so can you make other connections to these routers, what routers do you have? If you can make another connection to these routers then you don't even need pfsense, unless you were wanting to firewall between the segments.  If your wanting to put pfsense downstream it can be done but more of pita.  And you going to be hairpinning connections and not optimal setup and you can have asymmetrical routing issues without transit network unless you did host routing If your routers can have another interface with a different network its really simple. So on router 1 you create routes 192.168.2.0/24 172.16.0.2 192.168.3.0/24 172.16.0.3 on middle router 192.168.1.0/24 172.16.0.1 192.168.3.0/24 172.16.0.3 router on the right 192.168.2.0/24 172.16.0.2 192.168.1.0/24 172.16.0.1 Bing bang zoom all your networks are connected..  If you trying to put pfsense downstream of them all its kind of pita and you have issues with asymmetrical.. Unless your switches can do vlans and your routers can do vlans if you only have 1 interface.. If not I would prob put pfsense upstream and use it for your wan connections - this would allow you leverage both your wan connections in a load balance or failover setup.  See 2nd attachment. [image: join3seg.jpg] [image: join3seg.jpg_thumb] [image: join3seg-a.jpg] [image: join3seg-a.jpg_thumb]

OK. I just fixed the access from pfSense to the server. Now using the Test Port I do get response from the server on the port. Now I will try the port forwarding all again. Thanks :)

May I add that u can use tcp_outgoing_address squid option to do what u want, refer to http://www.squid-cache.org/Doc/config/tcp_outgoing_address for more info.

I see John's made more progress so I'll abandon this thread.

The link between the two should be a new subnet on a new interface/vlan interface, not something out of one of the existing ones.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

Thanks for your replies, I figured what was the problem, the firewall rules on the target workstations were allowing replies to their own subnets only. That's why it worked with nat only and not with the routing. As soon as I changed them problem was gone. Finally I can move forward now, I wouldn't have liked to leave double nat on, that a bit of an ugly workaround. Thanks again.

Turns out it was either a  bug with 2.1.x or the upgrade to 2.2.x fixed a corrupt config or something. After the upgrade, both bindings are able to connect to the PBX simultaneously (as they should), and fail-back now works (with some additional SIP config).

It was actually a static ARP entry matter - once i went to DHCP leases, selected the AP, and edited it to add it as an "ARP Table Static Entry", they know appear "online" on the DCHP Leases page, out of the available DHCP range but well within the total /25 range :-) Now if i could just get pfsense to forward the DNS names so that i can could see the actual device name in my DDWRT APs (rather than just ***** as a name, and then the actual subnet ip the wifi device is)…

Ok, after many attempt maybe I found a solution that in some conditions works fine. I describe it here for reference for others: It works with a physical desktop switch, it does not work with a VNMware virtual switch (even with promiscuos mode enabled) I recap scenario: A) One physical WAN NIC available (192.168.1.254) B) Many gateways each representing an internet connection (192.168.1.1,192.168.1.2,….) C) Archieve failover/lb of the gateways using only 1 physical nic Solution: use BRIDGE interface Create one bridge interface per each gateway minus one (will be assigned to WAN NIC) - Go to Interfaces > (Assign) > Bridges > + sign Go to interface assignements and  configure each interface with one IP on the public segnment (i.e. 192.168.1.253,192.168.1.252....) with NO gateway If you have 3 gateways to set up, you will end up with WAN NIC (192.168.1.254) + 2 OPT interfaces (192.168.1.253 and 192.168.1.252) At this point standard wan load balancing guide should apply (just check that outbound nat is configured accordingly): you will have to use one interface for each gateway

i know this is an old post of mines… but i am still doing the planning.. i have given up on doing any type of bonding .. if i have to do that i would have to use some external service.. my question now is regards to load balancing... in my setup i am aiming to get 3 connections from 2ISP ... each would be 200Mb/20Mb... Most of the traffic we would be handling would be from out backup service customers.... Would pfsense be able to load balance outbound return traffic ? as in a customer makes a request to download a backup... the request comes in on the main ip on isp line 1.... but the outbound traffic on line 1 is at 75%... would pfsense send the return traffic over isp line 2 (which has a lower usage) or isp line 3 depending on the outbound usage ?? now all my traffic is going through https/ssl ... so i am open to ideas... If its possible .. i would just build a mid range supermicro box with a xeon processor and some ram to do it. any pointers will be greatly appreciated .

Yes the routes are displayed in the routing table: 10.0.88.0/24 10.0.88.2 UGS 0 1500 ovpns1 They appear even in Quagga Zebra Routes: K>* 10.0.88.0/24 via 10.0.88.2, ovpns1 But I can't see them in Quagga OSPF Database. So it's normal that their not announced; Adding routes using the GUI is not really what I need. In deed when add routes to the zebra daemon I can see them announced. I have tried adding static routes to quagga ospf in debian and their are announced with no problems!! (What I'm trying to do is annoncing client routes once their connected to my openvpn server. So I need to add static routes)

This is router issue i think. No, it's not.  You said you are trying to get DHCP working on your Windows 2012 server and you turned off DHCP on pfSense.  So now that your LAN clients can't talk to your DHCP server, that's somehow pfSense's fault?

@tim.mcmanus: I know you don't want to merge pfSense instances into one, but that's honestly the easiest way to do it.  Then you can have WAN1, WAN2, LAN1, LAN2, and do the routing that way. Thanks for the screenshot. I tried again adding a vSwitch and interfaces to both boxes and still couldn't get the rules to pass packets between them.  It should have worked but it didn't.  I looked at the routing table and it looked like the rule was too far down in the table and never got triggered, which would explain why the packets went out to the internet. In the end I mostly did as you suggested.    I added the VMs that were attached to the second rounter into the first router so they can connect.  Then I added an interface to the second router as wan2 on the first router.  Then I added a rule to the first router to push traffic to the second router and out through WAN2.  A little kludgy but it works.  The DHCP is the only issue with the setup now, but I just used static IPs and it works ok.  Not as isolated as previously but its working now. Thx again for the help.

No, it is not possible to have "the same network settings" for "8 individual networks", how on earth would you imagine that to work?

Ok. Left everything overnight without touching the config ( pfsense -> L3 ) switch: Seems everything is ok. Bandwidth tests (using speedtest and your link ) are attached. Please note that the four (4) WAN interfaces are DSL ( 8mb/768kb , 13mb/1mb, 10mb/768kb, 8mb/768kb ). Would love to have faster, dedicated links but Internet its too expensive in my side of the world :-) [image: speed.jpg_thumb] [image: speed.jpg]

The short answer is yes, you need a distribution switch between the provider equipment and the firewalls. You could use two switches, or vlans on a single switch.

You should be able to do this with pfSense but be aware that if two servers are using the same public IP address and same port, that will create a problem. For example, if Server1 and Server2 are web servers, you cannot host both web servers using the same IP address because pfSense will not know which server to route the request to.  If you map port 80 to both servers behind the firewall, when pfSense hits the first port 80 forwarding rule, traffic will go to that server. So just be aware that collapsing public IP addresses into one single address may cause issues if servers behind pfSense are using or expecting data from the same incoming ports.