• Unable to route a static public IP over VLAN

    2
    0 Votes
    2 Posts
    496 Views
    @dynamicuser: I have asked them to route it to a next-hop IP of my pfSense WAN IP - 52.132.180.66, they have done this. What does that exactly mean? Is there a local gateway on that new subnet? I guess the ISP placed the new subnet on the same WAN link? You would need Virtual IPs if this is the case.
  • A secure site login is failing with dual-WAN

    2
    0 Votes
    2 Posts
    472 Views
    dotdash
    Create a failover group and a load balancer group. Have a rule matching https with a failover gateway before the rule with a balancer gateway. You could also try the sticky option, but I haven't played with that in a long time.
  • If username x = abc net if username y = xyz net help me ?

    4
    0 Votes
    4 Posts
    771 Views
    johnpoz
    Google dynamic vlan radius; the ability to do this is going to come down to the feature set of your switch.. If all you have is some dumb soho switch or even an entry level smart switch you're most likely out of luck. You need something with a decent feature set to support this on your switch. If you're wanting to do it via wifi ssid vlans, then you're going to need a decent AP.. The unifi ap line has finally got around to implementing this, they have had some beta firmware out for a while now. And I see they just added it to the 5.02 beta that is out for the controller. What switch(es) do you have and what wifi if you're wanting to do it on wifi. And can help point you how to configure it. You're also going to need a radius server - which you can run on pfsense if you want. I run radius on pfsense for auth on one of my wifi networks. If looking for something to control switches for dynamic vlans or just a nac system check out PacketFence. On side note – "pfsense 2.1.5" why do so many people not upgrade?? I just don't get it...
  • MPLS failover / same destination via different gateways

    4
    0 Votes
    4 Posts
    1k Views
    Hi, first sorry for my English. I have a similar scenario, and I resolved it this way. I created 2 VPN tunnels (peer to peer), one for ADSL (client and server both with the same settings) and the other one for MPLS (client and server both with the same settings). This permits creating an additional interface for each tunnel. This interface needs to be enabled but leave all the settings blank; the interface will use the IP address configured in the OpenVPN P2P (either client and server), you only need to put a name and enable it. Once you finish this the interfaces will appear on the dashboard, and if the tunnels are up they will show you the IP address used. Don't forget to open the ports used in the firewall rules. This is only needed at the server side of OpenVPN. The client doesn't need a listen port. The last thing you need to do is create a gateway group with the gateways associated with the OpenVPN dynamic gateways, in the same tier if you want load balancing or different tiers if you want failover. Once you create the gateway group, you only need to assign it in one LAN rule in the firewall, for example: in site 1 you need to create a rule that permits traffic from any source to destination 10.0.2.0/24 using gatewaygroup (this "gateway group" you find in the advanced settings inside the firewall rule), and in site 2 you need the opposite rule, for example: permit traffic from any source to destination 10.0.1.0/24 using gatewaygroup. I worked a lot on this configuration. Both OpenVPN and VPN assigned interfaces don't need any firewall rules, leave them empty. Regards, Max. Sorry again for the "English".
  • Printing across LANs

    2
    0 Votes
    2 Posts
    934 Views
    Power-cycle the printer / update firmware; some models have a terrible networking stack.
  • Unable to receive email after starting OpenVPN services.

    2
    0 Votes
    2 Posts
    497 Views
    Guessing you're letting it push you a default gateway, which you probably don't want. That in and of itself doesn't suffice though (reply-to should route it back out correctly). Second issue, you probably have a static IP WAN with no gateway chosen under Interfaces>WAN, so it's not setting reply-to.
  • How to detect WAN gateway is functioning if it is behind a modem?

    2
    0 Votes
    2 Posts
    417 Views
    Set the monitor IP to something like 8.8.8.8, then it'll ensure it's bound to that interface.
  • Public IP on WAN is VPN IP

    1
    0 Votes
    1 Posts
    566 Views
    No one has replied
  • Moving VLANs from pfSense to L3 Switch

    6
    0 Votes
    6 Posts
    3k Views
    Another easy way to do it is to use a dynamic routing protocol between your pfsense box and your L3 switch. RIP should do the trick; just download the routed package and advertise all routes you want discovered. You will have to look up instructions on your Dell switch, I'm not familiar with it.
  • Subnet communication

