ok… now it works! it's a little bit stupid when i have a * ALL Rule and the Bypass in Advanced. for people with the same problem: you must set in LAN Rules an extra Rule for 192.1.11.0/24 Proto: * Source: 192.1.11.0/24 Port: * Destination: * Gateway: * and all works fine like the old pfsense

Also possibliy related but i have noticed that the auto updater seems broken for me on this box. It gives the generic "Unable to check for updates" I checked the auto updater section and got this below Downloading new version information...done Unable to check for updates. Could not contact pfSense update server https://updates.pfsense.org/_updaters Is this related to the load balancing?

I am trying to do both. I want in-coming connections from each public IP to go to there respective internal VLAN. Also I want outgoing traffic that come from one VLAN to go out there respective public IP. Basically I wanted to know if I could do the work of two gateways/firewalls, in one box with one incoming connection. Is there any downsides to what I am trying the implement? thanks,

The best advice I can give you is DIVE IN, it is the only way to figure out pfSense (or really anything).  I found both the online pfSense tutorials and installation process to be FANTASTIC. Step 1) Burn the pfSense software to a CD. Step 2) Get an old computer with a CD ROM, a hard drive and two Ethernet ports.  One Ethernet port will be your WAN port for your ISP and the other will be your LAN port for your local network.  If your computer only has one ethernet port then buy a cheap ethernet card - the pfSense hardware support is generally very good.  You can upgrade later if you want something better. Step 3) Boot the computer from the CD and install pfSense. The worst thing that can happen is it won't work (although it probably will), but at least you will have a starting point.  The default rules will probably work fine for starting out.  You can add always add complexity later.

After you verify you aren't blocking private networks you need to set up port forwards for TCP and UDP for ports 137, 138, 139, and 445. Do not use 1:1 on your WAN IP that is meant to be used with an IP alias. You will also need make rules for all of the forwards on the WAN interface to the internal private IP (192.168.13.14) or check the box to do it automatically when you create the port forwards. I just reread your original post and it looks like you're doing it backwards. Your LAN and WAN interfaces are switched around. You should be able to connect directly from the windows pc to the server using it's own address with the default LAN to any rule. Is there any particular reason you're doing this? Typically port forwards are to allow external access to internal resources (which you shouldn't do with Windows shares anyway).

@Fluidic: @dotdash: The same subnet does not just mean the subnet mask. e.g. If your modems were on 1.2.3.4/24 1.2.3.5/24, etc. that would not work. If they were on 1.2.5.6/24 and 1.2.6.7/24 that would work, as they would be on two separate subnets. You could have two modems with 255.255.255.0 (/24) subnets as long as the first three octets (1.2.3) were NOT identical. I would guess your problem is that they all use the same gateway. That will not work. Sorry your ISP sucks. In the US, at least, that would not be considered a business-class connection. If other providers are available, the best situation is to have connections from different providers. The IPs are like this… 204.16.64.69  - IP on WAN1 204.16.64.254- Gateway on WAN1 255.255.255.0- Subnet on WAN1 69.71.11.30  - IP on WAN2 69.71.11.254- Gateway on WAN2 255.255.255.0- Subnet on WAN2 71.39.111.14  - IP on WAN3 71.39.111.254- Gateway on WAN3 255.255.255.0- Subnet on WAN3 64.9.42.92 - IP on WAN4 64.9.42.254 - Gateway on WAN4 255.255.255.0 - Subnet on WAN4 They are all completely separate IPs on different gateways, the only thing that is the same is the fact that they all use 255.255.255.0 as the subnet... This still will not work? -Fluidic That will work fine. The subnet mask in combination with the IP address is what determines your subnet, and none of them are the same. Let Netgate know that they are all indeed different subnets.

