That cron entry starting "1 1" runs at 01:01 each day - only once per day. For every minute you want: */1  *  *  *  *  root /usr/bin/nice -n20 /etc/rc.dyndns.update

even if you do, somehow, manage to get this working - it'll be a nightmare; if not now, then later. bite the bitter pill and go to a sane subnetting scheme my 2 cents

Diagnostics->Packet Capture on the OpenVPN tunnel interface, looking for port 53 (and/or the IP address of the external DNS server it is supposed to be using) should show the traffic from DNS Forwarder doing the lookups. DNS Forwarder does caching, so on the client do "nslookup" of various different *.uk sites so DNS Forwarder has to go externally to look them up.

And if you want the layer3 at the switch performance between production VLAN100 and Other VLAN45, but need to firewall off Guest VLAN60, then you can make a hybrid topology. Trunk VLAN60 up to pfSense, but leave VLAN100 and VLAN45 layer 3 defined at the switch, and routing up to pfSense (on a 4th little subnet). Then VLAN100 and VLAN45 can talk to each other on the layer 3 switch. Guest has to go first to pfSense to get anywhere, and so you can secure that with any rules you like at pfSense.

@SysIT: could you not get the same speed in a single package? or they do not offer faster speeds so you have to get 2 packages? Its ADSL2 at sync speed, which in this case is pretty average due to distance from the exchange.

i also put the Outbound Wan rules and also the firewall LAN rules at the very top of the list. This sounds like what fixed it - if you have a more general ordinary pass rule above the policy-routing rule, then the traffic will be passed to the ordinary routing table by the general rule. The later special rule with the policy-routing gateway specified will never come into play.

Thank you very much I nailed it by myself … and IT WORKS Now Thingies connected to a certain wifi are going through an open vpn without doing anything on the device Thanks again

@timthetortoise: I mean that the second rule is redundant, since the first rule is already allowing anything anywhere on that interface. i was thinking the same however the client can still not reach the WAN from VPN and also not to the internet, any more suggestions please?

Those words are misleading IMHO - substitute "down" for "exhausted" and that is what it does. You Load Balance by putting multiple gateways at the same tier. Then new connections get allocated around the gateways of the same tier (that are up) in the gateway group. For Failover, put gateways at different tiers and the Tier 1 will be used exclusively first, then when all Tier 1 are down Tier 2 is used… As you imply, it might also be nice to use a Tier 1 gateway, and when it appears to be saturated with traffic, then put new connections onto a Tier 2 gateway... - there is no functionality to do that. If you have multiple Tier1 gateways of different bandwidths, then you can put different weights in the gateway advanced parameters to make the system allocate more/less client connection to particular gateways (rather than just even balancing).

Good solutions, the next one would likley be a paid DNS fail over service to do this automagically!

thank you vindenesen for your reply. Thats right. I want to alter the destionation port going from lan to wan. But not necessary keep destination IP Address. Because we've a lot of Wan Ip address. We can send to any ip address. But should be as follows. 1251 to 25 wan ip xxx.xxx.xxx.xxx, 1252-26 wan ip xx1.xx1.xx1.xx1 etc… For example : telnet mx1.hotmail.com 1251 hotmail server should give back to smtp helo (port 25) I'm investigating for long time and I learned it is feasible with outbound NAT. And I've tried alot of outbound rules. but doesn't work still And this is very important for me :(

Zebra.conf (IIRC) Info on Syntax can be found here: http://www.nongnu.org/quagga/docs/docs-info.html#Static-Route-Commands Even if you just had an open text field in the GUI that would add whatever you type to Zebra.conf (like in OpenVPN how you have the text box for extra stuff), that would be great. I am by no means a programmer and tried to do it myself, but I can't get what I have in the text field to apply. (A text field for ospfd.conf would be nice too for things like route maps and access lists).

After looking at the attached document, I believe that his implementation is similar to ML-PPP but without the ISP having to do anything. How he accomplishes that is way beyond my technical understanding. It sounds like magic though, and I am always wary of things that seem to good to be true.

Hi sorry for the delay I had only noticed your reply now apologies I don't think there is any NAT involved they route subnets to the mac address of the server to ensure nobody else can take your ip or subnet by mistake "Subnets are statically routed on the main IP address of the server, which is why no gateway is needed for the additional IP addresses. Therefore, all IP addresses, except the network address (first) and broadcast address (last), are usable. The router does not take up an IP address of the subnet. Example: You have the subnet 88.1.1.80/29: Network:  88.1.1.80 Broadcast: 88.1.1.87 Usable Adresses: 88.1.1.81 – 88.1.1.86"

Just in case anyone else gets bitten by this… My solution was to move the 2nd WAN to its own VLAN and create another interface on pfSense to handle it. Now both WANs coexist in harmony.

"accept filter" seems to work better for excluding such things, unfortunately it gets set on the receiving end not the sending end. There must be some difference between the site that works and the one that doesn't, either at the OS level or in the config. At the end of the day, though, if it works, it's not really hurting anything to have them show up there.

I'm having the same problem. I've gotten around it for now by enabling split DNS. My thought is to move all the port forwards over to floating and then enable them for the LAN side as well. It feels like some NAT reflection setting should have just made this work with the defaults, but isn't.

Thanks, I thought that I had tried that, but I must have missed selecting the correct gateway in the advanced features.