Its confirmed its not working correctly. Recommendation is to use FRR instead of OpengBGP package. Now how to configure FRR? Its a bit intimidating…

It might work if you use policy-based routing for the 192.168.1.0/24 destination on the LAN interface, bypassing IPsec. It's a big might. It sounds like you tried that though. You might want to post what you've tried because, at a minimum, that should at least send the traffic out the correct gateway instead of IPsec. That's why it is not recommended you configure large swaths of space like 192.168.0.0/16 anywhere. Running into conflicts with other sites is pretty much inevitable when you do that.

:D why do i complicating things, you're perfectly right. It's now working. \o/ Thank you very much. Kevin

Sorry for opening an old topic.  Basically my problem was solved by disabling hardware checksum offloading, see: https://forum.pfsense.org/index.php?topic=87856.0

OK, so lets try some more specific questions, should the pfsense instance be in one of those subnets, and I just write routing rules to give it access to the other subnets. Or do I create a fourth subnet (maybe public?) to give it access. Presumably I need to set up an interface in pfsense for each subnet? How do I do that in AWS - I'm a bit lost with their strange way of doing things. How do I limit access to certain subnets / machines on a user by user basis. Would I do that in pfsense or in AWS. What makes sense here. I'm guessing someone must have struggled with this environment before.

You can always subnet a network down..  so that is a /23 so logical break would be /24, since your at 10.2.5 the break to /24 would create 10.2.4.0/24 and 10.2.5.0/24 Here is the thing.. What exactly are you going to do to subnet it down.. They are not routing that traffic to a routers of yours are they?  You are directly attached would be my assumption..  So unless you have some router in your classroom and they route that network to you via some other transit.. Then while sure its easy to subnet any network into smaller networks - your problem is more involved… And without more info its impossible to advice you what direction to go into. But if all you want is an isolated wifi network you could control - this would be as simple as connecting your typical wifi router which would nat the wifi clients to whatever IP it gets from your 10.2.5/23 network when you plug its wan in. Better would sure being this with pfsense box and some APs..  But any 20$ soho router you pick up at the computer store would be able to create an isolated wifi network on your current network.

Doh! That's exactly what it was, thank you Derelict. Didn't even think about that. It's working great now. Thanks again! Brooks

Yes. Number that interface as 192.168.2.1/24, create the necessary firewall rules on that interface, and connect another switch to it.

Then your problem is upstream. pfSense cannot control which interface reply traffic arrives on. It can only control which interface is used for sending. Based on the information given so far…. You will need to provide a lot more details to make a real diagnosis.

@ytn: Anyone have any ideas / suggestions? I am primarily trying to find a solution for the fiber modem bypass / bridging. Should I post this question in a different area? Thanks. I'm looking for the same solution but no one seems to have this worked out perfectly yet on pfSense that I can find.

My Cradlepoint goes offline regularly after not using it for a few hours.

Hello, in my case I was able to solve it like this: I noticed that I did not need the VPN gateway, so I enabled gateway monitoring and also enabled it to always be off. So the VPN gateway in my case and to the present moment was not identified as default gateway –------- Olá, no meu caso consegui resolver do seguinte modo: Notei que eu não precisava do gateway da VPN, então habilitei o monitoramento do gateway e também habilitei para ficar sempre off. Assim o gateway da VPN no meu caso e até o presente momento não foi identificado como default gateway

so, check the "non local gateway" in routing>gateway of each gateway. Becoz you got multiple wan from one isp routing. pfsense non sense of gateway routing from one isp. make sure separate each gateway route. sorry for my bad english.

Do note that traffic originating from the pfSense system itself will always use the default gateway. It's not possible to redirect locally originating traffic to a specific WAN connection or to a gateway group in pfSense/FreeBSD.