@DJBenson: Am I right in assuming if I use a port alias containing 25,465 and 587 and assign that to the rule you suggested, any other traffic originating from the mail server will still load balance (i.e. normal HTTP/S traffic)? Yes, set the destination for smtp, etc and the other traffic will progress to the default rule. You may want to put https on a failover group (not load balanced) to avoid the problems you saw with banking sites, etc.

Hi Jim, Regarding all the tests my colleague has made and his results, do you think it could be a bug ? Thank you :-)

What dok said ;) That is not how you would set it up.. If you want 192.168.1/24 to be your internal network - then it would go behind pfsense..  Just like your wifi network..  You can have another firewall between pfsense and the internet if you want.. kind of pointless..  But you end up with like the attached.  Now you can firewall or talk between your segments all you want.  You can run a captive portal on the wifi segment, etc. You don't put devices on a transit network between 2 routers.  If you do then they have put routes on them to tell them which router to use for which network.  If your pfsense is natting now you also have to port forward to allow traffic from your transit into your downstream network.  Your prob going to have asymmetrical issues because you miss a route on 1 of your hosts in your transit.. If you want to use pfsense as a downstream router/firewall and have a segment hang off the upstream router then you would connect them with a transit, but now your going to have to create routing on your upstream router.. See 2nd pic.. I wouldn't be natting at psfense in this case.  Your upstream router would do the natting for any networks behind it.  So there is more config on upstream router in this setup. [image: transitnetwork.png_thumb] [image: typicalsetup.png] [image: typicalsetup.png_thumb] [image: transitnetwork.png]

Help you with why asymmetrical causes issues in applications?  Yeah its going  to be hit and miss - its a borked config, there is little use trying to make it work.

Cool, there is actually a HOWTO for this! The "Configure a new Interface" part I had right but I didn't know about the "Configure NAT" part. The information in it is a bit outdated, I selected Hybrid instead and now it's working!  

Sorry, did a bit more research and found this thread: https://forum.pfsense.org/index.php?topic=37451.0 Fixed it with increase the threshold values.

Thanks guys, I got the solution.

Your design is broken. Put "Plex Devices" on another interface so your routers can route properly or maintain all the necessary gateways and routes on them.

You should use firewall rules to separate the traffic of mission critical devices and set the fail-over group as gateway, while the gateway rule for all other lan hosts will be your wan1.

So your asus wifi router is in front of pfsense, or behind it?  There should be no devices connected to your asus router if that is your internet connection and you want to now use pfsense.  Pfsense can use a double nat, but things have to be behind it to be "protected"  If going to use the asus behind pfsense for your wifi, then you would jsut use it as an access point not a router.

should that topic to be moved on another forum subsection? Firewalling Traffic Shaping I'm not sure that it's on the best place for the moment, since it's concerned by firewalling, shamping, and multiwan…

New pfSense has three LAN rules, in this order: Allow connections to the Web GUI on the LAN interface of the pfSense from any subnet Allow traffic that is sourced from an IP address in the same subnet as the interface (implied rule at the end of the list, does not normally explicitly appear) drop all traffic that didn't match one of the allow rules You need to either change the default allow rule to allow every subnet you want, or add another rule that allows the subnet you're interested in. Note that if your computers on the other subnet don't have some way to route traffic to the pfSense, you won't be moving traffic this way probably (like if those computers want internet access through this pfSense).  You may want a virtual IP address on the LAN interface so that the pfsense has an IP address on both subnets to use, or something like that.

I think that you misunderstood. I am not trying to force ALL traffic to use the VPN just browsing and basic services I want routed to the VPN both http and https especially, and my daughters' games and Netflix. Every thing else must go out on the unencrypted satellite connection.

Solved the problem and hope this is helpful to others… Rebooting the "modems" on 74.92.10.128 and 74.92.16.120 solved the problem. Maybe something to do with APP? What was confusing me was that the "WAN" port worked.

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

I finally found the problem… There was never any problems with my config. My ISP had routed the subnet through the wrong gateway!