  • Using pfsense as just a router with an ASA 5520

    5
    0 Votes
    5 Posts
    978 Views
    D
    We got Cisco ASA and Cisco 1921 in the border. I wonder where should I enable my Cisco IPsec VPN?
  • Multi-IP / NAT problems

    2
    0 Votes
    2 Posts
    1k Views
    P
    Hi, After struggling with this for a while, we finally have a solution. All the settings above are correct. It was the Comcast router that needed reboots whenever we rebooted PF Sense, presumably because Comcast otherwise had decided a long time ago that the PF Sense box wasn't routable for the additional WAN IP addresses and had simply stopped trying. After rebooting the Comcast router and PF Sense immediately after, we could now ping the Virtual IP addresses (because we allowed ping in the firewall), and we could do both 1:1 NAT, as well as port forwarding. The Manual Outbound NAT is important, because you have to set the Virtual IPs as the WAN address. This way, when you do a "what is my IP" search on Google from behind the second LAN, Google responds with the second (virtual IP) address. So we're good to go. Per
  • Assign/Route External IP Address to Internal Static IP Address for VOIP

    2
    0 Votes
    2 Posts
    730 Views
    T
    1st you should consider if you like to do a DMZ. Personally I move all hosts which are reachable from the outside to a DMZ and everything else to LAN (where just outbound traffic is allowed). Otherwise port forwarding does the magic.
  • Local Subnets not talking

    2
    0 Votes
    2 Posts
    635 Views
    P
    What do you mean that you have 192.168.0.3 going to 172.16.2.1? Do you mean that you have a firewall rule or a NAT setup for this? You do not need a route. If there are FW rules in place, pfSense will route between internal subnets. My suggestion would be to remove the route you have created. Check both the VLAN interface FW rules and the LAN to make sure that you have allowed the traffic to pass. If you have set up a Gateway on the LAN or VLAN interface, you are going to have to remove that as well. Check out your routing table to make sure that it all looks good.
  • Need Help Setting Multiple Wan Subnet

    1
    0 Votes
    1 Posts
    410 Views
    No one has replied
  • Looking to see if pfSense can replace a couple home rolled linux firewall

    2
    0 Votes
    2 Posts
    573 Views
    H
    Probably. At first glance it doesn't look like there's anything that would be impossible using the webgui.
  • Routing based on vlan

    6
    0 Votes
    6 Posts
    1k Views
    R
    I did a lot of testing, and it turned out that I had to leave the ethernet port from the hotspot alone, and switch on vlan on the wifi part of the hotspot.
  • 2 way routing through one interface

    3
    0 Votes
    3 Posts
    1k Views
    M
    Forgive me if I missed it… I understand this is a routing question, but where is pfSense located? I only see routers and switches... you may want to direct your question towards the Cisco forums (https://supportforums.cisco.com/)
  • Connecting two pfSense instances over LAN

    2
    0 Votes
    2 Posts
    1k Views
    M
    To get it working the way I think you want it, you will need to either add another NIC or put all your PCs in the "DMZ" and use that as the LAN on both sites. Here are some corrections:
    If Site A is directly connected to Site B via the interface labeled "LAN" and you want to pass traffic across that direct link, both "LAN" interfaces need to be in the same subnet, e.g. change Site B LAN to 192.168.20.2 or change Site A LAN to 192.168.21.2.
    Your static routes are configured incorrectly. Let's assume you change Site B's LAN to 192.168.20.2; your static routes should look like this:
    Site B
    Network / Gateway / Interface
    192.168.10.0/28 | 192.168.20.1 | LAN
    Site A
    Network / Gateway / Interface
    192.168.11.0/28 | 192.168.20.2 | LAN
    Assuming you have any/any firewall rules on all your interfaces, your "DMZ" subnets should now be able to communicate.
  • Excluding a single machine from the load balancing

    2
    0 Votes
    2 Posts
    624 Views
    pttP
    Create a "Failover" GW group, and point that Host to that group (using FW rules) https://doc.pfsense.org/index.php/Multi-WAN_2.0#Firewall_Rules
  • Monitoring multi wan with same back bone

    4
    0 Votes
    4 Posts
    803 Views
    D
    @grandrivers: yeah just switched back to google dns although good possibility they are hijacking it dropped my cpu usage which was baffling.
    You could use these as well: https://labs.nic.cz/odvr/ - as a bonus, they actually validate DNSSEC.
  • VLAN static ip address passthrough

