• Pfsense and layer 3 switch

    4
    0 Votes
    4 Posts
    3k Views
    And if you want the layer3 at the switch performance between production VLAN100 and Other VLAN45, but need to firewall off Guest VLAN60, then you can make a hybrid topology. Trunk VLAN60 up to pfSense, but leave VLAN100 and VLAN45 layer 3 defined at the switch, and routing up to pfSense (on a 4th little subnet). Then VLAN100 and VLAN45 can talk to each other on the layer 3 switch. Guest has to go first to pfSense to get anywhere, and so you can secure that with any rules you like at pfSense.
  • Multi-WAN same ISP, same gateway

    4
    0 Votes
    4 Posts
    1k Views
    @SysIT: could you not get the same speed in a single package? or they do not offer faster speeds so you have to get 2 packages? It's ADSL2 at sync speed, which in this case is pretty average due to distance from the exchange.
  • [2.1] Possible gateway issue with move to new IP's / Multi-Wan –gateway?

    10
    0 Votes
    10 Posts
    2k Views
    I also put the Outbound Wan rules and also the firewall LAN rules at the very top of the list. This sounds like what fixed it - if you have a more general ordinary pass rule above the policy-routing rule, then the traffic will be passed to the ordinary routing table by the general rule. The later special rule with the policy-routing gateway specified will never come into play.
  • One IP route through VPN

    7
    0 Votes
    7 Posts
    1k Views
    Thank you very much. I nailed it by myself … and IT WORKS. Now thingies connected to a certain wifi are going through an open vpn without doing anything on the device. Thanks again.
  • Multi-LAN

    22
    0 Votes
    22 Posts
    6k Views
    @timthetortoise: I mean that the second rule is redundant, since the first rule is already allowing anything anywhere on that interface. I was thinking the same, however the client can still not reach the WAN from VPN and also not to the internet. Any more suggestions please?
  • Why didn't my LAN balance to ISP2 when upload saturated ISP1?

    2
    0 Votes
    2 Posts
    658 Views
    Those words are misleading IMHO - substitute "down" for "exhausted" and that is what it does. You Load Balance by putting multiple gateways at the same tier. Then new connections get allocated around the gateways of the same tier (that are up) in the gateway group. For Failover, put gateways at different tiers and the Tier 1 will be used exclusively first, then when all Tier 1 are down Tier 2 is used… As you imply, it might also be nice to use a Tier 1 gateway, and when it appears to be saturated with traffic, then put new connections onto a Tier 2 gateway... - there is no functionality to do that. If you have multiple Tier 1 gateways of different bandwidths, then you can put different weights in the gateway advanced parameters to make the system allocate more/less client connections to particular gateways (rather than just even balancing).
  • VPN, email and webserver redundancy on multiple WANs with different IPs

    5
    0 Votes
    5 Posts
    1k Views
    Good solutions, the next one would likely be a paid DNS fail over service to do this automagically!
  • Convert LAN PORT to WAN PORT

    3
    0 Votes
    3 Posts
    1k Views
    Thank you vindenesen for your reply. That's right. I want to alter the destination port going from lan to wan. But not necessarily keep destination IP Address. Because we've a lot of Wan Ip addresses. We can send to any ip address. But should be as follows. 1251 to 25 wan ip xxx.xxx.xxx.xxx, 1252-26 wan ip xx1.xx1.xx1.xx1 etc… For example : telnet mx1.hotmail.com 1251 hotmail server should give back to smtp helo (port 25). I'm investigating for a long time and I learned it is feasible with outbound NAT. And I've tried a lot of outbound rules, but it still doesn't work. And this is very important for me :(
  • QuaggaOSPF Static Routes

    7
    0 Votes
    7 Posts
    2k Views
    Zebra.conf (IIRC) Info on Syntax can be found here: http://www.nongnu.org/quagga/docs/docs-info.html#Static-Route-Commands Even if you just had an open text field in the GUI that would add whatever you type to Zebra.conf (like in OpenVPN how you have the text box for extra stuff), that would be great. I am by no means a programmer and tried to do it myself, but I can't get what I have in the text field to apply. (A text field for ospfd.conf would be nice too for things like route maps and access lists).
  • MultiWAN Link Aggregation