    8
    0 Votes
    8 Posts
    2k Views
    @Oats: Looks like there is a bigger issue. My LAN connection is randomly going down so that I cannot even ping the firewall or SSH in. Tried changing the NIC but no change. Restarting the router gets me connected for a few minutes then dies. But my OPT1 connection is fine (I'm using it right now). LAN was fine a few days ago and just stopped working today. No idea how to proceed. UPDATE: Was consoled in and got the following message when the connection dropped: watchdog timeout msk1: prefetch unit stuck? msk: initialization failed: no memory for Rx buffers msk1: prefetch unit stuck? msk: initialization failed: no memory for Rx buffers going to try this https://forum.pfsense.org/index.php/topic,57238.0.html UPDATE: stephenw10's fix above solved the dropping issue. Now back to the original issue. Could be a personal firewall on one of your clients. I would try temporarily disabling it. If that fixes it just add an exception to allow the traffic.
  • PfSense 2.3 Failover

    6
    0 Votes
    6 Posts
    2k Views
    If you're not using static IP addresses for the WAN, I don't think CARP or HA failover is possible. vbentley's suggestion for WAN failover should still work, although I've never set it up. For a single pfSense host with multiple WAN connections use 'Gateway Groups' and configure load balancing, failover and firewall rules to use the Gateway Groups.
  • SOLVED: Only able to surf https and not http after upgrade to 2.3

    2
    0 Votes
    2 Posts
    601 Views
    Figured it out… I had to configure a DansGuardian NAT rule to redirect all traffic from LAN to port 8080....Grrr.
  • Broadcast storm

    28
    0 Votes
    28 Posts
    8k Views
    route-to (rules specifying a gateway) doesn't necessarily follow the rules of routing traffic that normal routing of the OS will. If passing broadcast traffic with a rule with a gateway, it will forward that traffic as instructed. Where your architecture is poor and you have HA, that can result in a routing loop that's akin to a broadcast storm. Block broadcast traffic before matching pass rules specifying a gateway in that case.
  • Replace Cisco Router from ISP (16 IPs) [solved]

    3
    0 Votes
    3 Posts
    553 Views
    Problem solved, Thank you a lot!
  • Gateways show offline

    3
    0 Votes
    3 Posts
    873 Views
    @cmb: https://forum.pfsense.org/index.php?topic=110043.0 I thought I searched hard enough, but apparently not. :( Thank you!
  • Seeing Computers between two LANs

    13
    0 Votes
    13 Posts
    2k Views
    Derelict
    In the meantime you can set up host overrides in DNS resolver so you can connect to \\hostname\share. Your recent history might be enough to make it easy to work with. That or just \\1.2.3.4\share. DNS resolver host overrides work great on smaller networks. MS really needs to build in AD lite for home networks. IPv6 makes it much harder to "just use IP addresses."
  • PPPoE Session Drops with VLAN

    2
    0 Votes
    2 Posts
    431 Views
    Some further info I have found on closer examination of /var/log/ppp.log
        [opt1] Bundle: No NCPs left. Closing links...
        [opt1] IPCP: state change Closing --> Initial
        [opt1_link0] LCP: SendTerminateAck #52
        [opt1_link0] LCP: LayerDown
        [opt1_link0] PPPoE: connection closed
        [opt1_link0] Link: DOWN event
        [opt1_link0] LCP: Down event
        [opt1_link0] LCP: state change Stopping --> Starting
        [opt1_link0] Link: reconnection attempt 1 in 3 seconds
    It also turns out it is less random than I had thought. It is every 4.5mins. I was thinking it might be this https://redmine.pfsense.org/issues/3821 but that issue is apparently resolved in 2.1.5 which I am running. Any ideas here?
  • 2 WANs with 3 LANs

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Same VLAN on two ports on pfsense

    3
    0 Votes
    3 Posts
    4k Views
    johnpoz
    Or if 2 interfaces are connected to the same layer 2, you could also set up a lagg.. You're not thinking the interfaces of your firewall/router are switch ports are you?? If you need more ports, get a switch!!! Interfaces on pfsense should be network interfaces..
  • I can't get VLAN tagging to work, any help?

    9
    0 Votes
    9 Posts
    2k Views
    In your last setup, you've set the tomato settings to tag VID 30 on port 2, and nothing else.. Where do you define where VID 30 originates? in the SSID settings? Also, did you add rules to that GUEST interface to allow traffic to enter pfsense?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.