I have read it can be done with a standard firewall rule as per this thread:

https://forum.pfsense.org/index.php?topic=112350.0

I will give it a shot when we get the second WAN!

@kapara:

Did you look at the states?  Do you have s conflicting rule?  Why not force connections to OVH via a single gateway or via failover instead of both using same tier?

Didn't look at the states which I will do now.
I have tried in both NAT outbound and also a firewall rule, but obviously I don't know what I am doing!  If I want to force all outgoing connections to a certain domain (or a certain IP) to go via one WAN what is the best way?

Just make sure your rules specifying a gateway are only matching traffic you want to force to that gateway (group). Add rule(s) above that to pass traffic between internal networks.

You need to enable forwarding mode in Resolver, or default gateway switching.

IPsec does not route, so you can't use static routes. You need a separate Phase 2 entry for each distinct pairing of local and remote networks.

The easiest way to reduce that is to summarize the remote networks. Are they all close by each other? Can you use a larger subnet mask to include all of them? Or at least reduce the number to something manageable?

I have done a lot of reading in regards to this issue, and pre-2.3 apinger was terrible and was often the issue.

However, I had some pre-2.3 boxes working with failover, but there was no voip traffic on these boxes.

This issue seems to be just for voip traffic. I have not been on site to do some more on depth testing. pfsense does not recognise that a gateway is down and does not switch. I can watch the state for voip traffic just sitting there and not changing. If I delete them manually, than it will failover to the second WAN connection but does not work automatically.

Also, on your identifiers, I usually manually type those, as different versions have captured and relayed this differently.

Try traffic shaping to within a megabit of your download. Most ISP's just drop packets once the max is hit, where as traffic shaping can be a much more smooth process. This is not a cure-all, softly queueing traffic might not drop it, but will add latency. Also, are you seeing any packet loss?

What do your phase2 entries look like per site? Do you have rule son the ipsec interfaces to allow such traffic?

@kapara:

Are you doing 1to1 nat? With your IP for plex?

Ah, I haven't tried that yet. Omg how did I not think of that…. I'll try it and post results here.

Seems that I solved the problem changing "State type" in "none" on the "Rule 1".

While technically you could assign addresses from the WAN subnet on a local interface using bridging, or add the IP addresses as VIPs and use 1:1 NAT, you would not want to do that in this case.

A CCTV system and a printer are two prime examples of devices you should never, ever, under any circumstances expose to the Internet in that way. These devices usually have weak security, poorly maintained firmware, and bugs that would allow attackers on the Internet to breach your network.

If you want to access them remotely, use a VPN – do not even setup port forwards for such things.

If you use pfctl -vss you will get the age of the state. That might be good information when troubleshooting this.

Maybe a rule on the IPSEC interface that says souce (remote ip) allow to destination (any) via the Cisco as it's gateway?

mDNS is multicast so in theory it should work if your VPN uses a tap(4) adapter that emulates an ethernet adapter with broadcast/multicast functionality.

The small sfp switch came in.

Works great!

/thread

A misconfigured outbound NAT could cause the same effect.