Problems like this bring out the tenacity monster in me and in the spirit of completion I am posting the solution to my own question in case anyone else has this same issue. It turns out that the LTE Gateway I set up did not like using the same IP address for the gatewayIP and the monitorIP. This is despite the fact that that this type of arrangement works for my cable wan connection. Perhaps it's because the IP provided by the mobile connection is an unaddressable IP i.e. 10.X.X.X. In any case by changing the monitorIP on the LTE Gateway to the IP address of one of the DNS servers on the LTE interface the LTE gateway is now online and failover works nicely. Now I just have to get some aerials for my dongle so that I can get an LTE signal from inside my comms cupboard. WCDMA is definitely not cutting it! :) :)

What exactly is the point of a pfsense box with just public IPs on it and no lan?  If it only has 1 network attached how is it routing/firewalling anything?  What are you using it for? Btu sure connect them together with a transit network and route whatever clients you wont out the the other pfsense box with the public /24

How does the openvpn traffic get to pfsense?  That would be pfsense "wan" interface.. The interface pfsense uses to get to or from other networks would be a wan interface..

Hello everyone, thank you for your support! Now i try to explain better that situation. Yesterday i found, maybe, a good idea that causes this block. Yes, the explanations were not very clear, but the reason is that I do not know my network very well. Anyway, yesterday from various pc i launched the tracert command and, yes,  my diagram isn't correct! For example : from a LAN 10.160.3.1 the result is this : 1    1 ms    1 ms    1 ms  10.160.3.201 2    3 ms    2 ms    2 ms  10.10.0.10 3    4 ms    4 ms    4 ms  10.10.0.2 4    4 ms    4 ms    7 ms  10.10.0.1 5    4 ms    9 ms    3 ms  10.160.99.36 so there are many other passages before the packet get to the PFSENSE and above all it is no longer the network that I imagined at the last step… From this LAN pfsense doesn't work and the pc can't surf on internet. And i believe i have to work in pfsense for make it work, but I do not know how to do it. Instead, from this other LAN, 10.160.2.0, the tracert result is this : 1    4 ms    6 ms    1 ms  10.160.2.201 2    <1 ms    <1 ms    <1 ms  10.160.99.36 and PFSENSE works like a charm. and obviously from the network, 10.160.99.0, the tracert command shows that there is only one passage from my pc to PFSENSE, and yes it works. Summing up, when I try to connect at pfsense from the networks that pass on this way doesn't work. 10.160.3.201 or 10.160.4.201 or 10.160.5.201 =  there are the gateway of the LAN 10.10.0.10 10.10.0.2 10.10.0.1 10.160.99.36 = PFSENSE I hope i was clear. Thanks a lot!

sorted!!! i made a stupid mistake when i was making the vpn interface (so i can use it as a gateway for my specific vpn traffic) i ticked both boxes under "reserved networks" which blocks rfc1918 but i dont want to block them as the virtual vpn ip im assigned is 10.8.0.2 which is a rfc1918 address i put back protonvpn interface back in the "ALLInt" so i can easily manage the rules under one tab as its long winded otherwise also in firewall > rules > outbound i had to make it hybrid and copy the wan and make another one for the protonvpn address as it didnt work otherwise see pic of what i did https://s10.postimg.org/jk6oiio7t/rule.png thanks for all your help in this Derelict much appreciated!

Setup your to vlans on your interface your going to connect to on pfsense and tag them 403 and 404.. And sure pfsense can run bgp… Did you not buy support?  I would suggest you call pfsense for help if you do not understand how to setup a vlan.. How are you involved in this project exactly if you do not understand what a vlan is? https://www.netgate.com/support/contact-support.html You cold for sure run your vlans over a lagg or port channel.. Why did you not mention the vlans before? That makes more sense.. Maybe you should contract someone to set this up for you... I would suggest you contact pfsense support, or hire someone local to get you up and running.

