• 2 separate openvpn connections with no dns leaking?

    1
    0 Votes
    1 Posts
    289 Views
    No one has replied
  • Dual lan, bridging and filtering (plus fiber modem / router bypass)

    3
    0 Votes
    3 Posts
    717 Views

    @ytn:

    Anyone have any ideas / suggestions?

    I am primarily trying to find a solution for the fiber modem bypass / bridging.

    Should I post this question in a different area?

    Thanks.

    I'm looking for the same solution but no one seems to have this worked out perfectly yet on pfSense that I can find.

  • Multi-wan and cradlepoint issue

    3
    0 Votes
    3 Posts
    366 Views
    chpalmer

    My Cradlepoint goes offline regularly after not using it for a few hours.

  • Voip Telephones don't get connection

    1
    0 Votes
    1 Posts
    242 Views
    No one has replied
  • Multi Wan and wrong default gateway

    7
    0 Votes
    7 Posts
    2k Views

    Hello, in my case I was able to solve it like this:
    I noticed that I did not need the VPN gateway, so I enabled gateway monitoring and also enabled it to always be off. So the VPN gateway in my case, up to the present moment, was not identified as the default gateway.

  • Source routing to 2 gateways on same subnets

    13
    0 Votes
    13 Posts
    7k Views

    So, check the "non-local gateway" option in Routing > Gateways for each gateway, because you have multiple WANs routed from one ISP. pfSense makes no sense of gateway routing from one ISP. Make sure to separate each gateway route. Sorry for my bad English.

  • Routing in a pfSense

    1
    0 Votes
    1 Posts
    468 Views
    No one has replied
  • One WAN as Default gateway while using 3 WANs as load balancing

    5
    0 Votes
    5 Posts
    863 Views

    Do note that traffic originating from the pfSense system itself will always use the default gateway. It's not possible to redirect locally originating traffic to a specific WAN connection or to a gateway group in pfSense/FreeBSD.

  • NON-transparent squid + multiwan failover

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • 3 WAN with load balancing n failover

    4
    0 Votes
    4 Posts
    1k Views

    Hi,

    Yes, I have kept the weight settings as default. It was required if I do a load balance between WAN B (~9 Mbps) and WAN C (~5 Mbps).
    Regards,
    Ashima

  • 2 LANSs - need mutual exclusivity

    4
    0 Votes
    4 Posts
    427 Views
    Derelict

    Ugh.

    On LAN1 reject destination LAN2 network then pass what you want below it.
    On LAN1 reject destination LAN1 network then pass what you want below it.

    Do not attempt to block traffic with pass rules. Explicitly block the traffic you want blocked with block/reject rules.

    That said, your design is hosed.

    If you want 10.0.20.0/24 and 10.1.20.0/24 to be firewalled, they need to be separate firewall interfaces. You are probably going to need a managed switch and the ability to tag multiple VLANs to vmware to accomplish what you want.

    2 LANSs - need mutual exclusivity

    You do not have two LANs. You have one LAN. Your hosts are out on the "WAN" as far as pfSense is concerned.

  • How can i do a Transfer Net

    3
    0 Votes
    3 Posts
    418 Views

    Thank you very much! Now it's working perfectly.

    Many greets

  • Multi wan - mailserver on dmz - lan users can't access mail server

    2
    0 Votes
    2 Posts
    309 Views
    jahonix

    Your users are probably not accessing the mail server by its IP but via its hostname, right? (like mail.example.com)
    Have a look at split-DNS locally then.

  • Need to setup BGP to peer and announce IPs and route them - help!

    13
    0 Votes
    13 Posts
    5k Views
    dotdash

    You set up the peering with the provider(s). They will send you routes based on their configuration. You should talk to your provider. If you aren't multi-homed, you can just get a default route from them.

  • Half working routing

    5
    1 Votes
    5 Posts
    944 Views

    Added a rule to allow all AWS to Remote... now traffic works, but now the issue has flipped... adding a rule to the Remote site has no impact/effect for traffic going the other way.

    AWS to Remote now works... before it didn't.

    Remote to AWS now FAILS... before it worked.

    All I added was a rule on the AWS side for each remote site. Example: Allow all traffic source 172.31.0.0/16 destination 10.0.96.0/19

    I am confused. I tried adding a static route on the Remote site (using the same example as above), but it won't take the OpenVPN IP as a gateway (192.168.0.40.1), and using 10.0.96.1 does nothing.