OpenSwitch looks to be run as a virtual switch in the vkernal, not as a VMware VM as far as I can see. -decided to simplify the problem, so for now, I am only trying to connect (route or bridge) between two virtual switches.  -single Windows client PC with a single 1GBE NIC -single ESXi host with two physical 1GBE NICS, and 2 vSwitches, each with one physical NIC added. -singe VM hosted, the VM that I am attempting to use to link the two Vswitches.  -1 physical NIC goes to my internal network -the other is a point to point link to the Windows client -tried PFSense.  initially it looked OK.  Install was OK.  WAN IP was recieved from my internal network DHCP server.  LAN segment was a completely different subnet, DHCP enabled, and the windows box got a DHCP address from this segment.  I was able to connect and configure the pf install, do thinks like disable it from blocking private ip range (since both interfaces were of a private range) was able to open a few internet sites.  But as soon as I tried to push some data through it, the pf VM was essentially killed.  from the console I could do things like restart the web console, but till I rebooted pfSense VM, no data would pass.  after the reboot it was OK for a bit, DHCP worked, small websites etc, but 2% through an nVidia driver download, it would die again. -wasted nearly all of my spare time from the long weekend, but didn't get this working. :( -tried vyos.  This looked like it would work exactly the way I wanted it to.  Vyatta would create an ethernet bridge with what appears to me to be only a few commands.  I messed around with it for a couple hours, but made essentially no progress.  It appears to work to the point that the windows client will get a DHCP address, but other than that nothing else would pass. So then I thought funny that DHCP packets would flow, but once an IP address was established, that was the end of it. … maybe I need to allow the vswitches to be in promiscuous mode? After than Vyos would pass packets!  Hit the Internet, run a speedtest.Net test, full speed.  Pushed and pulled a few ISO's from my file server.. saturated the 1Gbit Ethernet link.... looking good! check CPU use on ESXi-host ouch 50-63% of my haswell Xeon core for 1Gig, no way this will be able to do 10Gig! anyway, Thats where I am at now. leaning towards continuing to see if I can drop CPU requirement on Vyos. Virtual E1000 NICS, so if that can be made to use VMEX3 NICS, that should help!

Set up pfSense WAN interface IP to 172.37.37.1, subnet /30. Set the WAN gateway to 172.37.37.2. On LAN side you may use DHCP or set up a private network of your choice. There should be nothing more to do to access internet.

I think it would be better to ask this in the visualization section of this forum. I can not access it through my windows machine with localhost What do you mean? You try to access pfSense in Windows browser with localhost? localhost is Windows itself and nothing else. Your pfSense has an IP on each interface and with these you can access it. From Debian you have also to use one of these IPs. For accessing pfSense from Windows host vmware has to bridge the network to pfSenses interface.

If you do not specify  a gateway in the firewall rules on the OpenVPN tab, it will use the default gateway. It's possible the traffic is going the right way but that the other router/far side doesn't have the right routes back to the first pfsense box for the OpenVPN client subnet, or NAT to mask it.

Thank you very much, that's great to hear.

@user1378: hello every1, i am using squid 2.7.9 on pfsense 2.1 with multiple WANs. i want squid to use not the default gateway but a different wan. using the squid custom-configuration:``` tcp_outgoing_address "WAN2 IP" but my problem is, that the ip of WAN2 changes every 24 hours. is there any opportunity of telling squid to use a specific interface instead of IP - address? i appreciate any help! Hello, have you set some particular setting on squid to get this working? I have done lots of tests, but i always see that squid only uses the default router, and ignores the secondary wan…unless you set the "allow default gateway switching" on the advanced tab. If that box is checked, and the default gateway is down, the traffic is correctly routed to the second wan. I would like to be able to route a specific client/subnet through the secondary link, even if the primary is up (active/active configuration). Is there any way to get this working? Edoardo

thank you so much that solved the issue  ;)

Many thanks for your response.

Gotta eat my words on this, it looks like you did indeed discover a bug in the DHCP code. I'm able to reproduce this on 2.1.2, and I'm assuming it applies to 2.1.1 as well. In my case, my DHCP client was never assigned a gateway in general, and this is reflected by there not being an "option routers" directive in the dhcpd.conf file. I am investigating where this is happening. Documented here with a temporary fix: https://forum.pfsense.org/index.php?topic=75766

It'd make sense that those rules would take precedence and not give the result you wanted since they weren't set to use the correct gateway group.