sorted!!! i made a stupid mistake when i was making the vpn interface (so i can use it as a gateway for my specific vpn traffic) i ticked both boxes under "reserved networks" which blocks rfc1918 but i dont want to block them as the virtual vpn ip im assigned is 10.8.0.2 which is a rfc1918 address i put back protonvpn interface back in the "ALLInt" so i can easily manage the rules under one tab as its long winded otherwise also in firewall > rules > outbound i had to make it hybrid and copy the wan and make another one for the protonvpn address as it didnt work otherwise see pic of what i did https://s10.postimg.org/jk6oiio7t/rule.png thanks for all your help in this Derelict much appreciated!

Setup your to vlans on your interface your going to connect to on pfsense and tag them 403 and 404.. And sure pfsense can run bgp… Did you not buy support?  I would suggest you call pfsense for help if you do not understand how to setup a vlan.. How are you involved in this project exactly if you do not understand what a vlan is? https://www.netgate.com/support/contact-support.html You cold for sure run your vlans over a lagg or port channel.. Why did you not mention the vlans before? That makes more sense.. Maybe you should contract someone to set this up for you... I would suggest you contact pfsense support, or hire someone local to get you up and running.

Too answer my own question in case someone else has this problem: My VPN provider pushed the route for the default gateway. This was visible in the routes section. I used this article to change the VPN connection https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway This made my pfsense works as expected (including the Squid) Thanks

Guys !!!!! i got all the success. Nice to get the helpful response. Attached current updated diagram, how it looks like. i know now Pfsense is something i'm gonna keep for many years for now. it made me feel like flying, other petty issues which i used to have, are resolved too. altogether, now i've got more control over my complete network. i hope this remains stable. i removed the extra cable running through the Dlink WI-FI to the cisco switch was of no use. ps - i had faulty NIC which i had to replace caused me 7 days of inconvenience. ;-) works like a charm. thanks Derelict [image: new-home.PNG] [image: new-home.PNG_thumb]

snailkhan@ i'm opening new fresh post if you feel it's not exactly the same scenario..but i guess similar issue existed for me when i tried accessing webgui for Pfsense using my lab network it didn't work. anyways i hope it works. Thanks for all your help. see you there.

What were you doing at the time you had this probem?

So, I've a INTERFACE called DDOS-GUARD, and that interface has a static IP, provided by DDOSGUARD, and my WAN has an other public IP, so I want to redirect all the traffic from the DDOS-GUARD interface to my lan server 192.168.15.240, I tired to do that in System -> Routing -> Static Routes. But when I did that, my lan server 192.168.15.240 didn't have internet connection.

@Ryu945: Any ideas on what is the proper way for a one network with all the LAN ports on it? Yes, that's called a switch. Not a router. @Ryu945: I see plenty of guides on VLANs but nothing on basic LANs. That's what you ment … well, because your "basic LANs" aka a switch, is nothing you will want to do in software. There's one exception in the netgate line of pfSense hardware currently and that is the SG-3100. It has 3 interfaces, WAN, LAN and Opt1 with LAN being a managed switch internally. Otherwise all pfSense devices are routers only.

Run your own BIND servers inside the firewall. In other words off the firewall. Not the BIND package on the firewall itself. Having your resolver traffic sourced from the firewall itself only makes things 1000% harder. pfSense policy routing is applied when traffic enters the firewall. If cannot be applied to traffic originating on the firewall itself. You will have to - at a minimum - explicitly set the source address or interface for the specific paths so the correct interface is used. That will be a real trick with a dynamic address such as your vpn provider link. Maybe it is possible if you can use the name of an assigned interface as the source and not the address itself. With the DNS server on the inside you could set up several STATIC local addresses on it and source from those different addresses based on the path you want the queries to take. The you can simply policy route the resolver traffic on the pfSense interface however you like. If you really want to use the BIND package, put another pfSense on the inside for just that purpose.

That will all depend. I can't imagine you will see any line-of-sight issues but I have never knowingly pointed a point-to-point through power lines. Distance to the lines will probably be key there. 15 feet is pretty close. The frequency should be way down at 60Hz though. Put that end up and do whatever the engenius equivalent of ubnt's airview is. If the channels are clear you should be ok. But you'll probably have to try it and see. Then you'll have to look again when everyone's air conditioners are running on a hot, August afternoon. The fix, if you run into trouble, is probably a mast to get the radio above them.

That seems like a silly way to do it. Yes you can use a separate interface but it won't do you any good with a /32. Did they really give you another /30? If the latter you could do this: WAN  24.52.70.234/29 <–-> 24.52.70.233 Gateway WAN2 2 24.52.70.42/30 <---> 24.52.70.41 Gateway You would set them up like any other multi-wan. You would need an outside switch. Seems pretty stupid to do that since it only results in one additional address for you at the cost of four addresses plus a router interface on your side. If they just routed 24.52.70.40/30 to 24.52.70.234 you could use all four addresses as VIPs and not have to mess around with multi-wan.

Yes, routing is only possible if any packets of both direction has to pass the router. PC –---- router 1 ------ [router 2] –---- internet

@GoldFish: @kcallis: I noticed that my WAN interface was still showing the 172.16.0.0/24 network as opposed the public address. I would look at the rules. Personally not a big fan of double nat Thank for suggesting to look at my rules. Of course, the issue wasn't my rules, but the search mode of looking for everything caused me to look for other things that were out of whack. I was looking at the Dashboard and noticed that I was seeing on top of the normal DNS servers, I was also seeing 127.0.0.1 (localhost). I took at look at System/General Setup and realized that I had not checked the Disable DNS Forwarder. One check of a box, and lo and behold packets were resolving and running out into the wild frontier of the internet. Another nice thing was that finally I was able to get the IP Passthrough working and now my WAN interface now shows the public IP address. Life is groovy!

There is an alternative way. First, you need build a custom kernel to enable multiple routing table. http://wiki.stocksy.co.uk/wiki/Multiple_default_routes_in_FreeBSD_without_BGP_or_similar Then use DNS forwarder (dnsmasq), which provide a nice feature called ipset. It will add the resolved IPs from matching hostname to a pf table. You also need to manually edit /etc/inc/filter.inc, to add a custom pf rule, which force IPs listed in a pf table go through a route other than the default WAN.

Why is it people buy great router/firewall device and then when it comes to wifi they just buy utter home luser crap? Buy wifi that can do vlans - then come back and ask how to use it if you need too ;)

Answer to self I did get it to work, by creating firewall rules in between the interfaces in the bridge (allow all any). But according to the pfsense docs: A bridged interface can filter traffic without being involved in the IP layer of the connection. By creating a FW rule, I opinion is that the IP Layer is involved somehow?