    Not sure if pushing a route via the OpenVPN connection would solve this.

  • 0 Votes
    3 Posts
    405 Views
    Derelict

    Do it right.

    Tell your ISP to give you a small WAN interface subnet for your WAN interface, say a /29 or /30, and to route the /28 to that instead of putting so many addresses on the interface.

    Then you can do what you want how it should be done without this hacky bridging.

  • PfSense with Catalyst Switch -> VLANs

    12
    0 Votes
    12 Posts
    2k Views
    johnpoz

    Ah ok.. Then you're good.. there should be no untagged traffic hitting that port the way you have it set up.. Just know that if any untagged traffic does get onto that port from pfSense it would go to your default VLAN on the switch.

    To follow through with good practice you should limit your trunk port to those specific VLAN IDs: 10, 11, 20 and 50.

    Trunk ports will always allow untagged traffic, and if you do not call out what VLAN untagged traffic should be assigned to with the native vlan command, then untagged traffic will go to whatever the default VLAN is on the switch.

    I just run a native VLAN on my interface, and then run VLANs on top of that.  But your way is also very common.  I do believe Derelict is a fan of only tagged traffic and not using any untagged traffic.

    Glad you got it all sorted.. In the Cisco world, if you're not going to run a native or untagged VLAN on the interface, then you would normally use general for the port, assign the tagged VLANs and set up the port to only accept tagged traffic, etc.  Any untagged traffic would go to a garbage VLAN ID.  Lots of different ways to skin the cat ;)

    Also, a bit of a side note on just using trunk vs limiting the VLANs on the trunk port.  Any other VLANs you might be running on the switch: broadcast traffic could go down that port.  It won't go anywhere, since pfSense doesn't have any VLANs set up for other IDs.  But broadcast traffic would be sent down that trunk port since you have set it for ALL VLANs with just the trunk command.  Blanket trunk commands like that are normally frowned upon.  You normally limit the trunk to the specific VLANs that are OK to travel on that port.

  • Multiple Gateways on a single WAN?

    8
    0 Votes
    8 Posts
    2k Views

    Thanks for the help guys

    Is this the routing table you need?  Or do I need to type something at the command line?

    Destination       Gateway        Flags   Use      Mtu    Netif
    default           192.168.0.7    UGS     909      1500   igb0
    8.8.8.8           192.168.0.7    UGHS    267666   1500   igb0
    127.0.0.1         link#6         UH      391288   16384  lo0
    192.168.0.0/24    link#1         U       8182     1500   igb0
    192.168.0.8       link#1         UHS     0        16384  lo0
    192.168.2.0/24    link#2         U       3033066  1500   igb1
    192.168.2.1       link#2         UHS     0        16384  lo0
    199.193.201.12    192.168.0.7    UGHS    175810   1500   igb0
    208.67.220.220    192.168.0.5    UGHS    413247   1500   igb0
  • Communication between machines on 2 different subnets

    11
    0 Votes
    11 Posts
    4k Views
    johnpoz

    "MICHAELMAINPC uses 8.8.8.8 as Primary DNS. The secondary will be only requested if the primary is not reachable,"

    I want to clarify this with some more info, since it comes up ALL THE TIME!!!  It is NEVER a good idea to set different NS on a client.  You can set multiple DNS servers, sure.. But they all need to be able to resolve the same info.. So if you're going to use public, fine, use public..  Google and OpenDNS for example... But you should never set a public and a local DNS.. Since public is not going to be able to resolve your local stuff.

    If you want failover and redundancy then point to multiple local DNS servers that can all resolve your local stuff, and let them forward or resolve for all public stuff.

    You really can never be sure when a client will query the NS listed..  And as mentioned, if you ask Google for say www.somelocaldomain.tld it's going to send back NX.. The client will cache that that domain is not valid; it's not going to ask any other NS it has listed for that.. Until such time that the negative cache expires, etc.

    You will only be asking for problems trying to use different NS that can not resolve the same stuff.. Point your local clients to local DNS, let the local DNS go find the public info..

  • Out of subnet routing… (Failover IP setup)

    3
    0 Votes
    3 Posts
    645 Views

    You can manually add your gateway for the interface, then edit the gateway and, under advanced settings, check "use non-local gateway" (pfSense 2.4.2).

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.