@klubar: Maybe I found the answer…. (?) Under Firewall / Rules / LAN, in Advanced Options I changed Gateway from "*" to LoadBalanceWAN (name of my Gateway Group). Is this the solution? That will do it, I'm still learning pfSense but in order to route traffic to a different gateway you modify the Firewall->Rules as you've done.

Or make a 192.168.2.0/24 interface and put the PCs on that. You can make it work but it's a crappy design and should just be fixed instead.

Thanks a lot! The "use sticky connections" solved my problem  :D :D

;D [image: nomad.jpg] [image: nomad.jpg_thumb]

Which is also why we recommend using public DNS servers :-)

So you think netflix uses 4 /24 networks?  Why would you not just use a /22 for those 4 networks?  How big is this alias?  Why would you not just route all traffic from your netflix media devices out the wan no matter what the dest?  Since netflix and all the others are cracking down on vpn traffic.. Your going to be fighting a loosing battle trying to keep tabs on every network that netflix uses ;)  Pretty sure its HUGE an adds addresses and removes networks on regular basis. Guess your going to have a issue trying to stream media from netflix off a pc, and vpn other traffic that is not neflix..  Vs if you were just playing netflix off your roku or HTPC, etc..

Hello, I've upgraded all my pfsense to the last build 2.3.2_1 I forgot to tell you that all my pfsense are virtualized on ESXi hosts. I've also attached in this post a screenshot of my routing table on the main site. [image: routing_table.JPG] [image: routing_table.JPG_thumb]

Thanks for the reply, So if i understood correctly I would need to go to pfSense then go to routing and find  a way to route the LAN to use only that Gateway? What very odd this is only happens when pfSense reboots, the only way to get it the way i want, if i reboot the lSP modem a few times which its a pain Thank you

UDATE: Restored pfSense to factory defaults. And the only thing I changed during the wizard was the time. As I live in Sweden I want Swedish time. I choose WAN and LAN as before. Same thing happens again. My Windows 10 icon tray says that I'm online. And I can ping any IP adress. But I can not ping any URL or access any URL in my browser. pfSense can ping any IP my computer can also ping any IP

So your pfsense wan network or transit is on 10.0.0/24 what is psfense IP??  You can for sure point to different gateways on this transit network that your calling your wan..  There was recently a thread about this.. "Pfsense will not let me add 10.0.0.1 interface since it's in the same subnet as the other gateway" I think your confusing terms here.. If you have an INTERFACE on pfsense that has IP address 10.0.0.1, no pfsense is not going to allow you to create another interface with IP address 10.0.0.2..  That is not a GATEWAY.. If your running the phones and data on the same network.. And you want phones to come in and hit pfsense on .2 vs .1 - then that would just be a VIP you create on that network.. Why are you running data and voip on the same network.. That is a BAD idea.. Your data and voip should be on different vlans plan and simple.. You should never use more than 1 network on the same wire.. If you can not do vlans – get some vlan capable switches and do it correctly!!!

so yeah i thought that was the case i have done that but it doesnt seem to be working for me https://forum.pfsense.org/index.php?topic=122788.0

LAN already has an Allow Any rule so your rule to allow to OPT1 is unnecessary.  I'm thinking your issue is local firewalls, not pfSense.  For example, Windows will block traffic out of its own subnet, so your 172.16.x.x traffic will be blocked by a Winbox on the 192.168.x.x network.

so you basically need failover ? you could do that with tiered gateways &policy routing the wiki title is for a multi-wan setup, but the same might be of use in your situation: https://doc.pfsense.org/index.php/Multi-WAN#Failover you might have to watch out for asymetric routing issues ( send by fiber, receive by vpn = not what you would want) the other option is to run a dynamic routing protocol (like ospf or bgp) to handle the re-routing when one link goes down

I ended up moving the CA and server certs to the PFsense and setup the OpenVPN server on it. Works OK now. My main point was to spread the load. The server that it used to run has a much better CPU than the router. It looks like the PFsense can saturate our 50MBIT connection, so thats fine. Thanks a lot for the insight!

you can edit the raw file itself. Thats what we did when we setup our BGP.

Depending on what you want to do.. You would have to create a monitor for your default gateway that goes somewhere outbound and not just your gateway address which is the default.  You then have another gateway setup that uses your other gateway 2 address. You shouldn't have to jump through these hoops.. The company you paid that put in the fortinet needs to do their job!!