Thanks for the info and all the help. Cheers. 8)

That would be great. Might see if I can spin up a test setup & see what happens.

Thank you!  :D

Your help will always be appreciated here, at least by me anyway!

I'm happy to share anytime! I'm one of the odd-balls that is doing everything with actual hardware and NO Virtualization…

I hear ya; learning new information all the time! However this is all new to me and this community has been absolutely crucial!

I'm the type of person that simply loves to learn something new anytime or even all the time!  :D

Good luck to you as well in your endeavors!

Should this be listed as a bug, or is this an intended feature?  If UDP maintains state longer than the default timeout, it seems like a bug.

what a bumber…... imported 2006 networks, have discovered i need to add a new one but there is a gui bug.

Have tried to add via Edge and Firefox on Windows and Linux, but experience the following;

page load time is long when adding the network, is takes a while to respond and firefox gives "a webserver is slowing down your browser" page refreshes and the new network is not added

The work around was to add the new address to the import list in excel, and create a new alias from scratch.

When I changed the oubound nat rule from using the WLWAN to the WAN interface, it started working.

That is because that is how it works. No mystery here. Outbound NAT on the WLWAN interface NATs traffic going out WLWAN, not WAN.

Outbound NAT does zero to affect what traffic is routed where. It only defines what translations take place when traffic flows out that interface.

moved to https://forum.pfsense.org/index.php?topic=139588.0

The rule should be active on both, so you can also access FW1 while FW2 is master. However, since you will have activated NAT rule sync in System > High Availability Sync you only need to set it on FW1 and must set up a rule, which can work on both.

Assuming you want to access your firewall by their LAN IPs:
First add an alias for both LAN IPs, the master and backup. Firewall > Aliases > IP. Call it e.g. FW1_2_LAN.
Go to Firewall > NAT > Outbound. If the Outbound NAT Mode is set to Automatic check "Hybrid Outbound NAT rule generation" and hit Save below.
Then add a new rule:
Interface: LAN
Protocol: TCP
Source: <vpn tunnel="" subnet="">Destination: "Network" and enter "FW1_2_LAN" (the alias you've added first)
Translation Address: Interface address
Save the rule.

Now source addresses of outgoing packets leaving the masters LAN interface destined for the backups LAN are translated to the masters LAN address, so the backup sends its responses back to the master and they are directed back to the VPN client. This also works reverse on the other firewall while it's the master and the vpn client is connected to it.</vpn>

@johnpoz:

"MultiWAN with Gateway Groups , Tier 1 WAN 1  and Tier 2 WAN 2"
"When I do a traceroute from a windows computer from LAN to DMZ the packets go outside the WAN .. "

Well yeah.. If your forcing traffic out a gateway how would it get to your other local network "dmz"

Just create a rule above the rule that is forcing your lan out the gateway to allow the access you want into the dmz.

Thanks for the tip! Now it works with a new rule to allow traffic from LAN to DMZ, without forcing dual wan gateway, on top of default rule to internet.

BR,
Adrian

Pfsense 2 vcore…
A small share,  2vcore...
plex - 4vcores

It can take it.  Its fast.  Assuming its just 1 or 2 people on the plex at a time.

You bought a fast machine.

So lets repeat, since clearly your not grasping this

"IPv4 *  OPT1 net  *  WAN net  *  *  none            "

No that is NOT correct.. wan net is just that!  The wan net.. That would explain why it works via proxy..  Wan net is not the internet… Its just the network your wan is on..  Create an ANY ANY rule on opt1, just like your lan.. but use opt1 net as source network.

Lets say your wan is 1.2.3.4/24… Wan net is means you could only talk to devices with IP 1.2.3.1-254...  That is the WAN net, this is NOT the interent...  The internet is ANY!!!  Since pretty much the internet could be ANY public IP address..

You have no rule listed that would allow you to say googledns 8.8.8.8 or say forums.pfsense.org forum.pfsense.org [208.123.73.18]

Your internet is only working via proxy because pfsense itself can get to the internet, and with proxy your just asking pfsense - hey go to this place for me..  If you want to get there direct than you have to allow that on the firewall.

How hard its it put up a screenshot?  From those can not tell if those are blocked or allowed..

You can see here I allow ping to wlan guest address, ipv4 and ipv6
I allow access to my ntp servers that are on different vlans ipv4 and ipv6
I allow the guest to go to public DNS, I hand out google in the dhcp server for this guest wifi network.  Via rule that is allow for anything NOT rfc1918(see alias created)
I then block (reject actually with logging) any other access to any other firewall IP, be it lan, wan, or any other vlan IP.
I then allow guests to go anywhere else as long as not rfc1918, or my local IPv6 networks.

Where in you rules top down, first rule to trigger wins - no other rules allowed would your clients be able to go to any IP on the internet..  This is why the rules out of the box on pfsense are ANY ANY on the lan…

examplerules.png
examplerules.png_thumb

They're using weird lingo.

I have a subnet of IPs routed to me as well.

Have many ports do you have on your pfSense box?

Also, I don't think anything is coming in over L2TP.

Port were used enough, provide VPN. IP check before.