• Strange routing issue with ipsec tunnels

    2
    0 Votes
    2 Posts
    395 Views
    P
    I have figured out a workaround for my issue. It would appear that this is a common issue with pfSense, and if you follow the steps laid out here you will have 1/2 the solution: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F The second part of the solution is that you have to set up a virtual IP address that corresponds to your network connection with a separate IP address and then assign that IP address to your NIX machines. So 192.168.1.1 would have a virtual IP address of 192.168.1.2, or whatever IP address you choose to use, assigned as a default gateway. The Windows machines do not have this issue and can continue to use the internal IP address.
  • How do you debug routing issues?

    3
    0 Votes
    3 Posts
    715 Views
    S
    ::)  That was it, thanks. I feel stupid now.
  • Single WAN + Single LAN Failover

    2
    0 Votes
    2 Posts
    496 Views
    jimp
    If you add the other ISP-connected device as a gateway on LAN, it should be possible to use gateway groups for that. You will also need to check the box under System > Advanced, Firewall/NAT tab to bypass the firewall rules for traffic on the same interface (and perhaps add manual rules, see https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules ) The other device would also need to perform NAT for the local LAN as well. It's a bit ugly and error prone, but in theory it should work.
  • Gateway group failover

    7
    0 Votes
    7 Posts
    1k Views
    N
    Now I have deployed the traffic shaping and added a proxy in transparent mode, then it wants to use the default GW again. Again, my suggestion from a former post: being able to set a GW group as default GW (I am using squid3).
  • Multi LAN and Multi WAN

    2
    0 Votes
    2 Posts
    635 Views
    T
    Can you post screen shots of your firewall rules?  That might help with troubleshooting. I created a specific rule on both my LAN and LAN2 networks to pass traffic between them.  See the attached screen shot.  It's above the gateway rule so that internal traffic hits that rule first. ![Screen Shot 2015-05-06 at 11.12.57 AM.png](/public/imported_attachments/1/Screen Shot 2015-05-06 at 11.12.57 AM.png)
  • Can't ping from LAN to pfSense / WAN

    2
    0 Votes
    2 Posts
    2k Views
    Derelict
    Not sure why I can access the pfSense portal but not ping it. Firewall rule on pfSense interface allowing only TCP and not any?
  • Routing Traffic Between VLANS

    6
    0 Votes
    6 Posts
    1k Views
    KOM
    Heh, you are only about the 12 millionth person to be bitten by the local firewall.
  • Backhaul

    37
    0 Votes
    37 Posts
    4k Views
    A
    @afreaken: well this may be unnecessary. I replaced the box on this side with a pfSense box and the timeouts stopped. It may have been an issue with the Linux box on this side. Will post with updates after it's been running overnight. Well, things have been running smoothly for the past few days, things are looking good.
  • 0 Votes
    2 Posts
    885 Views
    T
    It should do this with its default setup.  I have multi-WAN and LAN, and the policies I set up on the WAN side are the same as the WAN2 connection.  Basic rules will route traffic out the same interface it arrived from.  Normally you'd need to create a rule to route out a different interface. See the two enclosed screen shots.  Look for port 548 being opened on both the WAN and WAN2 interfaces.  Traffic coming in from either one of these interfaces on port 548 will hit that server and it will also route out the same interface by default. ![Screen Shot 2015-04-30 at 9.15.30 AM.png](/public/imported_attachments/1/Screen Shot 2015-04-30 at 9.15.30 AM.png) ![Screen Shot 2015-04-30 at 9.15.43 AM.png](/public/imported_attachments/1/Screen Shot 2015-04-30 at 9.15.43 AM.png)
  • Rule to force one PC out on one WAN permanently

    3
    0 Votes
    3 Posts
    637 Views
    T
    I have a rule like this on my network.  I was too lazy to move the server from one subnet to the next, so I had to create the route.  See enclosed screen shot. The server is at 10.0.1.240. ![Screen Shot 2015-04-30 at 9.02.05 AM.png](/public/imported_attachments/1/Screen Shot 2015-04-30 at 9.02.05 AM.png)
  • Quick question about DNS setup for 2 failover WANs

    5
    0 Votes
    5 Posts
    805 Views
    T
    @sebna: But, correct me if I am wrong - it does not matter that both internal DNS look up to the same forwarders, which are Google DNS servers? You are correct. If your servers are configured properly and they have access to reach the root servers, and due to the distributed nature of DNS, it should work.
  • Routing issue with traffic coming from another firewall

    7
    0 Votes
    7 Posts
    3k Views
    S
    Hi Guys, I have a situation here. Site A pfSense firewall: local LAN 10.10.1.0/24. Site B Fortigate firewall: local LAN 10.10.2.0/24. Now, both the sites are connected via an IPsec VPN tunnel. I have configured OpenVPN road warrior on Site A pfSense to access the Site A network remotely, and I am able to access the Site A network without any issues. My question is: how will I be able to reach the Fortigate Site B local network 10.10.2.0/24 from home? I have also followed this URL and configured the push route command on the pfSense Site A firewall and configured a phase 2 entry on the Fortigate Site B firewall: https://forum.pfsense.org/index.php?topic=26036.0 But I am not able to connect to the Fortigate Site B 10.10.2.0/24 network from my home network. Please help me. Thanks!
  • Two WANs - one supports IPv4 and 6, the other only IPv4

    1
    0 Votes
    1 Posts
    471 Views
    No one has replied
  • Controlling speeds in various routers

    6
    0 Votes
    6 Posts
    694 Views
    Derelict
    Where is pfSense in all of this?
  • HTTPS loadbalance, virtual servers down

    2
    0 Votes
    2 Posts
    491 Views
    Z
    HAProxy solved the problem!
  • Routing OpenVPN user traffic over IPSec to Dest network

    3
    0 Votes
    3 Posts
    1k Views
    M
    You also need to add a firewall rule to the IPSEC interface (On both ends) that allows traffic to/from the OpenVPN network. Also sharing IP addresses with us means nothing without a network map.
  • Default gate when load balancing outbound traffic

    2
    0 Votes
    2 Posts
    629 Views
    P
    You have to have a default gateway. It will normally be one of the gateways in the load-balancing group. If most of your traffic is directed to the load-balancing gateway group by policy-routing rules, then pretty much only pfSense itself will be using the default gateway. N/A, you don't need to remove it. No bonus points for me. It is just a weighted round-robin, so in a place with only a few users, a few people doing big downloads might happen to all get their states on the same WAN. If users are using "download manager" type apps that start up multiple threads downloading different bits of a file, then those threads will start quickly one after the other and are almost certain to end up spread around the gateway group members.
  • MOVED: radvd[41259]: sendmsg: Can't assign requested address

    Locked
    1
    0 Votes
    1 Posts
    602 Views
    No one has replied
  • Gateways monitoring still screwed up (2.2.2, apinger issue)

    3
    0 Votes
    3 Posts
    714 Views
    P
    Question: how hard could it be to code an app to PING an IP and show an accurate result? It's an OpenSource project - you can complete the license agreement and get access to the pfsense-tools repo. Look through the apinger source code and work out what goes wrong with the running average latency and packet loss calculation. Many people will be very grateful.
  • Load balance Https

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    If the client is receiving the cert from pfSense, that means somehow they are not reaching the load balancing daemon. Because relayd operates using NAT rules, if you are testing from LAN to servers on the LAN then there can be problems with that approach. You may have better luck with a full proxy like HAProxy.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.