@timthetortoise: @steven6282: That link you provided is doing exactly what I've already said I did, except it does not cover how to get the route to stick through a reboot.  If I reboot the routes added with the route command go away.  It even says in that link: It is not possible to create such routes using the Web interface… It says that only if you don't read far enough: It is not possible to create such routes using the Web interface then once more the shellcmd module come to rescue to setup the route at startup. The whole section after that details how to get the routes to persist. Ahh, I see it is referencing an actual module ShellCmd, not just meaning a Shell command as I read it.  I missed it talking about that because it's a little tiny section buried between talk about DMZ and OPT lans that don't pertain to my configuration.  It doesn't really go into detail on what that module does, I'm assuming it simply runs those shell cmds at pfsense startup or something.

@timthetortoise: Yes and yes. Thanks very much.

Ahh shame! Thought that was the issue. I'll have to replace the pfSense with a Watchguard then. Thanks Chris

3G/4G came up as an alternative to satellite recently using a good directional antenna, so that means response time isn't that much of a concern if it works out well. But for future reference I've come up with two possible solutions: Route all traffic with ports over 1024 through ADSL Route all UDP traffic with ports over 1024 through ADSL In addition possibly find applications that doesn't require low response time and route them specifically over satellite. On another hand UDP is a connectionless protocol, shouldn't L7 work fine then? Because the applications we're using that requires low response time uses UDP.

What's your default gateway on the machine you're pinging from/the machine(s) you're pinging to?

My subnet mask is /22 (255.255.252.0).

While I don't understand it yet….I found a fix. https://forum.pfsense.org/index.php?topic=75620.0 post #2 by CMB.  Ticking "Disable reply-to on WAN rules" solved the issue. I've tried Googling reply-to route-to but not found anything concrete about how or what it is used for.  Is this s freeBSD thing or I am missing something core to networking here. I hate not knowing why this works. Someone enlighten me?

Thanks that worked a treat!

Can you post a diagram of your setup? It's not clear what your environment looks like

There isn't a per-interface toggle for the proxy, it's a global value.

See my thread here https://forum.pfsense.org/index.php?topic=75358.msg411290

OpenBGPD messages used to show up in System Logs > General, and I'm pretty sure those were also included in Syslog messages.  I feel like in one of the recent updates they have been moved to System Logs > Routing.  These Routing messages are only sent to the Syslog server when Everything is checked in the Settings, but, I don't want to flood my Syslog server with every firewall event.  Any way to enable the Routing messages to be sent via Syslog without seeing every firewall message?  Seems odd that there's category of Syslog group for everything but Routing gets dumped into Firewall.

I figured out the problem: partially due to PEBKAC and partially due to missing static routes. I should also mention that the subnets in the isolated network were duplicates of our production network. I did not fully explain to the user, for which this was built, how it was intended to be used. The other, and more important reason, was that a jump machine was configured with two vNICs: one inside the isolated network and the other outside that was routable to our production network. In order to communicate to the hosts inside the isolated I needed to add static host routes for each of the (dozen) hosts. route /p add <ip of="" host="" on="" isolated="" network="">mask 255.255.255.255 <ip address="" of="" vnic="" on="" isolated="" network="">Route http://technet.microsoft.com/en-us/library/ff961510.aspx This meant of course that the jump machine would not be able to contact the production instance of the hosts we had in the isolated network, but that was not a real problem.</ip></ip>

No worries. I am the in the USA too. I have had my coffee limit though!

Some more data: If the initiator is PFSENSE, then the connection is correctly handled - so if I use telnet -s WAN2_address, the packets go out and return via the correct gateway (GW2). It seems that only locally bound services are affected.