Action: pass
Interface: LAN
Source: 192.168.100.100
Gateway: wan2

with doing it this way and also having Destination port range set to default (other) with nothing inputted. it wont open all ports to that computer correct?

knight, I too ran into the same issue, but am having some trouble. Currently all traffic is sent over OpenVPN to PIA.

I am very new to pfSense (had it a whole 2 days now) and it is not clear to me exactly how to implement this rule. Any help you can offer is greatly appreciated.

In the rules i see the following:

Action: Pass
Disabled: unchecked
Interface: LAN
TCP/IP Version: IPv4
Source:  Not sure what I should put here
Destination: again, not sure what i should put here

Advanced Features: many options here

Thanks,

-Edit
Got if figured out and working!
The key was to remove the two default rules pertaining to LAN traffic and adding one for the streaming services, and one for everything else. both rules required selected the appropriate gateway in advanced options.  Included are my rules for anyone else trying to figure this out.

From the description of your config, it sounds correct, but without screenshots of the gateway config, gateway group config, and rules it's difficult to say what it might be.

Also be aware that packages like squid that intercept traffic will only leave via the default gateway since that traffic originates from the firewall and cannot be balanced.

I would consider tagging the internet traffic across the bridges and putting the management of the units on a VLAN interface. I would tag them both but the ubiquiti gear seems to prefer untagged management.

Internet source switch:

Modem: Untagged VLAN 100
Ubiquiti: bridge Untagged VLAN 200 Tagged VLAN 100

Bridges

SSID on Tagged VLAN 100
Management: untagged

Remote switch:
pfSense: Tagged 100 & 200
Ubiquiti: bridge Untagged VLAN 200 Tagged VLAN 100

pfSense:

WAN: VLAN 100 on eth0
BRIDGE_MGMT: VLAN 200 on eth0 10.100.X.X

@mkaliyannan:

we have a setup like this :  ISP router with unmanged ports  –-- > managed switch--------------> Single NIC (emo)  WAN.  <–-Pfsense router --->  2nd NIC( em1) ----------> Internal LAN Subnets.

I want to know is it possible to configure multiple WAN using VLAN from the switch to pfsense using single NIC ?

Like this:
https://www.youtube.com/watch?v=zrBr0N0WrTY
(single ISP with multiple static IPs)

And dealing with the same thing and I am looking at having a script developed that would monitor the 2 interfaces and kill all states in a specific subnet or vlan to force the to re-register when the main gateway comes back up.

@Derelict:

Use an outside switch and two pfSense interfaces.
One on 90.182.100.240 / 29  GW 90.182.100.241
and one on  90.182.101.240 / 29  GW 90.182.101.241

I need to add that even this is ugly and really should be two different broadcast domains to two different ISP interfaces. But it will probably work as long as there is not traffic going out and back in the same interface. If there is traffic between the two /29s you will probably have problems.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

After much tinkering all it took was to "Enable Forwarding Mode" under DNS Query Forwarding in the DNS Resolver settings.

Figured it out.  The MGMT interface has the mask wrong: set to /23 (network) instead of /32 (host) so the firewall was routing through it.  Changing to /32 and applying immediately fixed the route.

Well … I got brave and deleted the incorrect gateway instance in System > Routing. It was automagically replaced with the correct ISP gateway.

Status > Gateways looks good now also. Correct GW IP, and status is Online.

No drama !

CMB, thanks for getting back to me. Please excuse my ignorance, this is like trying learn Latin.

When you refer to LAN rules, are you referring to the LAN Interface?

Thank you very much.

i did create the 2 vlans 3,4 on the switch  and mention theip default gateway will be the lan ip for pfsense 192.168.1.1,However. i can't get an ip whenever i connect a pc to any switchport belong to 3 or 4.
related to my lan nic it should be working fine as long as it accept already the subinterface ?

Not Sure on HTTPS, but by enabling Sticky Connection fix it, Still Testing …

Installed it, and it works now!!  8)

Thanks

It turns out that access a CRM system the company (SugarCRM), the user's session is terminated under 10s, and the system reports the following error: "Your session was terminated due to a significant change in your IP address.". Someone has gone through this problem and know how to solve?

In normal or usually if this might be commercial based work, the network admin will
create a VPN tunnel over IPSec, L2TP/IPSec or OpenVPN and the complete CRM data
will go only through this VPN tunnel then, this might be better to targeting such a traffic.
Perhaps this might be something also for you and the SugarCRM company?

I'm having problems with the use of two Internet links set to tier 1 in "groups".

With two Internet links you could do proper load balancing for well, but you must decide your
self for one of the three main versions of load balancing to go with;

policy based routing (would be good for you) session based routing (only good for servers) service based routing (would be also matching your criteria)

The source was shown in this older thread here:
Here's what you need to do, under system -> Routing -> Gateway Groups

Create a first group with description name "BALANCE", And set Tier 1 for both "wan's" and Trigger level to "latency or packet loss" [this for load balance]"

Create a second group, description name "Wan1 Fail Wan2 Use"  and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down.

Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down.

Now Coming Firewall Rules –> LAN, you need to create a three new rules,

LIKE 1) BALANCE RULE
Interfaces: Lan
Protocol: ANY
Source: LAN SUBNET
Destination ports: ANY
Gateway;BALANCE

2) FAILOVER RULE 1
Interfaces: Lan
Protocol: ANY
Source Address: ANY
Destination ports: ANY
Gateway;Wan1 Fail Wan2 Use

3) FAILOVER RULE 2
Interfaces: Lan
Protocol: ANY
Source Address: ANY
Destination ports: ANY
Gateway;Wan2 Fail Wan1 use

Make sure to place them on top of the lan rules!
This is more them enough for fail-overs.