Answer to self I did get it to work, by creating firewall rules in between the interfaces in the bridge (allow all any). But according to the pfsense docs: A bridged interface can filter traffic without being involved in the IP layer of the connection. By creating a FW rule, I opinion is that the IP Layer is involved somehow?

That's exactly what those graphs represent. Trex generating approximately 350K states though 4- and 8- interface load balance configurations. Works fine.

Is there like any reason why you can't do this with just one firewall/router? What you now have is an asymmetric setup (assuming you had those correct routes set up at the draytek) where every host in between the draytek and pfSense will be talking to the hosts behind pfSense using different routes. For example PC1 when it wants to talk to VLAN20 will first go trough the draytek because it's the default gateway but the repiles to that traffic will never reach the draytek because pfSense knows to send those replies back directly to PC1. The proper way for this if you still want to have multiple routers is to use a transfer net between the draytek and pfSense with no hosts on that network.

dont worry about this now as im not going to do it this way no more the reason is because i would need to spend £££££ on a NAS to get a top dog one to install plex on so it can do the transcoding to 1080p

Sorry also I get free usage from the satellite provider from 00:00 till 06:00 am. Would it be possible to get all the traffic to go through the satellite WAN 1 interface during those times or between 01:00 am till 05:00 am. Cheers, Rajbps

I'm using the forwarder and have mine set up this way (I also have IPv6 set up) and was having the same problem until I added the last 2 entries. Under System/General Setup on the DNS server settings I have 6 entries. 2001:4860:4860::8888  WAN_DHCP6  (google IPv6) 2001:4860:4860::8844  WAN_DHCP6  (google IPv6) 208.67.222.222  WAN1_DHCP  (openDNS) 208.67.220.220  WAN1_DHCP  (openDNS) 8.8.8.8    WAN2_DHCP  (Google) 8.8.4.4    WAN2_DHCP  (Google) If I failover to WAN2 it will use those two google DNS servers, if I am running normally, it uses openDNS. Note, I don't know if I can have duplicate DNS server IPs with different interfaces. I've never tried.

Well, I got the last bit I wanted to work - I can now get into my 172.16.1.0/24 network :) How? I found this blog post: https://networkguy.de/?p=409 I based a static route on my Netgear router (Attach 1) on his 2nd picture with the "route -p" command listed at the bottom of the picture, mapping his numbers to approximately what I have in place on my network. Basically: I made a static route to the destination network (172.16.1.0/24), through the WAN IP of that pfSense router (192.168.1.101). The asymmetric routing is still there, but only in specific connections: The pfSense router (172.16.1.1) Ping Redirects the router and any computers in 10.0.0.0/24, but pings the entire 192.168.1.0/24 normally. VMs behind that router ping everything normally, including the 10.0.0.0/24. My iMac (192.168.1.5) has a Redirect Host to both subnets (10.0.0.0/24 and 172.16.1.0/24) My other pfSense router (10.0.0.1) Ping Redirects anything in 172.16.1.0/24 network. It also Ping Redirects any computers in 192.168.1.0/24, BUT it pings the router (192.168.1.1) normally. Any machines behind this router ping both of the other networks (172.16.1.0/24 and 192.168.1.0/24) normally. Again, my current router has no option for an additional interface (off the shelf model), but even with redirects, I managed to get everything to communicate, so that's definitely something to be happy about - just in time for class to start tomorrow night as well, so I'll be able to do plenty of network testing. Any thoughts about the weird redirects couldn't hurt - how can your router/gateway ping redirect to an entire network (first example), but all the machines behind it can ping that same network normally? Weird. Anyway, hope this can help someone, and thanks to everyone who helped me along to finally getting my stuff working (if not 100% cleanly.) -Bryan  

No it doesn't. Of course we can play in the game "provide more details" for example fro #1, here: https://forum.pfsense.org/index.php?topic=142162.0

You have also created an asymmetric routing scenario. https://forum.pfsense.org/index.php?topic=142090.msg775011#msg775011

MTNLfiberconnectionGW  Tier 1 CABLENET_PPPOE Tier 2 DVOISINTERNETGW Tier 3

No you do not need it.. Why do you need it?  If your going to put pfsense on that network, and the clients use a different gateway to get to get to other networks then that network becomes a transit.. Hosts on transit networks that need to use multiple gateways to get to other networks need to have host routing.. To tell them which gateway to use, if not then you end up with asymmetrical routing.. Why can pfsense not use the new transit network you create from the isa router to pfsense to get to the 192.168.100 network. If you want to run it the way your running it then you will have to create routes on every host in the 192.168.100 telling them which gateway to use - or you have asymmetrical mess.

Yes, you should be able to do that. You have to be connected to an address on the same VLAN. You can add a VLAN to a physical interface you are connected to on another VLAN.

Its confirmed its not working correctly. Recommendation is to use FRR instead of OpengBGP package. Now how to configure FRR? Its a bit intimidating…

It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec. It's a big might. It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec. That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.

:D why do i complicating things, you're perfectly right. It's now working. \o/ Thank you very much. Kevin