@GoldFish: @kcallis: I noticed that my WAN interface was still showing the 172.16.0.0/24 network as opposed the public address. I would look at the rules. Personally not a big fan of double nat Thank for suggesting to look at my rules. Of course, the issue wasn't my rules, but the search mode of looking for everything caused me to look for other things that were out of whack. I was looking at the Dashboard and noticed that I was seeing on top of the normal DNS servers, I was also seeing 127.0.0.1 (localhost). I took at look at System/General Setup and realized that I had not checked the Disable DNS Forwarder. One check of a box, and lo and behold packets were resolving and running out into the wild frontier of the internet. Another nice thing was that finally I was able to get the IP Passthrough working and now my WAN interface now shows the public IP address. Life is groovy!

There is an alternative way. First, you need build a custom kernel to enable multiple routing table. http://wiki.stocksy.co.uk/wiki/Multiple_default_routes_in_FreeBSD_without_BGP_or_similar Then use DNS forwarder (dnsmasq), which provide a nice feature called ipset. It will add the resolved IPs from matching hostname to a pf table. You also need to manually edit /etc/inc/filter.inc, to add a custom pf rule, which force IPs listed in a pf table go through a route other than the default WAN.

Why is it people buy great router/firewall device and then when it comes to wifi they just buy utter home luser crap? Buy wifi that can do vlans - then come back and ask how to use it if you need too ;)

Answer to self I did get it to work, by creating firewall rules in between the interfaces in the bridge (allow all any). But according to the pfsense docs: A bridged interface can filter traffic without being involved in the IP layer of the connection. By creating a FW rule, I opinion is that the IP Layer is involved somehow?

That's exactly what those graphs represent. Trex generating approximately 350K states though 4- and 8- interface load balance configurations. Works fine.

Is there like any reason why you can't do this with just one firewall/router? What you now have is an asymmetric setup (assuming you had those correct routes set up at the draytek) where every host in between the draytek and pfSense will be talking to the hosts behind pfSense using different routes. For example PC1 when it wants to talk to VLAN20 will first go trough the draytek because it's the default gateway but the repiles to that traffic will never reach the draytek because pfSense knows to send those replies back directly to PC1. The proper way for this if you still want to have multiple routers is to use a transfer net between the draytek and pfSense with no hosts on that network.

dont worry about this now as im not going to do it this way no more the reason is because i would need to spend £££££ on a NAS to get a top dog one to install plex on so it can do the transcoding to 1080p

Sorry also I get free usage from the satellite provider from 00:00 till 06:00 am. Would it be possible to get all the traffic to go through the satellite WAN 1 interface during those times or between 01:00 am till 05:00 am. Cheers, Rajbps

I'm using the forwarder and have mine set up this way (I also have IPv6 set up) and was having the same problem until I added the last 2 entries. Under System/General Setup on the DNS server settings I have 6 entries. 2001:4860:4860::8888  WAN_DHCP6  (google IPv6) 2001:4860:4860::8844  WAN_DHCP6  (google IPv6) 208.67.222.222  WAN1_DHCP  (openDNS) 208.67.220.220  WAN1_DHCP  (openDNS) 8.8.8.8    WAN2_DHCP  (Google) 8.8.4.4    WAN2_DHCP  (Google) If I failover to WAN2 it will use those two google DNS servers, if I am running normally, it uses openDNS. Note, I don't know if I can have duplicate DNS server IPs with different interfaces. I've never tried.

Well, I got the last bit I wanted to work - I can now get into my 172.16.1.0/24 network :) How? I found this blog post: https://networkguy.de/?p=409 I based a static route on my Netgear router (Attach 1) on his 2nd picture with the "route -p" command listed at the bottom of the picture, mapping his numbers to approximately what I have in place on my network. Basically: I made a static route to the destination network (172.16.1.0/24), through the WAN IP of that pfSense router (192.168.1.101). The asymmetric routing is still there, but only in specific connections: The pfSense router (172.16.1.1) Ping Redirects the router and any computers in 10.0.0.0/24, but pings the entire 192.168.1.0/24 normally. VMs behind that router ping everything normally, including the 10.0.0.0/24. My iMac (192.168.1.5) has a Redirect Host to both subnets (10.0.0.0/24 and 172.16.1.0/24) My other pfSense router (10.0.0.1) Ping Redirects anything in 172.16.1.0/24 network. It also Ping Redirects any computers in 192.168.1.0/24, BUT it pings the router (192.168.1.1) normally. Any machines behind this router ping both of the other networks (172.16.1.0/24 and 192.168.1.0/24) normally. Again, my current router has no option for an additional interface (off the shelf model), but even with redirects, I managed to get everything to communicate, so that's definitely something to be happy about - just in time for class to start tomorrow night as well, so I'll be able to do plenty of network testing. Any thoughts about the weird redirects couldn't hurt - how can your router/gateway ping redirect to an entire network (first example), but all the machines behind it can ping that same network normally? Weird. Anyway, hope this can help someone, and thanks to everyone who helped me along to finally getting my stuff working (if not 100% cleanly.) -Bryan  

No it doesn't. Of course we can play in the game "provide more details" for example fro #1, here: https://forum.pfsense.org/index.php?topic=142162.0

You have also created an asymmetric routing scenario. https://forum.pfsense.org/index.php?topic=142090.msg775011#msg775011

MTNLfiberconnectionGW  Tier 1 CABLENET_PPPOE Tier 2 DVOISINTERNETGW Tier 3

No you do not need it.. Why do you need it?  If your going to put pfsense on that network, and the clients use a different gateway to get to get to other networks then that network becomes a transit.. Hosts on transit networks that need to use multiple gateways to get to other networks need to have host routing.. To tell them which gateway to use, if not then you end up with asymmetrical routing.. Why can pfsense not use the new transit network you create from the isa router to pfsense to get to the 192.168.100 network. If you want to run it the way your running it then you will have to create routes on every host in the 192.168.100 telling them which gateway to use - or you have asymmetrical mess.

Yes, you should be able to do that. You have to be connected to an address on the same VLAN. You can add a VLAN to a physical interface you are connected to on another VLAN.