Well, yes. I first checked that ip redirects are sent, both firewalls would do that. I assured that the logs are all active, that looks ok. I still see no blocked traffic though, very strange. I will activate layer 3 switch in about 1.4 hours on the LAN, and hopefully this will resolve all of that. Although it would've been interesting to know what the issue is,…

This seems like a asynchronous routing issue to me…  so when you route traffic through pfsense to a lan IP as a gateway.  What keeps the return traffic from just going to the client directly? Better option here would be to just create routes on that client to use that lan IP as its gateway for networks you want to get to, or even default, etc.. if you have a downstream router that you want to use to get to internet or other networks for some clients then that router should be on a transit network between it and pfsense so you don't run into asynchronous routing.

It won't work…Quagga OSPF actually has two OSPF daemons, one for IPv4 the other for IPv6.  Sadly, the pfSense web gui only manages the config for the IPv4 ospfd. You need to manually edit ospf6d.conf, manually start ospf6d daemon, and if you're using CARP, etc good luck, there is no integration whatsoever.

using 8.8.8.8 as monitor ip for OPT1 allows me to ping 8.8.8.8 through OPT2, but it allows me to ping ONLY 8.8.8.8, no internet access (ping in any other external IP) [image: tVbyeas.png] both GW are UP, just restarted the server… still no access through OPT2-OPT1 [image: Qn52wfH.png]

@bullet92: I Alessandro. I have the same setup with pfSense 2.1.3 recently upgraded to 2.2.5 with no issues. Try with ping utility to ping somewhere to see if u have a REAL packet loss or problem with apinger. What setup are using now? hardware or VM? and what NIC? PS. DNS Google doesnt like to be pinged too much  ;D I had this problem in ALL configs, both Hardware and VM, and with ESX and Hyper-v. The ping are REALLY lost, i'm pinging from external pc, only one PPPoE interface respond, some packet respond from one, some other from the other one. The only workarround (simple, but not right) is to "push" the VLAN trought the hypervisor and publish the phisical nic as 2 sepearate nic in the VM. In phisical environment you have to add a dedicated nic. You can easly reproduce the problem that append only in a particular configuration: SINGLE NIC FOR 2 WAN Both WAN requires PPPoE Each Pfsense WAN have a VLAN I usually use HP1810 as switch, but with EEE turned OFF, I don't think that could be a switch problem, becouse pushing the VLAN trought hypervisor works like a charm with the same hw and sw configuration. Tnks Ale

"the other gateway is in the same lan  on 10.20.0.10" You don't set a gateway on a LAN interface, or it becomes a WAN..  So you just created a gateway using your LAN interface??  You didn't actual set the gateway on your LAN interface?? So you have a downstream router that has a interface in your lan (10.20.0/24)  Your lan interface in pfsense would NOT have a gateway set..  You have a possible problem with asynchronous routing if you don't connect this downstream router with a transit network.. So is this your network?  See below. Without a transit network you have issue that when client in 10.20.0/24 wants to talk to 192.168.1.0/24 he sends traffic pfsense 10.20.0.1, which sends to 10.20.0.10.. Now when 192.168.1.0/24 talks back it doesn't have to go through pfsense since that downstream router has interface in the 10.20.0/24 network directly.. This is problem!  Not only do you have a hairpin you also have asynchronous routing.. Your paths are different to and from where your going..  This is normally BAD!! Is this downstream router natting? Do you have a switch that supports vlans?  If so you could create a transit network via vlan..  See 2nd image showing a transit network to get to the 192.168.1.0/24 network. [image: yoursetup.png] [image: yoursetup.png_thumb] [image: transitnetwork.png] [image: transitnetwork.png_thumb]

And what part do you not understand about OUT OF STATE traffic? If you don't want to see it then turn off logging of default rule, create your own block rule that logs but only if SYN if no SYN then doesn't block or log but will fall through to the default and get blocked but not logged.

if the machines are windows, the built in firewall normally would block ping and file sharing from other segments as well.  Need to adjust the machines local firewall to allow the traffic you want even when pfsense has rules on both interfaces to allow the traffic.

I would revert to factory settings, then configure your WAN to the correct IPv4 Type to DHCP and get rid of your MTU settings.  There is nothing magical you have to do here.  It just works unless something is interfering or you have misconfigured it.

So not fully redundant, but it's a start. Also not the real thing, if the one Internet connection fails you will have no benefit from this point. But for sure if this might be a real goal or benefit for your network go the way that @Derelict was showing you. It would be the best choice to realize it like you might be able to do.

Hi, do you mean a configuration like mine? https://forum.pfsense.org/index.php?topic=101192.msg574529

No, you can't have the same gateway on two different interfaces.

@bucefal: Dear all, I searched for a similar topic, but I didn't find a clear instructions on how to combine L3 Switch with pfSense box. I have a 3COM 4500g layer3 switch with routing features which I want to use and a pfSense 2.2 (amd64) which I'm going to use as a firewall directly connected to my ISP.  I need to create several Vlans and all of them need internet access. vlan1 172.16.10.0/24, pfsense addr 172.16.10.1, switch addr 172.16.10.2 valn3 192.168.3.0/24, switch addr 192.168.3.2 vlan9 192.168.9.0/24, switch addr 192.168.9.2 So far I created the vlans on the switch and created a corresponding ipv4 interfaces for the switch and configured an access ports for the hosts. So my questions are: 1. Do I have to configure a trunk between the sw and the pfsense? I would.  Create a transit network interface on pfSense, say 172.31.242.1/29. Create a new VLAN on pfSense and the switch. Tag the VLAN on a trunk between the switch and pfSense (It could be untagged but just tag it now so you can simply add another VLAN in the future if you want.) Create a ve on the switch, say 172.31.242.4/29. Set default gateway on switch to 172.31.242.1. Create gateway on pfSense for 172.31.242.4. Create static routes for all your VLANs on pfSense pointing them at the switch gateway. 2. Do I need to assign the vlans and assign IP addresses for these vlans on the pfSense? If so which interface will be the default gateway - the one of the switch or the pfsense? Not if you are using the switch as a layer 3 router. 3. What kind of Firewall rules do I have to create on the pfsense box, so all vlans have internet access? The pass rules on the transit interface (172.31.242.1/29) have to pass all traffic from all networks. 4. Will I be able to route to all Vlans when connected via VPN connection (IPsec or PPTP)? Should be as simple as adding them as local networks. 5. Do I have to create a manual NAT outbound rule on the pfSense for each vlan? I believe 2.2 is pretty good at picking up the static routes in auto outbound mode, but just switch to manual and add rules for: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 If those are going out WAN you want them to NAT, so just NAT them all.  Put anything more specific than those on NAT rules above them.

google multicast google broadcast