• Routing between two IPSEC tunnels

    1
    0 Votes
    1 Posts
    707 Views
    No one has replied
  • My gateway monitoring is not working correctly after upgrading to 2.3

    2
    0 Votes
    2 Posts
    1k Views

    https://forum.pfsense.org/index.php?topic=110043.0

  • Routing Between Separate PFSense Firewall Pairs

    2
    0 Votes
    2 Posts
    933 Views

    For an incoming packet on any given interface it goes like this:

    1. Address rewriting, rdr or nat rules.
    2. Packet filtering by the filter rules. Rules can set route-to for the packets to take a different route at 3.
    3. Routing if the destination of the packet (after NAT mind you) is not a local address.

    Outgoing is in the same order for 1. and 2. but routing has already happened obviously.

  • Need fresh eyes for routing between vlans

    6
    0 Votes
    6 Posts
    2k Views

    Thank you very much for the suggestions!
    Finally I opted for a different solution…
    I have created a LAGG interface for igb1+igb2 and trunk ports on the Cisco switch... applied the VLAN tags and everything is now working as expected!

  • Pfsense 2.3 HA hangs after about a week

    3
    0 Votes
    3 Posts
    861 Views

    Yes, I do!
    Thanks for the suggestion, hope for a quick resolution!

  • MultiWAN and Routing Issue

    3
    0 Votes
    3 Posts
    1k Views

    Thanks for the quick response georgeman!

    I looked up 'policy route negation rule' and the following how-to came up:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    Using the info in the above link, I created a pass rule on the LAN interface where the LAN subnet was the destination. When I placed this rule first, the website accessible via WAN1 became available to LAN hosts.

    From what I understand because the packets are destined for a NAT'd host via WAN interface and are therefore supposed to be 'reflected' back to the internal host without being routed to the Internet. Without the above rule the packets were hitting the load balancing LAN policy which sent them out the wrong gateway… Is this correct?

    I am still getting used to pfSense's nuances... while I am happy that it is now working, does having a rule like this somehow open a big hole in our security?

    Bonus Question: If I turn off NAT reflection would it be impossible for a LAN host to access an open TCP port on the WAN interface?

  • 2 lan routing issue

    22
    0 Votes
    22 Posts
    3k Views

    Thanks for the reply, but I resolved the issues with a reload of pfSense.

  • Multi wan with multi DNS servers

    2
    0 Votes
    2 Posts
    584 Views

    pfSense usually queries all the DNS servers simultaneously. If you have pfSense acting as a DNS forwarder (through dnsmasq or unbound), you cannot control in this way which server is queried depending on routing rules.

  • Unable to route a static public IP over VLAN

    2
    0 Votes
    2 Posts
    476 Views

    @dynamicuser:

    I have asked them to route it to a next-hop IP of my pfSense WAN IP - 52.132.180.66, they have done this.

    What does that exactly mean? Is there a local gateway on that new subnet?

    I guess the ISP placed the new subnet on the same WAN link? You would need Virtual IPs if this is the case.

  • A secure site login is failing with dual-WAN

    2
    0 Votes
    2 Posts
    456 Views
    dotdash

    Create a failover group and a load balancer group. Have a rule matching https with a failover gateway before the rule with a balancer gateway.
    You could also try the sticky option, but I haven't played with that in a long time.

  • If username x = abc net if username y = xyz net help me ?

    4
    0 Votes
    4 Posts
    742 Views
    johnpoz

    Google dynamic VLAN RADIUS; the ability to do this is going to come down to the feature set of your switch. If all you have is some dumb SOHO switch or even an entry-level smart switch, you're most likely out of luck.

    You need something with a decent feature set to support this on your switch.

    If you're wanting to do this via wifi SSID VLANs, then you're going to need a decent AP. The UniFi AP line has finally got around to implementing this; they have had some beta firmware out for a while now. And I see they just added it to the 5.02 beta that is out for the controller.

    What switch(es) do you have, and what wifi, if you're wanting to do it on wifi? And I can help point you to how to configure it. You're also going to need a RADIUS server, which you can run on pfSense if you want. I run RADIUS on pfSense for auth on one of my wifi networks.

    If looking for something to control switches for dynamic VLANs or just a NAC system, check out PacketFence.

    On a side note – "pfsense 2.1.5": why do so many people not upgrade?? I just don't get it...

