So there would be no way of using ipfw on the WAN interface as well and using that to block once the quota had been reached?

This post is a few weeks old so i'm not sure you've fixed this, but…. If your pfSense box has room for a 3rd NIC (OPT1) then you could configure you network like this [WAN]–-PfSense---[LAN]–-Switch|----Pc1                 |                                  |----Pc2             [WLAN]                            |–--Pc3                 |                 |----------------------Router AP1|----Pc4                                                               |.....Mobiles                                                               |.....Pc3 Your rules on your LAN would not change. You would simply configure rules on your WLAN interface to allow the Wireless clients appropriate access out the WAN GW. your Wish list would be as follows: 1.    To have all the rules in the PFSense Rules would be set on each individual interface (i.e. WAN, LAN, WLAN) 2.    Make sure that no one can access the LAN with network 192.168.2.0 See Comment #6 3.    Make sure that no one can access the WLAN with network 192.168.1.0 See Comment #6 4.    Manage all rules and in PFSense See comment #1 5.    DHCP for all subnets in PFSense With a 3rd NIC (OPT1) interface added, you can configure different DHCP rules for each interface 6.    WLAN and LAN can talk freely with each other Points 2 & 3 would be isolated as per my setup suggestion above; but point 6 somewhat contradicts the two subnets not accessing eachother.

That did the trick, Thanks. Chris

Hello, My ISP has assigned the VLANs in the "router" they supplied. I have 4 ports, 1 of which is for internet. VLAN is handled in that router. If you want to skip the ISP supplied router, you need to establish which VLANs they use, and assign them in pfSense to various ports. This would mean that you would have to connect your IPTV box to pfSense.

Thanks BB! Got this in the logs when all interfaces were "saved" once again. Aug 3 10:34:59 radvd[26818]: removing /var/run/radvd.pid Aug 3 10:34:59 radvd[26818]: sendmsg: Operation not permitted Aug 3 10:34:59 radvd[26818]: sending stop adverts Aug 3 10:34:59 radvd[26818]: Exiting, sigterm or sigint received. I will see if it continues.

@Supermule: Why not just use outbound NAT to route the traffic via WAN2? Wouldn't he still need a rule to route the traffic out WAN2, when the default gateway is on WAN1?

This is not working in 2.1.4 when routing from OPT1 interface to WAN VIP

ah, no expensive!!! What other advantages give me? Very interesting

I use alias' as well on the opt1 interface that I renamed DMZ. So the routing is from one alias to VIP on WAN interface. But even routing from the OPT1/DMZ interface using any instead of alias but keeping the VIP on the WAN, still render it useless regarding traffic redirection to VIP.

You can use VLANS on pfsense instead af aliases. Just assign vlans under interfaces and choose the parent interface. Then pfsense will handle the routing. Unless you traverse traffic via switched hardware then vlan hardware support should be ok.

So I tried adding MAC address control in both firewalls for one of my Roku3 devices. Firewall1 was set to deny access to the MAC in the DHCP server settings and Firewall2 was set to "deny unknown clients" in it's DHCP server. I set the static IP assignment in Firewall2 to only the one device. Cleared the ARP cache in both firewalls, rebooted the Roku, verified the IP and gateway assignment in the Roku once it restarted. Tried testing it and…..... it is stilling accessing the internet through Firewall1?!?!!?!?!?  I am going to try blocking all access to the LAN interface on Firewall1 to this device and see if that makes any progress. Hopefully it will force the traffic out the other firewall like it should be.

@jimp: You can't load balance the traffic out both WANs using one public IP address (without BGP or other means that are far beyond what you're talking about) You can force a specific PC out a specific WAN by adding a rule above the current rules to match them and send their traffic out one gateway (or a failover group that prefers one gateway) Since I only have 2 devices on my LAN that need load balancing, I ended up creating 2 rules specifically for them and left everyone else use the faster WAN by default. Seemed more logical than creating exceptions for each PC.

Good morning to all! Well!  Thanks to all that read my issue. And this isn't an issue any more.  Turns out the last two attempts by the ISP failed because of them.  We finally were assigned an engineer who knew what he was doing and did it right. As for my post, if anyone can give me some advice on how I could have done it differently so that anyone would have tried to help me out sooner, I would appreciate it for future posts. dbennett

So after reading a bunch of other posts it would appear that the preferred method to get this working is to use gateway groups. This has a bunch of advantages as well. I got my setup working with the settings below: [image: i69Um3Q.png] [image: gBqqrVS.png]