if you can setup like I mentioned on question 1 properly. The only QoS will be needed if you are using same internet for voice and data.

Sorry, the 192.168.1.0/24 subnet now passes traffic after I added the static route, but is not resolving DNS. So, if you're a client on 192.168.1.0/24, no DNS resolution. I tried putting PF Sense as the DNS IP (10.10.1.1) and also directly to the DNS provider and no luck. I'm still experimenting with this so I'll get back to you before I ask it again. I made a rule to tag DNS pass traffic on that interface to see if it's getting to PF via log checking. Will post when I see what's up.

In a nutshell a default gateway is the gateway used to try when there is no more specific route to get there.  But with GruensFroeschli here a bit of rephrasing or some more context would be needed to help you answer your question.

Generally, you set the lan outbound rule to use a failover group, but the firewall itself does not. This is usually not a problem, but there is a setting under advanced, misc. to allow gateway switching.

Thanks I have got it working now. One of my colleagues set the VLAN id to 2 without telling me so I had to make sure everything matched up - added some static routes and it's working now. Cheers.

Thank you for the response. I'll move forward with that solution. I'm sure I'll learn something in the process. Cheers.

That's what I was afraid of. I guess I was just hoping there would be some way to "trick" it, like with a virtual IP, or something.  :-\ In that case, let me share one of the reasons for trying to do this: Currently, there are dozens of NAT rules and associated Firewall rules on the 'WAN' interface to allow the general public access to web-facing servers and applications. Users on this VLAN should also have access to the same web-facing servers and applications, but not other servers on the production VLAN (such as database servers, backup servers, etc.).  Anyway to accomplish this without manually duplicating each rule from the 'WAN' interface to the 'VLAN' interface's firewall rule tab? Thanks!

Go to Firewall rules under initiating interface. Then put in add a firewall rule with following: Interface: current interface that has, let's call it LAN1 Protocol: TCP Source: any, or you could specify LAN1 addresses, or LAN1 network Destination: any IP address, going to HTTP, port 80 to HTTP, port 80 Here's the trick now, go to Extra Options by clicking it. Some new info will pop down Then go to Gateway and choose WAN2 for the pull down. This is called policy routing. It's routing by rule, vs. routing by routes. This is not normally newbie recommended because you can really mess things up, but as long as you know what you're getting into, and how to undo it you should be ok. You'll have to do this for 443 (SSL). No put those two high up in the list of rules. Next, do one more rule near bottom and do the same thing but do any, any, and on extra options choose wan1 as the gateway. I hope I explained that right, and please others jump in if I'm telling him something completely wrong. I've used this in that past to route to different VPNs from certain devices. thanks

Found this had already been answered in "floating rules to switch gateway" here: https://forum.pfsense.org/index.php?topic=139752.0

Hi, i am facing the same issue. May I know is the NAT configuration giving me issue? [image: GW.PNG] [image: GW.PNG_thumb]

I think this is normally defined under Firewall-NAT-Outbound rules.  You can edit the "Auto-created" rules to do what you want as well.  (Assuming you have already created your 192.168 networks and assigned them under Interfaces)