• [BUG?] Interface name cause routing issue

    3
    0 Votes
    3 Posts
    645 Views
    @cmb: The name of the interface has no impact on routing. That's what I thought too ;D before this! @cmb: That 192.168.x.5 is configured somewhere with a route. If not within OpenVPN itself, maybe as a DNS server IP specifying the VPN gateway. In normal "netstat -rn" I can't see 192.168.x.5 (maybe because monitor configured in routing is itself and it isn't default router), but it is WAN1 gateway in a multi-wan setup, it's also one of DNSs configured in "general setup" and it is the server of my VPN. This routing issue appears only when my interface name has that name, maybe because of "_", I don't know why. If I have time I will try to replicate this issue on a VM.
  • Routes for certain subnet

    2
    0 Votes
    2 Posts
    809 Views
    @robina80: hi all, in the screenshot below is my route table on our procurve switch. atm all our networks are going out via our tmg router (0.0.0.0/0 172.16.24.65) but I want to make a particular network go out via our other router pfsense (10.8.0.0/24 10.10.20.254) <<< what are these? are these local lan subnets or pfsense boxes are on this subnet .. now if I do this will it mess up with the routes because atm the 10.8.0.0/24 has a gateway on the switch and so do all the other networks, so will all the other networks try to go out via the pfsense instead of the tmg which obviously I don't want to do. thanks so much rob. on second look I couldn't grasp your question.. perhaps you can draw a quick diagram of your network. but if you want to do pbr .. the pbr should be at the hp switch .. I doubt it supports it. what you can do is to do a pbr on tmg .. so tmg will throw traffic matching certain criteria to pfsense.
  • Two 'WANs' with separate LANs

    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • Configure Pfsense as a router on a stick

    2
    0 Votes
    2 Posts
    4k Views
    I figured it out. pfSense won't let you use your original LAN IP address in addition to the VLAN interface IP. So I went to "interface -> LAN". Under "IPv4 Configuration Type" I selected "none". But the remaining VLAN interfaces kept their respective IPs. I gave it a reboot and "voila", problem solved.
  • Does pfsense support the style of pppoe that ddwrt does?

    3
    0 Votes
    3 Posts
    644 Views
    @Snailkhan: the vpi settings were on my adsl modem not on ddwrt. Was about to suggest that… ;)
  • PfSense and Layer3 switch routing with pfBlocker & OpenVPN

    5
    0 Votes
    5 Posts
    2k Views
    @irj972: Am I correct in my understanding that if I create a router-on-a-stick setup with all the VLANS mapped across a 1 or 10gig link to pfsense, the pfsense box will still be doing all the routing basically using the cisco as a layer2 device. If I don't expose the different VLANS to the pfsense box, I don't know how I can select individual interfaces/VLANS to apply pfBlockerNG rules or selective routing via firewall rules to. It all comes down to who does the routing -> you configure a GW for a subnet If that IP belongs to an interface of pfSense, it will address pfSense for everything that is not in its subnet, and pfSense takes care of the routing (with or without NAT). If that IP belongs to an SVI on your L3 switch, you will be doing intervlan routing by that switch. For subnets unknown to the switch, it will forward to its default route (or not, depending on your config) In the scenario of pfSense doing the routing; The pro is you have all control in pfSense. The con is that you will need cpu power to process packets. In the scenario of your Cisco doing the routing: The pro is that routing is at wirespeed (HW assisted). The con is that all security between those routed subnets by the switch must be done in ACL's in the switch. Internet traffic is another story. Also a caveat is if dhcp is provided by pfSense, in its current form it cannot handle requests from non-local subnets. my 2 cents in a nutshell… ps: A mixed scenario is perfectly possible...
  • Unable to ping Wan

    2
    0 Votes
    2 Posts
    674 Views
    KOM
    You have to add a rule to WAN to allow it to respond to pings. The Block Private Networks rule on WAN will likely stop all inbound traffic from your real LAN.
  • Squid bypassing why Multi Wan Group

    9
    0 Votes
    9 Posts
    3k Views
    Virtual IPs don't seem to be affected by the LAN rules. However they do trigger floating rules. If you set a floating rule on the LAN interface from the Virtual IP to change the gateway, it may have a better chance of working since it's early in the chain. Floating rules on WAN don't work for changing the gateway.
  • Port forwarding problems

    8
    0 Votes
    8 Posts
    2k Views
    Derelict
    Not sure what to tell you about "not working" this stuff really does "just work." Maybe you should back off the cool shit like multi-wan and failover until you have the basics like port forwards and rules down. Good list of things to check here: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
  • 2 subnets on same wan

