Thanks! It solved my problem.  :)

"All ports in switch are untagged for 10.0.1.0/24 (vlan1 and default vlan); tagged for 192.168.1.0/24 (vlan 2.)" How do you have the ports set??  And how did you create your vlan.. You assigned this vlan to your physical lan interface right?  See attached, I have multiple vlans on em2, and it also has its native (untagged) network wlan.. On the switch the port connected to em2 trunked where those the vlans are tagged and the native vlan is set to 20 (untagged).  Notice the ge10 interface is native or PVID is set to 20, ports that are directly connected to a device don't need to be tagged.  Only interface that connect to say another switch or interface with vlans on it need to have vlans tagged.  Ports that connect to end user device, say computer for example normally are set to be untagged in the vlan you want that port/device in.  If your tagging that traffic, then you would have to set the interface on that device to understand the tag.. Or its going to be using the untagged.. You stated that you have all ports untagged for vlan 1 (default vlan) and then also have tagged traffic on it.. That is not how I would normally do it for sure.. So in my case pfsense em2 is native on vlan 20, it then has the other vlan interfaces assigned to it 100,200,300  So any untagged traffic it sees is assume to be going to the physical interface.. Any traffic that is tagged will be seen with the vlan interface that its tagged for. As to connectivity between normal untagged traffic on interfaces and vlan interfaces be it on the same physical interface or different ones just require firewall rules to allow the traffic you want.  To be honest when first setting it up use of any any rules makes it easy that you actually have connectivity..  Keep in mind any software firewalls running on the different vlan/network segment most likely will be blocking traffic from another network.  Windows machines for example would block pings coming from a different network other than the network they are on.. So if they are on say 192.168.1.0/24 and you ping them 192.168.2.0/24 they would not answer until you setup their firewall to allow that. [image: vlans.png] [image: vlans.png_thumb] [image: tagging.png] [image: tagging.png_thumb]

Sorry for the confusion…. I have two site as stated above. Each site has there own 100/100 fiber internet connection. There is a 1GB fiber link between sites. I need SITE  1 to be able to access site 2 over the fiber. All vlans 10,20,30,40,50 are at each site on different subnet (currently I am using IPSec Tunnels over the Internet) What will be the best way to make the two sites route traffic over the fiber.. It created VLAN 224 at site 1 ip 10.0.0.253/24 on pfesense  and trucked the vlan on the port from pfsense to the switch. And on the switch port that connects the fiber to the other buiding and at the other site I did the same with VLAN 225 and interface ip 10.0.0.2/24 Do I need to create routes on the switch or just on pfsense

@kapara: You need to say allow any but from source network.  If you mirror the default lan rule on the second interface but use the correct source you should be fine So means that I need to allow from WAN (source) to any(destination) rule for both LAN_10 and LAN_192?

Send screenshots

If the latter you are going to need a third router. One that has both WAN subnets on interfaces and freely routes between them. It would be taking the place of "The Internet."

Hi Derelict, Thank you so much. It works. Cheers

when either 1 or 2 of the 3 wan is/are down, still the remaining wan should work

Will do  Derelict, thanx very much for your Expert Help…....  :)

Do you have any 1to1 nat setup?  If you assign that gateway to a pc and do a whatismyip which gateway shows up.  You really need to provide a detailed representation of your setup if you want someone to help.  People are not going to waste their time playing 20 questions.

It will be even the best method to ask one thing and then the next one, that all things would be able to be clear as possible to all users here in the forum. To ask all questions in one thread would be nice to in some situations but often it makes things more complicated for everybody that is involved except your self. Only my 2 cents. If you have three WAN interfaces and one LAN interface and you would not lead the LAN clients over specific WAN gateways, auth. by their MAC addresses, this will be two different things in my eyes, but able to realize for sure, but what I not understood is the following, why you want to filter at the WAN interface the MAC addresses coming from outside? As I was understanding it you will be identifying your LAN clients by their MAC addresses and route them then over a specific WAN interface or gateway. Can you please tell something more about that. In normal you will be setting up pfSense as the following for that actions in my eyes; create three WAN interfaces and gateways chose a proper load balancing method for that – Policy based routing -- service based routing -- session based routing Install Squid with user auth. and create for each user an account and set up there the MAC address. (alternatively you will be able to deal with internal static IP addresses, thats also able to do) set up the failover rules (please note, if both other WAN connections will be stopping their work all your traffic will be running over the last one and also the Apple TV over the SAT connection if this will be last working one) I would try out policy based routing in your case and then over MAC auth. and then if one or more WAN connections are failing all the clients would be able to route over the last one, that will be not able to do if the MAC address is bounded to one specific WAN interface as I know it. sample rules for load balancing and fail over (over the forum search function) nice HowTo for a multi WAN setup (little bit old but good explained with many pictures)

Of course. You can get around this by doing an outbound NAT on the 10.0.14.1 (VLAN1) interface so traffic to 10.0.14.6 appears to come from 10.0.14.1 which eliminates the need for the return traffic to be routed.

@chocoboss: But don't know why I can not unset default route, is that normal ? Every time I unstick default getway boom it automaticly reset as default. There is no such thing as having "no default route" using the GUI in pfSense AFAIK.  The default gw would only affect traffic originating from the firewall itself as long as you are using Gateway groups (Policy-based Routing). So if you uncheck your default gw it will assign another gw as your default.  This is expected and normal behavior.

Have your ISP route a subnet to one of your WAN addresses. You can then assign that subnet to the DMZ interface and firewall on WAN as desired.

Hmm.  I wonder if gateway switching would resolve my issue of not getting syslog notifications when my primary wan goes down at one client.