Thank you!

That was actually much easier than I thought.  I guess I was over thinking it.

Ryan

@n.vakili:

Problem solved! and thanks for the reply. the problem was not with the switch

Solution on enabling routing between vlans:

add gateways for each vlan in System->Routing menu then in each vlan interface enable "up streem gateway" to that vlan's ip address then add the default rules  on vlans to enable internet access ( this will also make access to vlans ). these two rules for each vlan:

IPv4*  ART(myVLAN) net  *  *  *  *  none      To share internet

IPv6*  *  *  *  *  *  none      To share internet

none of those other rules is required.

uhm what now ? because that advice seems awful if it is what i think it is.
you should never use gateways for directly attached networks. you shouldn't need to manually add routes for directly attached networks.

if for whatever reason, this works for you: its gonna bite you in the ass at one point or another. please find a sane solution to your network problem.
i'm sure if you provide enough details, that the folks on this forum will be able to help

Thank you. I got it working!

Next, if I could only get my port forwards to work properly.

You can setup 1 to 1 nat and then create rules pointing to internal IP to allow specific traffic.

yes, it is possible to specify ports while policy routing

Hi !

I just got it working actually….accidentially I would say...

I was trying to figure out why all this happened so I temporarily removed the 0.0.0.0/0 route (default) via the normal DSL gateway.

I instead added default route via tun0

Ofcourse this led to traffic flowing as expected following the default route over tun0, even the replies...

Now the really strange this happens :) I wanted to reset the default gateway by up/downing the WAN fxp0 interface and regained the IP for default gateway, BUT, and here´s the strange thing....everything still works as expected.....strange I thought and checked the routingtable (I was expecting traffic to fail in reply as I´ve written above)

What I found bugs me alot...

Destination        Gateway            Flags      Netif Expire
default            10.42.43.254      UGS        tun0

The default route is OK via 10.42.43.254 as this is the DSL router, but look at the Netif for this.....

I really have no answer to what really is happening other than I am happy everything now works as I wanted....In theory this should not work at all...

Can you explain this ?

If I understand correctly, having this bug fixed would allow Load Balancing + Transparent Proxy to work again. This pfSense functionality is IMO quite important in many "real world" scenarios, like for example when setting up Guest WIFIs.

luckman212: did you find the time yet to try to replicate the bug on stock FreeBSD, like Jim Pingle described in his ticket post? Unfortunately, I have zero FreeBSD knowledge, but I'd be willing to invest some time to setup a test system if someone would be prepared to help a little.

cuteredstorm: I don't fully understand your message in the other thread. Did you manage to get the functionality working by using some kind of workaround? If so, could you please describe the workaround in more detail?

I was really sure having all the right setting checked over and over again. then i narrowed the problem down to a faulty router at LAN2 (just doesn't respond to ping outside of LAN2) and 2 workstations running Windows 8.1 and 10. You would not believe replying to ICMP Echo Requests had been disabled in the default firewall policy  ??? So, problem solved.

Thanx anyway Heper.

That's complicated from a router perspective because it's the host itself that has to policy-route the traffic if I'm understanding correctly.

Or you need to set up a transport network between router A and router B so the default gateway on the host is either router A or router B and that router can make policy routing decisions for you and send the traffic to the other router based on policy rouuting rules.

Derelict,  >:(

I think we have got winner!!! ;D

I was about to throw the Tyan GS10 through the window along withe the firewall :P

You mentioned to check other factors that might block web access.

I was thinking about a misconfigured NAT or rule, you said it could be anything, well it turned out to be the resolver ::)

I should have known that as I was a former IPCop user.

Derelict I would say BRAVO, I have learned alot about pfsense in a short time and will continue expoiting it to some degree at least.

I will move forward to the access lists, and fine tuning

Many thanks

Sincerely,

IRIXos
I HATE FreeBSD desktops

Thanks. It works perfect.
I tried without adding a VIP and as Johnpoz writes, it works fine without VIP.

Thank you very much.

That is the option.

How to do so varies depends on the modem, but generally they all have an option to be put into a NAT mode, where the modem will obtain your public IP, and have a private IP subnet internally. Look up the manual for your modem.

Already Solved Thank You very much! ;)

All you need are phase 2 entries on IPsec to cover the additional traffic flows:

Site A gets an additional P2 for 10.0.1.0/24 to 10.0.2.0/24.
Site B gets an additional P2 for 10.0.2.0/24 to 10.0.1.0/24.

OpenVPN server also needs 10.0.2.0/24 set as a local network so the client gets a route.

Then so long as the firewall rules allow the traffic it'll flow

Hi,

Thank you, that really opened new options for me. For anyone else looking:

yes, you need to explicitly specify the upstream gateway on the interface

this is not enough, when you have floating rules accross both interfaces (provider A and B), but want different paths. So create separate rules :)

I am tracing from pfsense.

What do you mean with LAN Rules?
I test often with the FW turned off.

So when I trace the 10.112.220 the GW 192.168.33.3 should apear as the first hop.

Is my route wrong?

In System -> routing I:

Configured my two GWs on the WAN Interface and the 192.168.33.1 is the default one. then I clicked on the "Routes" tab and configured the route: 10.112.116/0./24      GW: my second GW      interface: my WAN interface

is there anything else to be done?

Markus