  • MPLS failover / same destination via different gateways

    4
    0 Votes
    4 Posts
    1k Views

    Hi, first, sorry for my English.

    I have a similar scenario, and I resolved it this way.

    I created 2 VPN tunnels (peer to peer), one for ADSL (client and server both with the same settings) and the other one for MPLS (client and server both with the same settings).
    This permits creating an additional interface for each tunnel. This interface needs to be enabled, but leave all the settings blank; the interface will use the IP address configured in the OpenVPN P2P (either client and server). You only need to put a name and enable it.

    Once you finish this, the interfaces will appear on the dashboard, and if the tunnels are up they will show you the IP address used. Don't forget to open the ports used in the firewall rules. This is only needed at the server side of OpenVPN. The client doesn't need a listening port.

    The last thing you need to do is create a gateway group with the gateways associated with the OpenVPN dynamic gateways, in the same tier if you want load balancing or in different tiers if you want failover.

    Once you create the gateway group, you only need to assign it to one LAN rule in the firewall, for example:

    In site 1 you need to create a rule that permits traffic from any source to destination 10.0.2.0/24 and uses gatewaygroup (you find this "gateway group" in the advanced settings inside the firewall rule).

    And in site 2 you need the opposite rule, for example:
    permit traffic from any source to destination 10.0.1.0/24, use gatewaygroup.

    I worked a lot on this configuration. Both the OpenVPN and the VPN assigned interfaces don't need any firewall rules; leave them empty.

    Saludos, Max.

    Sorry again for the "English".

  • Printing across LANs

    2
    0 Votes
    2 Posts
    867 Views

    powercycle the printer / update firmware

    some models have a terrible networking stack

  • Unable to receive email after starting OpenVPN services.

    2
    0 Votes
    2 Posts
    473 Views

    Guessing you're letting it push you a default gateway, which you probably don't want.

    That in and of itself doesn't suffice though (reply-to should route it back out correctly). Second issue, you probably have a static IP WAN with no gateway chosen under Interfaces>WAN, so it's not setting reply-to.

  • How to detect WAN gateway is functioning if it is behind a modem?

    2
    0 Votes
    2 Posts
    406 Views

    Set the monitor IP to something like 8.8.8.8, then it'll ensure it's bound to that interface.

  • Public IP on WAN is VPN IP

    1
    0 Votes
    1 Posts
    558 Views
    No one has replied
  • Moving VLANs from pfSense to L3 Switch

    6
    0 Votes
    6 Posts
    3k Views

    Another easy way to do it is to use a dynamic routing protocol between your pfSense box and your L3 switch. RIP should do the trick; just download the routed package and advertise all routes you want discovered. You will have to look up instructions on your Dell switch; I'm not familiar with it.

  • Subnet communication

    8
    0 Votes
    8 Posts
    2k Views

    @Oats:

    Looks like there is a bigger issue. My LAN connection is randomly going down so that I cannot even ping the firewall or SSH in.
    Tried changing the NIC but no change.
    Restarting the router gets me connected for a few minutes then dies. But my OPT1 connection is fine (I'm using it right now). LAN was fine a few days ago and just stopped working today.

    No idea how to proceed.

    UPDATE: Was consoled in and got the following message when the connection dropped:
    watchdog timeout
    msk1: prefetch unit stuck?
    msk: initialization failed: no memory for Rx buffers
    msk1: prefetch unit stuck?
    msk: initialization failed: no memory for Rx buffers

    Going to try this: https://forum.pfsense.org/index.php/topic,57238.0.html

    UPDATE: stephenw10's fix above solved the dropping issue. Now back to the original issue.

    Could be a personal firewall on one of your clients. I would try temporarily disabling it. If that fixes it just add an exception to allow the traffic.

  • PfSense 2.3 Failover

    6
    0 Votes
    6 Posts
    2k Views

    If you're not using static IP addresses for the WAN, I don't think CARP or HA failover is possible.

    vbentley's suggestion for WAN failover should still work, although I've never set it up

    For a single pfSense host with multiple WAN connections use 'Gateway Groups' and configure load balancing, failover and firewall rules to use the Gateway Groups.

  • SOLVED: Only able to surf https and not http after upgrade to 2.3

    2
    0 Votes
    2 Posts
    583 Views

    Figured it out… I had to configure a DansGuardian NAT rule to redirect all traffic from LAN to port 8080.... Grrr.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.