@andipandi: WAN interface should have no leases at all? I don't see any error in the config you posted. You should check the subnet masks on your clients, they should be set to 255.255.255.0. Also, you should check your WiFi router, since this is the only interface that causes issues, perhaps it is that piece of hardware that has its own configuration wrong. Probably you can read some more from the firewall logs, they also tell you what traffic is blocked. If you just want LAN, LAN2 and WIFI_AP to be one large net, you could also just bridge them. (I think then you have to adjust the subnet mask again to include all nets.) I apologize for not enough a clear description of the problem. WAN, WAN2, WIFI interfaces receive leases from the ISP and operating normally. WIFI interface is Atheros AR2417 adapter. Subnet masks really 255.255.255.0. No additional WIFI router is not used, the access point is implemented by means of pfsense WIFI adapter Ralink RT2561S, if it is important. The firewall logs nothing about blocking packets from the LAN to WIFI_AP, which is strange. The experimental purposes, I tried to combine all three interfaces in a bridge, in this case, the problem disappears, but I need independent subnet. As I see it (maybe I'm wrong) the problem is in routing with WIFI_AP NIC. Thanks

FYI I also fixed the failover, it turns out when importing the config from the old firewall, some of the Virtual IP's got assigned to the wrong interface, which I think is why it was failing both when the primary went down. Reading the manual and understanding the basic theory is nothing like being thrown in the deep end with a real-world deployment, so I have learned a lot over the last 2 days.  Thanks again for your help.

DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well 1. Probably 2. Yes Your only option would be to use some public DNS, like Google ones, or PublicDNS. If you need to resolve some entries through ISP servers only, you can add them to unbound overrides.

I made a diagram to show the described scenario visually: [image: pf_Sense_forum.png]

Post screencaps of your NAT rules and your WAN firewall rules.  It could be many things, based on your short problem description.

Which parts of the network do you control? Don't want to stirr up the soup but three routers seems … optimizable. Are "WiFi Bridge" and "Router of the Bridge" separate devices and is anything else hanging off of the Bridge Router other than your pfSense?

Your gateway and monitor IPs are the same. If you change the monitor IP to something like google DNS or something you should get a representation of when the gateway is up or down from PF.

Have you tried setting Data Payload to 1 in System / Routing / Gateways / Edit?

Meu pfsense(2.3.2-RELEASE-p1 (amd64) ) não funciona também, seleciono pela regra que host X deve sair pelo gateway Y e ele não obedece a regra criada. Como tenho outro pfsense(2.3.2) instalado em outra filial, efetuei o mesmo teste e para minha surpresa funcionou perfeitamente. Alguém sabe como resolver o problema? My pfsense (2.3.2-RELEASE-p1 (amd64)) does not work either, i selected for rule that host X must exit through the gateway Y. As I have another pfsense (2.3.2) installed in another branch, I performed the same test and to my surprise it worked perfectly. Does anyone know how to solve the problem?

I figured it out my by watching https://www.youtube.com/watch?v=zrBr0N0WrTY&t=378s

Resolved.. i cleared out the IPSec configure.. in the process discovered i had a typo in the address in the sophos side.

Ok, thanks for the clarification.

It's been a while, I know.  Yes, I can connect directly by IP address but I can't see the Samba share.  I'll come back with some more thoughts about my requirements in a few days ..

nvm got it! thanks for the help :D

Hence why this wasn't obvious  :D Below are my results of the original NIC card compared to the identical spare card: Original Card Results Speedtest while plugged directly into pfsense router for WiFi: 50 MB/s up/down Speed of file transfers between subnet A to subnet B plugged into interface: 100-300 KB/s Speedtest over WiFi (TrendNet AP): 15 MB/s Down - 17 MB/s Up Speed of file transfers between subnet A to subnet B over WiFi: 100-300 KB/s Spare Card Results Speedtest while plugged directly into pfsense router for WiFi: 50 MB/s up/down Speed of file transfers between subnet A to subnet B plugged into interface: 70-80 MB/s Speedtest over WiFi (TrendNet AP): 50 MB/s Down - 50 MB/s up/down Speed of file transfers between subnet A to subnet B over WiFi: 60-70 MB/s No other settings were changed on pfsense as this was simply a card swap. It doesn't make much sense to me either why I was getting full speeds on that NIC port to the internet when plugged directly into the interface but for some reason it was having a difficult time sending/receiving traffic from two segmented subnets and the WiFi wasn't nearly as fast even for this old AP. Once I recorded my results with the spare card I chalked it up as a faulty NIC port. Maybe some engineer can come on here and give me an explanation why I saw such a drastic difference between the two identical cards but I'm happy it's all set now. Hope that helps give you some clarification into my troubleshooting johnpoz