I have all my opt interfaces renamed.. that has nothing to do with your problem..  Unless maybe your trying to call 2 the same name? Some are physical nics, others are vlans on physical nics - see attached. [image: interfacenames.png] [image: interfacenames.png_thumb]

Hi Two things come in mind when i see your setup. Did you configure the VLANs on the client side properly? The packets need to be tagged with the correct VLAN id (automatically or by the client) and accepted on that Port on the Switch. Do you see the blocked Traffic in the firewall log? Then you are missing a firewall or NAT rule to allow traffic to the Internet or other subnets. Everything else seems correct. I can not tell you the VLAN setup on the ESX side, as I currently have no ESX by hand to check or test some settings.

I figured it was that simple. Thanks!!

The issue is solved. In Static mapping, I had to select IP blocks different than my ADSL modems. As you see above, my Modems (WAN Interfaces) sit on 192.168.2.x and 192.168.3.x So, when I set Static mappings for my client devices as 192.168.2.x and 3.x; those devices fail to access internet. I choose 192.168.0.X or 192.168.4.X, and devices succesfully connected to internet. Thanks for helps.

This has helped us solve the problem: TIPS: [1] Diagnostics/Misc Go to Status -> Interfaces Go to Diagnostics -> Routes https://forum.pfsense.org/index.php?topic=43982.15 In System -> General Setup a. Uncheck: Allow DNS server list to be overridden by DHCP/PPP on WAN REF: https://forum.pfsense.org/index.php?topic=43982.0 b. Try setting "Use gateway" to none for the Google DNS servers [2] DNS Resolver -> Set "Enable Forwarding Mode:" to true: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN configurations unless default gateway switching is enabled. REF: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver [3] System -> Advanced -> Miscellaneous -> Load Balancing Set Enable default gateway switching to true: If the default gateway goes down, switch the default gateway to another available one. This is not enabled by default, as it's unnecessary in most all scenarios, which instead use gateway groups. REF: https://forum.pfsense.org/index.php?topic=72445.0 REF: https://forum.pfsense.org/index.php?topic=45081.0

your 2950 is only layer 2, it will not do L3 that I am aware of.. so you have 250 and 251/24 running on the same layer 2 or do you have this setup with vlans using pfsense to route these? Why don't you just connect your buildings with a transit network between your pfsense and then you could just use policy based routing for any client in building A to use the internet in B, or you could have B use internet A if you wanted, etc.. Since you show a client on that 251 segment this is clearly not a transit network. If you connected your building correctly, simple routing/firewall rules to allow whatever you want to use whatever wan connection in either location.  You could have multiple networks in each location, etc. Done correctly you would never have to change a clients gateway, done correctly you could even leverage the wan in each location for load balancing, nor would you have to do any natting between your rfc1918 address space, etc. etc. [image: transitconnectbuilding.png] [image: transitconnectbuilding.png_thumb]

My guess is just lack of understanding.. Or some mindset that is still stuck in the classes of IP ranges that has been completely meaningless since what the early 90's when cidr came out - just boggles my mind that they still even talk about class in books and school.. You would never in a million years put that many clients on a broadcast domain, the only place I could really see such masks are in route summaries and or allocations of networks to a site, etc.

"route delete x.x.x.x" where x.x.x.x is the network address in question.

reply-to     The reply-to option is similar to route-to, but routes packets that pass in the opposite direction (replies) to the specified interface. Opposite direction is only defined in the context of a state entry, and reply-to is useful only in rules that create state. It can be used on systems with multiple external connections to route all outgoing packets of a connection through the interface the incoming connection arrived through (symmetric routing enforcement). Pretty sure pfSense makes sure that's the case where possible.

OK my explanation of the issue was wrong. I ended it with this statement "Perhaps this could be set using an alias that references the interface gateway?" referring to the reply-to setting for WAN rules. Well that was not the issue as the system does exactly what i asked. The issue I was having is that the default gateway on the secondary firewall was being changed via the XMLRPC sync. Not sure how I could still reach the secondary firewall unless the route was not being change in the routing table which may be due to a bug I have reported before. Anyway the fix for my issue would to simply allow specific routes to be ignored for config sync. Otherwise I can enter routes on each pfSense system in the clutter manually. So i guess this has really become a feature request. Thanks, Chris

@chris4916: If you don't even tell "what doesn't work", then helping is quite difficult  ;) Sorry for not being clear. When I configure the outbound connections using PPPoE, pfSense does establish a connection on each of the 4 outbound lines. The IP addresses are assigned to the interfaces correctly. However, when trying to test out the load balancing, it is noted that with multiple torrents having enough seeds, all traffic is being directed to a maximum of two outbound lines. Same with a multi-threaded http download using Internet Download Manager. What seems to get it to work is to use only two of the interfaces, one from 59.x.x.x gateway and the other from 117.x.x.x gateway in PPPoE mode. So now, I have two PPPoE interfaces and two of the other modems are configured in PPPoE mode directly with the pfSense interface on DMZ mode for both of them. Using this method, I am indeed able to load balance all the four outbound lines and utilise the entire available bandwidth on each of them. I may be wrong here but it appears to me that pfSense still cannot load balance if the WAN Gateway IPs are the same? Please correct me if I am wrong so that I can devote some more time to get it to work in the correct way and get rid of two tiered NAT that I am currently having to use on two of the interfaces. Thanks for looking and responding.

IP conflict on eth2. Make sure no other device is using 10.1.9.12 on second telekom router. Try a different static IP address

Firewall>lan>new rule>destination port (sftp)>default gateway> select any 1 gateway loadbalance grouping will not work on ftp

@bluerain: My setup: ISP Modem > ISP Router (Only 1 LAN port is activated by the ISP) > Switch Hub (Used because the ISP Router has only 1 LAN port activated) >  Linksys E3000 (ISP Static IP & DHCP Enabled) > PFSense Server (WAN DHCP from E3000 & LAN for clients) > Clients (DHCP from PFSense / Others are  static) Multiple possibilities of things going wrong: 1. ISP router, Linksys router and pfsense lan need to use different lan subnets. If they're on the same subnet they could conflict. 2. Make sure the firewall of routers before pfsense are turned off and let pfsense handle firewalling (this is what is pfsense best at) 3. DHCP could also be a conflict, you could assign your pfsense box a static IP on WAN side and disable DHCP server for linksys 4. You essentially have two devices performing NAT on your network even before pfsense gets to the traffic. Maybe plug in pfsense box directly to ISP modem and take it from there. If you could show a diagram of traffic flow with the lan subnets and default gateways of all the devices if could give a clearer picture

EDIT: these are the pics to make it work if anyone has the same issue The VLANS 3 AND VLANS 4 on the switch I have on port 1 my pfSense PORT 14,16,18 my AP-LR PORT 20 my powerbeam I tagged ONLY on the VLANS 3(invitados) and VLANS 4 (dispositivos) and make sure the primarly default NOTHING IS TAGGED that vlan everything has to be untagged Hope this helps see pictures [image: Clipboarder.2016.01.09-013.png] [image: Clipboarder.2016.01.09-013.png_thumb] [image: Clipboarder.2016.01.09-014.png] [image: Clipboarder.2016.01.09-014.png_thumb] [image: Clipboarder.2016.01.09-016.png] [image: Clipboarder.2016.01.09-016.png_thumb]