    6
    0 Votes
    6 Posts
    3k Views
    After looking at the attached document, I believe that his implementation is similar to ML-PPP but without the ISP having to do anything. How he accomplishes that is way beyond my technical understanding. It sounds like magic though, and I am always wary of things that seem too good to be true.
  • Routed WAN subnet pass through

    3
    0 Votes
    3 Posts
    2k Views
    Hi, sorry for the delay, I had only noticed your reply now, apologies. I don't think there is any NAT involved; they route subnets to the mac address of the server to ensure nobody else can take your ip or subnet by mistake. "Subnets are statically routed on the main IP address of the server, which is why no gateway is needed for the additional IP addresses. Therefore, all IP addresses, except the network address (first) and broadcast address (last), are usable. The router does not take up an IP address of the subnet. Example: You have the subnet 88.1.1.80/29: Network: 88.1.1.80 Broadcast: 88.1.1.87 Usable Addresses: 88.1.1.81 – 88.1.1.86"
  • Multi-WAN, IP alias, and inbound connections…

    2
    0 Votes
    2 Posts
    1k Views
    Just in case anyone else gets bitten by this… My solution was to move the 2nd WAN to its own VLAN and create another interface on pfSense to handle it. Now both WANs coexist in harmony.
  • Quagga OSPF Problem

    3
    0 Votes
    3 Posts
    1k Views
    jimp
    "accept filter" seems to work better for excluding such things, unfortunately it gets set on the receiving end not the sending end. There must be some difference between the site that works and the one that doesn't, either at the OS level or in the config. At the end of the day, though, if it works, it's not really hurting anything to have them show up there.
  • Can't access my own opened ports from inside of LAN

    2
    0 Votes
    2 Posts
    652 Views
    I'm having the same problem. I've gotten around it for now by enabling split DNS. My thought is to move all the port forwards over to floating and then enable them for the LAN side as well. It feels like some NAT reflection setting should have just made this work with the defaults, but isn't.
  • Dual LAN – Dual WAN Setup.

    4
    0 Votes
    4 Posts
    2k Views
    Thanks, I thought that I had tried that, but I must have missed selecting the correct gateway in the advanced features.
  • How can I configure pfsense as pptp-uplink router only?

    1
    0 Votes
    1 Posts
    506 Views
    No one has replied
  • Every service in the gateway use only the default gateway

    5
    0 Votes
    5 Posts
    1k Views
    @GeorgeM: @zerokool: yea I can't get the stupid "default gateway" box to uncheck. I've been exploring 2.1 on a spare machine (2.0.3 is what's on the live one) and I noticed this problem myself when I got into setting up my dual WANs. In my case I want certain kinds of traffic to go over specific WAN links and that not working would be a real headache. (e.g., cloud backup needs to go over the link with the biggest upstream bandwidth.) Ordinary client traffic (like a big backup to cloud) is easily directed to the WAN (or group of WANs) that you want it to use, by specifying the gateway or gateway group in the rules. It is only traffic originated from pfSense itself that is tricky to direct.
  • Seeming simple but how to: Multiple WAN and LANs

    4
    0 Votes
    4 Posts
    1k Views
    In pfSense/FreeBSD (like other OSes I can think of), a gateway is the IP address of another box to which the computer can send data packets destined for some group of other IP subnets (or for all). The interfaces that have gateways are dealt with as WAN-type; the gateway is supposed to be on that WAN subnet on a different machine (ISP's router, some other box on the way to the internet). Define a gateway on each WAN pointing to the upstream IP address of the path to the internet. Remove any gateways from LAN. Set whichever WAN gateway you prefer to be the default route. Add policy-routing rules (rules that pass traffic and send it into a gateway). On LAN1: Pass protocol any source LAN1net destination any gateway WAN1GW. On LAN2: Pass protocol any source LAN2net destination any gateway WAN2GW. If you want failover, then make gateway groups with the required order of preference and feed the traffic into the gateway groups.
  • Cannot access VPN from vlan

    3
    0 Votes
    3 Posts
    790 Views
    It was a lease line VPN.. managed by a provider..
  • Monitoring routing - gateway groups

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    There wouldn't be anything exposed over SNMP for the gateway status, at least not currently. The closest you could get would be the ifOperStatus of the WANs but there are plenty of situations where the interfaces are up but the gateways are down/unreachable.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.