@viragomann: There are only three things left to check: The network settings on clients and on pfSense (DHCP if used). Ensure that the network mask is set correctly and that the gateway is the pfSense LAN address. The firewall rules. But if you haven't changed anything there should still exist the default allow any-to-any rule on LAN. The outbound NAT. But in default settings, it should work also. There should exist a rule with source = LAN network and translation = WAN address. If that doesn't help you can check the routes on the client and run packet capture on pfSense to find out if packets destined for a web address arrive on the LAN interface. Tripled checked and all looks good.  A clean install using default settings should work right out of the gate, but for some reason doesn't.  I guess pfSense simply doesn't like this box for whatever reason.  Just odd that the firewall itself can reach the internet and not a single client can do the same.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

Nobody?

Bring your interface up on pfsense, give it a network that does not overlap your lan network.  Are you really using a /16 on your lan??  Seems bit much.. So lets say create 192.168.10/24 on your other interface (opt1) and you call this wifi or something. Then connect your AP to this interface.. If you want other ssids to be on different vlans.  Then you would create vlans on pfsense, assign them to the interface (em2?)  Then on your AP create the other SSIDs using the same vlan ID, lets call it 100 that you used when you created the pfsense vlan. That really is all there is too it.  Other than creating rules on your opt and any vlan interfaces that allow the traffic you want.  And enabling dhcp on the interface and vlan interfaces as you see fit. Why would you try creating a bridge?  You would have ZERO reason to do this, and if you wanted your AP or specific ssid of your AP to be on your lan network then connect your AP to your switch..

How exactly did you setup OpenVPN? The logs are cut off so I can't see it all, but it looks like it's saying the OpenVPN server is not using a Server Certificate ("unsupported certificate purpose")

Anyone? :)

I do have natted ip routed only to WAN2 … and all personal devices too routed to WAN2 .... and the rest to WAN1+WAN2 .... i just finish adding a failover to WAN group .... so now VLAN 3 to 23 are on MULTIWAN and VLAN24 to 62 are on WAN2 hopefully this is increase the utilization on WAN2 .... LAN GOUP 1 = VLAN3 to 23 = MULTIWAN LAN GROUP2 = VLAN24 to 62 = WAN2 (FAILOVER ENABLED) and regarding services we have unbound and snort packages running on our pfsense ....

It works! I removed the port group (VLAN ID1) in VMware. And I had to apply the VLAN configuration on port 2. [image: mybBuk] https://ibb.co/mybBuk Thanks for your help!

Go away John. PS I reread this thread.  My pfsense has a point to point network to my layer 3 switch. There is no asymmetrical network.  pfsense forwards all traffic to my layer 3 switch so the L3 switch can route it. All my web pages now pop faster on the screen when using the RV320 router than when using my pfsense router on an old Xeon server motherboard.  Two years ago when I tested pfsense using testing web pages it was as fast or faster than the RV320 which now no longer holds true. So I have moved back to my old Cisco RV320 router. I just unplug one router and plug the other one in and I can tell the difference.  I do miss the time server in pfsense.

Thank you for help. We use static routing earlier but from time to time something is change so we want enable any routing protocol. Cisco routers also use ripv2. I resolved my problem. I added parameter "passive" in /etc/gateways to interface which i don't want advertise.

Probably this, assuming you're on net30 topology which you appear to be: https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses Disable monitoring for that, or make sure you have a route pushed for the tunnel network and then setup a monitor address for .1 in the tunnel network, which might work.

I investigated this in detail and indeed looks like a bug, I created a bug report: #7719

Please read the topic  ;), I am using one interface with VLANs in order to have 2 WANs from one physical. Best regards Kostas

So you have: WAN1 WAN2 WANVSAT And a gateway group of WAN1 and WAN2 OpenVPN Client or Server? Presuming Client. And you have the OpenVPN Client bound to the gateway group containing WAN1 and WAN2? And if both gateways are down, the client connects via the VSAT? Which WAN is set as the default gateway? Do you have default gateway switching on? (System > Advanced, Miscellaneous)

As long as all the pfSense interfaces are separate with separate gateways (such as /30 networks with one address on each side) you should be able to put them all into a load balance group.