• VPN IPSEC between PFSense and Cisco Router

    0 Votes
    1 Posts
    583 Views
    No one has replied
  • PfSense routing between private LAN to ISP gateway

    0 Votes
    2 Posts
    943 Views
    > I know I will have to create a rule on the pfSense box, but how can I do it on the Virgin Media router? Will I have to port forward traffic to the 192.168.0.254 address?

    Yes, you will have to have access to the box that has the real public IP (the Virgin Media router) and forward a port to the pfSense WAN. Then on pfSense you can again forward that port in from the pfSense WAN to the camera.
  • Add pfSense in existing Network as VPN Gateway

    0 Votes
    3 Posts
    2k Views
    Hi, thanks for your reply, but either you read my question too quickly, or I didn't express myself well enough ;) I don't want to provide an OpenVPN server, nor do I want to make pfSense the "master router" at home. I already have an OpenVPN server in the datacenter. Now I want to connect to the OpenVPN server from home.

    At home I have a FritzBox which I want to leave as master router. My FritzBox is now feeding my pfSense's WAN via ethernet ==> pf-WAN: 192.168.10.10/24 (DHCP). The pfSense is set up as OpenVPN client and has a successfully established connection to the datacenter. The FritzBox has an additional entry in its static routing table, so that the FritzBox forwards datacenter-net requests to pfSense. The pfSense LAN "SHOULD" feed the FritzBox with the network of the datacenter ==> pf-LAN: 192.168.10.2/24 (static).

    Problem: Even though the OpenVPN connection is successfully established and the FritzBox redirects requests correctly, it does not work. So I did some investigation and figured out that the pfSense is not even able to process any of my requests via LAN. It simply fails at being a gateway for requests from its LAN port. This may be because WAN and LAN lie in the same home network, and that's where my knowledge lacks and why I consulted the pfSense forum for advice. Best regards
  • Default route through an OpenVPN tunnel for a VLAN interface

    0 Votes
    3 Posts
    1k Views
    Yes, that should work. But I don't think you need steps 2 and 3. After Interfaces -> Assign to assign an OPTn to the OpenVPN, then Interfaces -> OPTn enable, you leave the IPv4 (and IPv6) set to "none". pfSense and OpenVPN sort it out underneath and a gateway pointing at the other end of the tunnel should automagically appear.
  • Routing Between LANs

    0 Votes
    3 Posts
    1k Views
    Phil, you nailed it. I was thinking it was something that simple, just didn't think of it for some reason. Thanks a ton! Everything works great now.
  • Home Office VPN to Main Office Subnetting

    0 Votes
    2 Posts
    788 Views
    Set up an OpenVPN site-to-site link from home to main office. Give your home subnet and the OpenVPN tunnel subnet some different private IP address space than the main office. Put the OpenVPN server at the main office listening on your main static IP (it can listen on some port of your choosing). The OpenVPN client will connect from home, so it does not matter what your home public IP is. Forward ports from the static IPs at the main office to the subnet at home.
  • Need to configure 2 LANs for 2 APs

    0 Votes
    2 Posts
    728 Views
    Learn about subnets first. Each LAN has to be a different subnet. Also, LAN DHCP is starting from 10.0.0.1, which is your pfSense LAN address. I am surprised that pfSense even lets you do these things; I thought there was a lot more validation in the GUI these days.

    Change the LAN DHCP range to start from 10.0.0.2. Make the new LAN a different subnet, like 10.0.1.1/24 with a DHCP range of whatever you like from .2 up.
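    The checks in the reply above (every LAN on its own subnet, the DHCP pool inside that subnet and never handing out the firewall's own address) are easy to get wrong by hand. The following is an added example, not code from the thread or from pfSense, that validates a planned set of LANs with Python's standard ipaddress module. The dict layout, the function name check_lan_plan and the two sample plans are assumptions made for the illustration; the sample plans are constructed to mirror the mistake described in the thread (two LANs in 10.0.0.0/24 and a pool starting at the firewall's address) and its fix. It also goes slightly beyond the thread by checking every pair of LANs for overlap, not just two.

    ```python
    import ipaddress


    def check_lan_plan(lans):
        """Sanity-check a set of LAN definitions the way a pfSense admin would by hand.

        lans: list of dicts (hypothetical layout for this example), each with
            "name":      interface label, e.g. "LAN" or "OPT1"
            "interface": the firewall's own address on that interface in CIDR form,
                         e.g. "10.0.0.1/24"
            "dhcp":      (start, end) of the DHCP pool as strings, or None
        All addresses are assumed to be IPv4.
        Returns a list of problem descriptions; an empty list means the plan is sane.
        """
        problems = []
        nets = []
        for lan in lans:
            name = lan["name"]
            iface = ipaddress.ip_interface(lan["interface"])
            net = iface.network
            nets.append((name, net))

            # The firewall itself must sit on a usable host address of its subnet.
            if iface.ip in (net.network_address, net.broadcast_address):
                problems.append(
                    f"{name}: interface address {iface.ip} is the network or broadcast address of {net}"
                )

            dhcp = lan.get("dhcp")
            if dhcp:
                start, end = (ipaddress.ip_address(a) for a in dhcp)
                if start > end:
                    problems.append(f"{name}: DHCP range start {start} is after end {end}")
                elif start not in net or end not in net:
                    problems.append(f"{name}: DHCP range {start}-{end} is not inside {net}")
                else:
                    # The pool must not hand out the firewall's own address ...
                    if start <= iface.ip <= end:
                        problems.append(
                            f"{name}: DHCP range {start}-{end} includes the interface address {iface.ip}"
                        )
                    # ... nor the network or broadcast address of the subnet.
                    if start == net.network_address or end == net.broadcast_address:
                        problems.append(
                            f"{name}: DHCP range {start}-{end} includes the network or broadcast address"
                        )

        # Every LAN has to be a different subnet: no pair may overlap.
        for i, (name_a, net_a) in enumerate(nets):
            for name_b, net_b in nets[i + 1:]:
                if net_a.overlaps(net_b):
                    problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
        return problems


    # Constructed sample mirroring the thread: both "LANs" in 10.0.0.0/24 and a
    # DHCP pool that starts at the firewall's own address.
    BROKEN_PLAN = [
        {"name": "LAN",  "interface": "10.0.0.1/24",   "dhcp": ("10.0.0.1", "10.0.0.200")},
        {"name": "OPT1", "interface": "10.0.0.254/24", "dhcp": ("10.0.0.201", "10.0.0.250")},
    ]

    # The corrected plan: pool starts at .2, second LAN moved to 10.0.1.0/24.
    FIXED_PLAN = [
        {"name": "LAN",  "interface": "10.0.0.1/24", "dhcp": ("10.0.0.2", "10.0.0.200")},
        {"name": "OPT1", "interface": "10.0.1.1/24", "dhcp": ("10.0.1.2", "10.0.1.200")},
    ]

    if __name__ == "__main__":
        for label, plan in (("broken", BROKEN_PLAN), ("fixed", FIXED_PLAN)):
            found = check_lan_plan(plan)
            print(f"{label}: {len(found)} problem(s)")
            for p in found:
                print("  -", p)
    ```

    Running it reports two problems for the broken plan (the pool includes the interface address, and the two LANs overlap) and none for the fixed one. The overlap check is the important one for routing: two interfaces carrying the same prefix leave the firewall with no unambiguous route back to either LAN.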
  • Country living multiple WAN connections

    0 Votes
    3 Posts
    752 Views
    You can set up rules to feed traffic to prefer different gateways at different times. That will let you use the satellite automatically when it is free. You can put guests on a separate LAN and policy-route that differently. Or if you don't care that much, then allocate static-mapped IPs to all your known devices. Then policy-route the ordinary DHCP pool to the gateway you want guests to use. But there is nothing to count quota used, and know what day of the month your quota resets.
  • Need help with routing to interface / gateway

    0 Votes
    9 Posts
    1k Views
    Thanks for your help, but I solved my problem just now. What I did: I created a new VM with pfSense on my router computer. Then with this second pfSense I am creating a different subnet than with the first one, with DHCP deactivated. On the phones I chose a static IP in the second router's subnet and now they both work just fine :) The thread may be closed :)
  • OpenBgpd multihoming

    0 Votes
    2 Posts
    823 Views
    dotdash
    You can do a limited amount of tweaking to the BGP config. Easiest would be to play with prepend-self/neighbor to try and balance the hops between your ISPs. If you only announce some of your networks to one ISP, what happens when that ISP is offline?
  • 0 Votes
    6 Posts
    997 Views
    In doing more testing, I have discovered that it only appears to be Android devices failing; I have only tested Samsung devices so far. I tested an Apple iPad on the 10.1.3.0/24 and a laptop as well; both were able to access everything on the 10.1.1.0/24. So this appears to be an Android issue?
  • Using a CARP IP adress for a dedicated Gateway

    0 Votes
    3 Posts
    1k Views
    Hi, I would like extra explanations, maybe I missed something. Below, details about the config. Now, some traceroute details:

    A - Traceroute from pfSense to remote LAN2:

        [2.1-RELEASE][root@pfsensemaster]/root(1): traceroute 192.168.3.33
        traceroute to 192.168.3.33 (192.168.3.33), 64 hops max, 52 byte packets
         1  192.168.10.250 (192.168.10.250)  0.505 ms  0.777 ms  0.429 ms
         2  10.255.240.1 (10.255.240.1)  7.494 ms  8.246 ms  7.968 ms
         3  10.34.158.2 (10.34.158.2)  19.967 ms  20.303 ms  19.952 ms
         4  192.168.3.33 (192.168.3.33)  19.975 ms  19.805 ms  19.948 ms

    Everything is OK.

    Now, traceroute from a Linux box inside LAN1 to LAN2; the default gateway is 192.168.10.10 of LAN1:

        root@S-Linux: pts/0: 6 files 164Kb # traceroute 192.168.3.33
        traceroute to 192.168.3.33 (192.168.3.33), 30 hops max, 60 byte packets
         1  192.168.10.254 (192.168.10.254)  0.357 ms  0.364 ms  0.335 ms
         2  192.168.10.250 (192.168.10.250)  0.854 ms  0.890 ms  0.873 ms
         3  10.255.240.1 (10.255.240.1)  8.133 ms  8.139 ms  8.112 ms
         4  10.34.158.2 (10.34.158.2)  19.944 ms  21.940 ms  21.913 ms
         5  192.168.3.33 (192.168.3.33)  21.887 ms  21.897 ms  21.868 ms

    Is it normal that the first hop is 192.168.10.254 instead of 192.168.10.10? Why do packets first leave to IP = 192.168.10.254 and then go back to 192.168.10.10?

    This is the routing table of the Linux box:

        root@S-Linux: pts/0: 6 files 164Kb # netstat -rn
        Kernel IP routing table
        Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
        192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
        169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
        0.0.0.0         192.168.10.10   0.0.0.0         UG        0 0          0 eth0

    Could it be a reason why I have some routing troubles from LAN2 to LAN1?
    I will really appreciate your help about this issue :-)

    Attachments: PFSENSE_HA_Dual_Router_Second_LAN.png, Routes.png, Routing_Table.png
  • 0 Votes
    1 Posts
    3k Views
    No one has replied
  • Howto: simple multiWAN (VDSL + cable) for the noobs like me :-)

    0 Votes
    13 Posts
    6k Views
    Sorry for not responding sooner Phil :'( The thing is, I was trying 1001 things to solve my problem myself and didn't want to bother you with it because you've already devoted so much time to helping me, for which thank you once again ;D

    But I keep on fighting with the Synology going to WAN2 when WAN1 has connection problems, which I don't want it to do. As a recap:

    1. WAN1 is VDSL with unlimited traffic; Synology downloads here.
    2. WAN2 is cable, metered at 100 GB monthly traffic, so purely meant as fallback. Synology shall never go there.
    3. Given your remarks before, I put z_nas (= Synology) not on the failover group but on the gateway 'WAN1'.
    4. Occasionally, I wake up in the morning discovering WAN1 was down and Synology hopped over to WAN2 and downloaded too much there (metered). I know you said this shouldn't be possible, but it does do it :-).

    I double checked to make sure the "Synology always on WAN1" rule is before the 'LAN to any' rule which goes through Failover1. So, if I understand correctly, the Synology traffic is covered by the more specific rule, and therefore should never be hit by the more general 'LAN to any' rule that comes later. Would you happen to know how I might fix this mess?

    Also, I don't quite understand this (screenshots). I have a rule that says Synology should never go to WAN2 (you wrote above that this won't work, but I am still playing with it to see). But now in the firewall log there are blocks caused by that rule, preventing the Synology from doing DNS on the WAN1 interface. I suspected before already that copying a rule and adjusting it turns out buggy (I get the wrong descriptions in the logs; for example a block on LAN shows up in the logs as a block triggered by a rule for OPT3, which is a VLAN).

    As ever I am in big debt to you Phil; thank you for your help ;D
  • Squid with Lan1 > Wan1, Lan 2 > Wan2

    0 Votes
    18 Posts
    6k Views
    How could I work around the problem that my WAN IP changes every 24h?
  • Allow traffic between subnets OpenVPN

    0 Votes
    3 Posts
    851 Views
    Thanks! I did the same thing before, just that I hadn't moved the rules to the top! Regards.
  • Use pfSense as drop-in replacement for Cisco/ZyXel (LAN no internet)

    0 Votes
    9 Posts
    3k Views
    Hi all, I finally got most of it to work after a lot of trial and error! A lot had to be done late at night while people are gone. >_<

    Set up virtual IPs: Firewall > Virtual IPs > Add > select "IP Alias" and enter the public static IP in "Address(es)" > Save
    Set up 1:1 NAT: Firewall > NAT > 1:1 > Add > enter "External" and "Internal" IPs and enable "NAT Reflection" > Save
    Config system: System > Advanced > Firewall/NAT > select "Enable (Pure NAT)" and check "Enable NAT Reflection for 1:1..." and "Enable automatic outbound NAT..." > Save
    Change "Default Allow LAN" rule: Firewall > Rules > LAN > Default Allow LAN > add the load balanced GW and change source from "LAN subnet" to "Any" (because I have many LAN subnets)
    Open ports on one WAN: Firewall > Rules > WAN1 > add allow rules for HTTP, SSH etc. (I only need to do this on WAN1, because the virtual IPs can only be defined on one WAN)

    Let me know if I'm doing something wrong. Everything seems to be working now, so I've unplugged the Cisco and Zyxel. Yay! (Strangely, my download speed is WAN1 + WAN2 occasionally on speedtest.net; both WANs fire up in one test.)
  • Using pfSense as just a router with an ASA 5520

    0 Votes
    5 Posts
    963 Views
    We have a Cisco ASA and a Cisco 1921 at the border. I wonder where I should enable my Cisco IPsec VPN?
  • Multi-IP / NAT problems

    0 Votes
    2 Posts
    1k Views
    Hi, after struggling with this for a while, we finally have a solution. All the settings above are correct. It was the Comcast router that needed reboots whenever we rebooted pfSense, presumably because Comcast otherwise had decided a long time ago that the pfSense box wasn't routable for the additional WAN IP addresses and had simply stopped trying. After rebooting the Comcast router and pfSense immediately after, we could now ping the virtual IP addresses (because we allowed ping in the firewall), and we could do both 1:1 NAT as well as port forwarding. The manual outbound NAT is important, because you have to set the virtual IPs as the WAN address. This way, when you do a "what is my IP" search on Google from behind the second LAN, Google responds with the second (virtual IP) address. So we're good to go. Per
  • Assign/Route External IP Address to Internal Static IP Address for VOIP

    0 Votes
    2 Posts
    723 Views
    First you should consider whether you want to do a DMZ. Personally I move all hosts which are reachable from the outside to a DMZ and everything else to LAN (where just outbound traffic is allowed). Otherwise port forwarding does the magic.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.