    9
    0 Votes
    9 Posts
    3k Views
    P
    Just go to interfaces and enable the new interface that was created after you assigned the VLAN. Then add firewall rules and NAT rules (if using manual).
  • Replacing vendor xDSL router

    3
    0 Votes
    3 Posts
    2k Views
    P
    Sorry guys again… I'm watching some YouTube videos, and I think that in my case I should use "interface groups". Tomorrow I will try at the office.
  • Problem Routing Multi-Wan/Multi-Lan Not Working

    14
    0 Votes
    14 Posts
    4k Views
    H
    multiple gateways in the same subnet do not work.
  • Dual WAN on ESXi 5.5 - need help with interface address & gateways!

    3
    0 Votes
    3 Posts
    1k Views
    pttP
    Why do you have a GW on the LAN interface? Usually you don't want/need a GW on LAN.
  • Multi WAN, Multi LAN & Multi Subnet with bandwidth control??

    2
    0 Votes
    2 Posts
    930 Views
    B
    Hello! I am trying to basically achieve the same thing. I would like one pf sense box to handle multiple WANs and LANs separately. Bump!
  • MultiWAN and rdp

    2
    0 Votes
    2 Posts
    1k Views
    P
    IMHO best practice would be to use a VPN to connect in then run RDP over that. If you do that, you still need to port forward an OpenVPN server port like 1194. Anyway, you could forward 3389 by:
    a) Forward the port on each front pfSense (1 and 2) to the WAN of pfSense 3.
    b) On pfSense 3 forward 3389 to the server.
    c) On all the port forwards, allow pfSense to automatically create an associated firewall rule.
    d) On pfSense 3 create a gateway group "MyServer" with WAN1 gateway tier 1, WAN2 gateway tier 2.
    e) Edit WAN1 and WAN2 gateway and choose a real outside alternative monitor IP for each (like 8.8.8.8 and 8.8.4.4).
    e) Use a dynamic DNS service, in Services->Dynamic DNS, add an entry for your name (e.g. myserver.dynsdns-ip.com) and interface "MyServer".
    pfSense will monitor the gateways. When WAN1 is down, it will change the dynamic DNS name to be the public IP of WAN2. Use the name to connect from outside.
    Note: If pfSense 1 and 2 public WAN have dynamic public IPs, then pfSense 3 may not notice when those change. Install the Cron package. Edit the dyndns update job to run frequently (e.g. every 5 minutes) - it will then check the public IPs and notice if they have changed.
  • OpenVPN routing issue after upgrading from 2.0.3 to 2.1

    2
    0 Votes
    2 Posts
    874 Views
    P
    Do you have other policy-routing rules on LAN that pass "destination any" traffic out WAN, WAN2 etc? From memory, 2.0.n generated rules in front of those to pass "intranet private" traffic to "default" gateway (the routing table), from where it would be routed across the OpenVPN… This no longer happens in 2.1 (I guess it is more secure for pfSense to NOT write any "hidden" pass rules for you). You might need to put a pass rule on LAN, above any policy-routing rules, to pass traffic from LAN to the OpenVPN tunnel subnet and remote subnet at the other end. Then that traffic will pass to the ordinary routing table, rather than being pushed out the WAN by a policy-routing rule.
  • Captive Portal behind existing firewall

    1
    0 Votes
    1 Posts
    620 Views
    No one has replied
  • PfSense behind multiWAN router slow

    10
    0 Votes
    10 Posts
    4k Views
    T
    @blackbrayn: Just a guess, but are you by chance doing NAT twice? Once behind the multiwan router and once after pfsense? This is the only thing I can think right now that will maybe "break" the load balancing done on the multi-wan router.
    Sorry for seeming to drop off the planet; school got busy, and then March break happened. I was able to go back in to do some testing yesterday. I am doing double NAT, which I understand can raise issues with VPN. However that doesn't seem to be the problem here. Disabling NAT on pfSense made no difference to the speed tests: same results with and without NAT.
    However: Something bizarre is going on, and I need to do more testing. I'm getting the same results with and without NAT, but suddenly they're much better than before. Previously I was seeing much worse performance behind pfSense and now that's gone. I don't know whether that's because most users have been gone for a week, or whether it's not the Olympics (less video streaming on the Bell network) or what.
    THeo
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.