Too answer my own question in case someone else has this problem: My VPN provider pushed the route for the default gateway. This was visible in the routes section. I used this article to change the VPN connection https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway This made my pfsense works as expected (including the Squid) Thanks

Guys !!!!! i got all the success. Nice to get the helpful response. Attached current updated diagram, how it looks like. i know now Pfsense is something i'm gonna keep for many years for now. it made me feel like flying, other petty issues which i used to have, are resolved too. altogether, now i've got more control over my complete network. i hope this remains stable. i removed the extra cable running through the Dlink WI-FI to the cisco switch was of no use. ps - i had faulty NIC which i had to replace caused me 7 days of inconvenience. ;-) works like a charm. thanks Derelict [image: new-home.PNG] [image: new-home.PNG_thumb]

snailkhan@ i'm opening new fresh post if you feel it's not exactly the same scenario..but i guess similar issue existed for me when i tried accessing webgui for Pfsense using my lab network it didn't work. anyways i hope it works. Thanks for all your help. see you there.

What were you doing at the time you had this probem?

So, I've a INTERFACE called DDOS-GUARD, and that interface has a static IP, provided by DDOSGUARD, and my WAN has an other public IP, so I want to redirect all the traffic from the DDOS-GUARD interface to my lan server 192.168.15.240, I tired to do that in System -> Routing -> Static Routes. But when I did that, my lan server 192.168.15.240 didn't have internet connection.

@Ryu945: Any ideas on what is the proper way for a one network with all the LAN ports on it? Yes, that's called a switch. Not a router. @Ryu945: I see plenty of guides on VLANs but nothing on basic LANs. That's what you ment … well, because your "basic LANs" aka a switch, is nothing you will want to do in software. There's one exception in the netgate line of pfSense hardware currently and that is the SG-3100. It has 3 interfaces, WAN, LAN and Opt1 with LAN being a managed switch internally. Otherwise all pfSense devices are routers only.

Run your own BIND servers inside the firewall. In other words off the firewall. Not the BIND package on the firewall itself. Having your resolver traffic sourced from the firewall itself only makes things 1000% harder. pfSense policy routing is applied when traffic enters the firewall. If cannot be applied to traffic originating on the firewall itself. You will have to - at a minimum - explicitly set the source address or interface for the specific paths so the correct interface is used. That will be a real trick with a dynamic address such as your vpn provider link. Maybe it is possible if you can use the name of an assigned interface as the source and not the address itself. With the DNS server on the inside you could set up several STATIC local addresses on it and source from those different addresses based on the path you want the queries to take. The you can simply policy route the resolver traffic on the pfSense interface however you like. If you really want to use the BIND package, put another pfSense on the inside for just that purpose.

That will all depend. I can't imagine you will see any line-of-sight issues but I have never knowingly pointed a point-to-point through power lines. Distance to the lines will probably be key there. 15 feet is pretty close. The frequency should be way down at 60Hz though. Put that end up and do whatever the engenius equivalent of ubnt's airview is. If the channels are clear you should be ok. But you'll probably have to try it and see. Then you'll have to look again when everyone's air conditioners are running on a hot, August afternoon. The fix, if you run into trouble, is probably a mast to get the radio above them.

That seems like a silly way to do it. Yes you can use a separate interface but it won't do you any good with a /32. Did they really give you another /30? If the latter you could do this: WAN  24.52.70.234/29 <–-> 24.52.70.233 Gateway WAN2 2 24.52.70.42/30 <---> 24.52.70.41 Gateway You would set them up like any other multi-wan. You would need an outside switch. Seems pretty stupid to do that since it only results in one additional address for you at the cost of four addresses plus a router interface on your side. If they just routed 24.52.70.40/30 to 24.52.70.234 you could use all four addresses as VIPs and not have to mess around with multi-wan.

Yes, routing is only possible if any packets of both direction has to pass the router. PC –---- router 1 ------ [router 2] –---- internet