• AWS VPC Routing and Positioning.

    2
    0 Votes
    2 Posts
    419 Views
    P
    OK, so let's try some more specific questions: should the pfsense instance be in one of those subnets, and I just write routing rules to give it access to the other subnets? Or do I create a fourth subnet (maybe public?) to give it access? Presumably I need to set up an interface in pfsense for each subnet? How do I do that in AWS - I'm a bit lost with their strange way of doing things. How do I limit access to certain subnets / machines on a user by user basis? Would I do that in pfsense or in AWS? What makes sense here? I'm guessing someone must have struggled with this environment before.
  • Subnet a subnet

    4
    0 Votes
    4 Posts
    737 Views
    johnpoz
    You can always subnet a network down.. so that is a /23, so the logical break would be /24; since you're at 10.2.5 the break to /24 would create 10.2.4.0/24 and 10.2.5.0/24. Here is the thing.. What exactly are you going to do to subnet it down.. They are not routing that traffic to a router of yours, are they? You are directly attached would be my assumption.. So unless you have some router in your classroom and they route that network to you via some other transit.. Then while sure it's easy to subnet any network into smaller networks - your problem is more involved… And without more info it's impossible to advise you what direction to go in. But if all you want is an isolated wifi network you could control - this would be as simple as connecting your typical wifi router, which would NAT the wifi clients to whatever IP it gets from your 10.2.5/23 network when you plug its WAN in. Better would sure be doing this with a pfsense box and some APs.. But any $20 soho router you pick up at the computer store would be able to create an isolated wifi network on your current network.
  • Routing between Site-to-site VPN setups

    3
    0 Votes
    3 Posts
    397 Views
    B
    Doh! That's exactly what it was, thank you Derelict. Didn't even think about that. It's working great now. Thanks again! Brooks
  • Multiple routing tables by LAN address solution?

    1
    0 Votes
    1 Posts
    289 Views
    No one has replied
  • Help with google cloud, two separate offices, and telecommuters

    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Can't route between subnets

    4
    0 Votes
    4 Posts
    524 Views
    Derelict
    Yes. Number that interface as 192.168.2.1/24, create the necessary firewall rules on that interface, and connect another switch to it.
  • MultiWAN. Cannot route specific traffic to specific gateway

    4
    0 Votes
    4 Posts
    1k Views
    Derelict
    Then your problem is upstream. pfSense cannot control which interface reply traffic arrives on. It can only control which interface is used for sending. Based on the information given so far…. You will need to provide a lot more details to make a real diagnosis.
  • 2 separate openvpn connections with no dns leaking?

    1
    0 Votes
    1 Posts
    292 Views
    No one has replied
  • Dual lan, bridging and filtering (plus fiber modem / router bypass)

    3
    0 Votes
    3 Posts
    736 Views
    P
    @ytn: Anyone have any ideas / suggestions? I am primarily trying to find a solution for the fiber modem bypass / bridging. Should I post this question in a different area? Thanks. I'm looking for the same solution but no one seems to have this worked out perfectly yet on pfSense that I can find.
  • Multi-wan and cradlepoint issue

    3
    0 Votes
    3 Posts
    380 Views
    chpalmer
    My Cradlepoint goes offline regularly after not using it for a few hours.
  • Voip Telephones don't get connection

    1
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • Multi Wan and wrong default gateway

    7
    0 Votes
    7 Posts
    2k Views
    J
    Hello, in my case I was able to solve it like this: I noticed that I did not need the VPN gateway, so I enabled gateway monitoring and also enabled it to always be off. So the VPN gateway, in my case and up to the present moment, was not identified as the default gateway.
  • Source routing to 2 gateways on same subnets

    13
    0 Votes
    13 Posts
    7k Views
    C
    So, check the "non local gateway" in routing>gateway of each gateway. Because you got multiple wan from one isp routing. pfsense non sense of gateway routing from one isp. Make sure separate each gateway route. Sorry for my bad English.
  • Routing in a pfSense

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • One WAN as Default gateway while using 3 WANs as load balancing

    5
    0 Votes
    5 Posts
    886 Views
    K
    Do note that traffic originating from the pfSense system itself will always use the default gateway. It's not possible to redirect locally originating traffic to a specific WAN connection or to a gateway group in pfSense/FreeBSD.
  • NON-transparent squid + multiwan failover

    1
    0 Votes
    1 Posts
    310 Views
    No one has replied
  • 3 WAN with load balancing n failover

    4
    0 Votes
    4 Posts
    1k Views
    A
    Hi, yes, I have kept the weight settings as default. It was required if I do a load balance between WAN B (~9 Mbps) and WAN C (~5 Mbps). Regards, Ashima
  • 2 LANSs - need mutual exclusivity

    4
    0 Votes
    4 Posts
    433 Views
    Derelict
    Ugh. On LAN1 reject destination LAN2 network then pass what you want below it. On LAN1 reject destination LAN1 network then pass what you want below it. Do not attempt to block traffic with pass rules. Explicitly block the traffic you want blocked with block/reject rules. That said, your design is hosed. If you want 10.0.20.0/24 and 10.1.20.0/24 to be firewalled, they need to be separate firewall interfaces. You are probably going to need a managed switch and the ability to tag multiple VLANs to vmware to accomplish what you want. 2 LANSs - need mutual exclusivity You do not have two LANs. You have one LAN. Your hosts are out on the "WAN" as far as pfSense is concerned.
  • How can i do a Transfer Net

    3
    0 Votes
    3 Posts
    435 Views
    I
    Thank you very much! Now it's working perfectly. Many greets
  • Multi wan - mailserver on dmz - lan users can't access mail server

    2
    0 Votes
    2 Posts
    313 Views
    jahonix
    Your users are probably not accessing the mail server by its IP but via its hostname, right? (like mail.example.com) Have a look at split-DNS locally then.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.