    16
    0 Votes
    16 Posts
    3k Views
    @chris4916: Sure but there is an extra difficulty with this design because of wifi link in the middle which also requires management, if I understand well  ;) No, the real problem is that this is a multi wan/multi lan setup. If we simplify this and say that I want to create a new wan (wan3) in addition to the two existing and just want to access a modem in bridge mode with an internal management IP address of 192.168.100.1 on Wan3 then what I tried was 1. Create a new wan in DHCP mode - wan3 2. Create a new Virtual Ip type other on wan3 with address range 192.168.100.0/24 3. Create a nat outbound rule on wan3 source=* destination=network/192.168.100.0/24 translation=192.168.100.0() 4. Add rule on management lan to route 197.168.100.0 to firewall rather than wan1. This would appear to be borne out by this post but it doesn't work for me. https://forum.pfsense.org/index.php?topic=26818.0
  • Problem with outgoing L2TP VPN connections when using multiple WAN's

    4
    0 Votes
    4 Posts
    970 Views
    jimp
    Then it's L2TP/IPsec and at the firewall level you should be working with udp/500, udp/4500, and ESP traffic. If you have policy routing it's possible the ESP traffic is taking a different path than the UDP traffic which breaks it. You need to setup a failover (not load balancing) rule for traffic to the remote VPN server, or maybe use sticky, or maybe your outbound NAT on WAN2 is different (no static port for udp/500 traffic?).
  • Configuration Help - Adding 2nd subnet to existing setup

    7
    0 Votes
    7 Posts
    1k Views
    Derelict
    Is pfSense able to do 2 DHCP servers (one for each subnet) or do I let the AP provide the DHCP for the second subnet? Yes. pfSense can do one DHCP server per interface. How are you going to connect the APs to two physical ports? What you want to do is usually accomplished with VLANs and managed switches. https://forum.pfsense.org/index.php?topic=88942.msg491700#msg491700
  • Multi Wan+Multi Lan Egress issues

    2
    0 Votes
    2 Posts
    639 Views
    I just reread PCI compliance and it looks like I misread the requirement.  Only need egress firewall on the actual server which is already there.  I put everything back and it is working perfectly.  Love pfsense! :D
  • Two pfSense Stacks - Management Network - Routing

    9
    0 Votes
    9 Posts
    2k Views
    I seem to have difficulties with policy based routing in general. Given the diagram above, as is (so Firewalls B&D have NO connection into Management network through a dedicated interface), I did the two following tests: On Firewall B/D, I set a static route that says: 10.0.2.0/24 has Gateway 10.0.0.4. I connect via SSH session from my client 10.0.0.123 (LAN) to 10.0.2.xxx into MGMT network. --> This works, connection stable, tcpdump looks very clean! On Firewall B/D, disabled the static route, created a RULE for: LAN network --> MGMT network and set the Gateway in the rule to 10.0.0.4. I connect via SSH session from my client 10.0.0.123 (LAN) to 10.0.2.xxx into MGMT network. --> Connection initially seems to be stable, but ssh client loses connection (freezes) after about 1 minute. When I look at tcpdump on the client, I see many many TCP retransmissions, DUP ACK and so on. This only happens with the policy based routing...any idea what might cause that?
  • Multiple subnets on the lan

    2
    0 Votes
    2 Posts
    639 Views
    Dude, for starters, adding a TCP rule does NOT allow ping… It uses ICMP. Sigh. Other than that, I don't have time for this, but - you don't want NAT, yet you are adding a gazillion of manual NAT stuff. You want routing, yet you did not add any routes/GWs to those subnets you have created on some towers or god knows what?
  • Howto - second gateway - rules

    8
    0 Votes
    8 Posts
    2k Views
    Hi, after packet capture, WAN2GW was not used for out. Removed an old nat setting for port 25 (had removed route but not nat). Reconfigured nat port 25 and 443 for WAN2GW and reconfigured the DMZ zone. All is working perfectly now. Thanks for helping !!!
  • MOVED: how to add more than 4 interface using virtualbox?

    Locked
    1
    0 Votes
    1 Posts
    561 Views
    No one has replied
  • Rules for specific Virtual IP

    2
    0 Votes
    2 Posts
    546 Views
    KOM
    I'm not sure I understand you.  Yes, you can have a public IP from your ISP as a Virtual IP managed by pfSense, and use NAT to allow a LAN server to receive inbound traffic from your WAN to that virtual IP.  I wouldn't use 1:1 NAT unless you really need that much exposure.  A simple NAT and firewall rule is enough. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
  • Switch WAN Port when Interface becomes slow

    1
    0 Votes
    1 Posts
    462 Views
    No one has replied
  • Two WANS DMZ always using WAN1 as gateway

    4
    0 Votes
    4 Posts
    597 Views
    Hi, I've enclosed the config file in attachment. Thanks for helping…. I had not cleared the states, will do this in a minute and let you know.. config-pfSense.flexus.be-20151029132819.xml.zip
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.