• Static Route not applying to traffic

    0 Votes
    4 Posts
    2k Views
    jimp
    What sort of traffic is it? You are better off not policy routing (rules on gateway set to "default", not a specific gateway) in these cases. Though routing on WAN can be complicated sometimes due to how the outbound WAN rules have route-to on them. Maybe try a floating rule, outbound, quick, on WAN, matching the destination network and without a gateway set on the rule. You might also have to add a "do not NAT" type rule so that your private-to-private traffic does not get source NAT applied. If the two internal networks are on separate VLANs within the same switch setup, also consider using a tagged VLAN as a means of handing off traffic between the firewall rules to avoid using WAN.
  • [SOLVED] ISP filter tcp connections from wanv4 public IP GW

    0 Votes
    3 Posts
    650 Views
    empbilly
    @Derelict: Does the "main VLAN" have public, routeable IP addresses? If so then you want to disable outbound NAT on WAN for traffic sourced from those IP addresses. https://doc.pfsense.org/index.php/How_can_I_use_public_IPs_on_the_LAN If not, I'm not sure what you're asking. ~~Thanks for the answer, Derelict! Yes, I have routeable public IPs on that VLAN and I have nothing set in Firewall > NAT, Outbound. Is only this enough, or do I need to create a rule?~~ EDIT: SOLUTION http://www.eliaspereira.eti.br/2016/10/filtro-tcp-no-gw-principal-outbound-no.html ;D I made a rule in "Firewall: NAT: Outbound" with the following settings: [image: nd8lBea.png]
  • Policy routing not working with OpenVPN interface

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Policy routing not used by PfSense own interface

    0 Votes
    3 Posts
    1k Views
    Thanks a lot for the information. I've done a Plan B: I've configured NAT in the Firewall for traffic from 192.168.3.0/24 intended for the PfSense LAN address.
  • Routing: Site A via VPN through Site B to Site C

    0 Votes
    6 Posts
    5k Views
    So it's an IPSec VPN. You should have mentioned this. I'm not familiar with IPSec on pfSense, but there is a special topic in this forum: https://forum.pfsense.org/index.php?board=16.0
  • PfSense does strange IPv4 source address pick

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • One Wired, One Wireless setup

    0 Votes
    1 Posts
    591 Views
    No one has replied
  • <solved>Are there default Preferences on multiple LAN Ports?</solved>

    0 Votes
    6 Posts
    1k Views
    Hi, in the last days I did some tests and research. I got another Astaro ASG220 Appliance for testing and there I made the following experience. On our Appliance we had pfSense embedded installed on a 4GB USB 2.0 Stick. On the borrowed one I installed pfSense on a spare HDD that was connected to the Appliance's onboard IDE Port. I reinstalled the current release and imported the config of our faulty Appliance. After correcting some Interface Assignments I switched over to this Appliance and on all Ports we got the correct Internet Speed. Then I plugged another spare IDE HDD into our faulty Appliance and reinstalled pfSense. Then I reimported the current config and corrected some assignments like in the borrowed Appliance. I switched back and I got the full Internet Speed with our Appliance, too. The only difference is that now pfSense does not boot up from the USB Stick (embedded Version) but from the HDD (classic Install). But why has the USB system such performance flaws, when it boots up in RAM? Thanks for your help! The problem itself is solved now! :D
  • MULTI WAN + FAILOVER + DNS

    0 Votes
    1 Posts
    827 Views
    No one has replied
  • Policy Routing Behind Separate LAN and IPSEC Routers

    0 Votes
    4 Posts
    1k Views
    Hi Tim, Yes I did build and test it out. The main 'issue' I have is that the connectivity and VPN out of the device 'pf_internet' from 'pf_internal' is used for other services too. If, on the device 'pf_internal' 192.168.166.x interface, I set a gateway of pf_internet (192.168.166.x) but with a monitor of an IP across the tunnel, I believe yes, this would work. However, if only the tunnel to that remote IP being monitored goes down, I run the risk of causing failover for other services, even when the rest of the connections are up. – I hope you understand what I mean? My workaround for the moment is to have static routes, specific for the remote IP, disabled on pf_internal. In the case of failure of the tunnel, the static routes are simply enabled. --- Yes, I know... Manual intervention like this is not ideal, I'm just not seeing any other way around this scenario.
  • Using /29 - virtual ip's or wan vlan?

    0 Votes
    2 Posts
    1k Views
    Derelict
    You really cannot make an inside interface with public addresses with a single /29 on WAN. The best you can do is 1:1 NAT addresses to inside hosts. Some people bridge WAN so they can put hosts on public IP addresses. Not a fan. If they were to route another subnet to an address on that /29 you could use that subnet on an inside interface, use VIPs on WAN, or basically do whatever you want.
  • PfSense allow one part of the network access to VPN Tunnel

    0 Votes
    2 Posts
    896 Views
    Easiest way would be to just create separate Guest and Secure vlans. Leave Guest at your Linksys, and route Secure to your core.
  • vlan loading/reconnect issues in one-armed setup

    0 Votes
    10 Posts
    7k Views
    johnpoz
    You want a slow booter, the 3850's are like waiting for a pot to boil while watching it..
  • Multi LAN & WAN Routing woes

    0 Votes
    2 Posts
    983 Views
    Derelict
    You need to bypass policy routing when you set the gateway groups. That means, for instance, a pass rule on LAN_1 that passes traffic to LAN_3 that does not set a gateway (meaning it's set to the default gateway). After that you can place the rule that passes traffic to any (the internet) and sets the gateway group. Traffic routed to a specific gateway, or policy routed, is sent to that gateway with no further checks. https://doc.pfsense.org/index.php/What_is_policy_routing https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • Balancing single host traffic & Persistent WAN usage

    0 Votes
    1 Posts
    596 Views
    No one has replied
  • Dual-WAN, MONITOR spamming system, causing 504: Bad Gateway

    0 Votes
    2 Posts
    1k Views
    On 2.3.2 64-bit. Similar problem as GoldServe. Whenever Wan1/2 failover occurs I get hit with 3 pairs of the same log messages in succession. Any way to have PfSense log just one entry pair? Does it log for every gateway with monitoring enabled even though it's not included in the failover tiers?
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan1Failover
    2016-09-28 16:07:53 Daemon.Error pfsense Sep 28 16:07:53 php-fpm[51147]: /rc.dyndns.update: MONITOR: WAN2GW is down, omitting from routing group Wan2Failover
  • Why using failover rules on top of load balancing rules? Not redundant?

    0 Votes
    3 Posts
    912 Views
    @heper: there is no direct reason to 'cascade' failover rules below balancing rules if they are meant to match the same traffic… pointless waste of time. Great, thanks for your insight. That's odd. Do you have a DNS server set for each WAN? (general settings) No clue if this is a known issue or something specific in your situation, never encountered it myself. Yes, I have DNS servers for each WAN under general settings. I will try and dig some more.
  • Multi WAN, Multi lan local routing problem

    0 Votes
    4 Posts
    1k Views
    dotdash
    The order is correct. Make sure you do the same thing on LAN2 so the LAN2 traffic can pass to LAN1.
  • Network cut off when doing backup

    0 Votes
    12 Posts
    2k Views
    I found the solution now: it had been a problem with "inline mode" in suricata. I changed it back to legacy mode and now everything is as it should be: it blocks under certain conditions, makes a log entry and cuts the connection to the offender (not the whole network).
  • Create another whole network behind pfsense for lab testing

    0 Votes
    2 Posts
    840 Views
    johnpoz
    Yeah, it's pretty easy. I assume you're going to double NAT, unless you're planning on using that new VLAN as a transit network?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.