anybody ?

yes … lots of people are using it like that. search this section of the forum and you will probably get around a trillion posts ;)

Thanks that got me going!  ;D

The OPs first rules will work fine. Also make sure Windows firewall does not block ping ICMP This is the critical bit to get the ping to work - nothing to do with pfSense! Glad you guys watched the video and gave a review - you saved 9 minutes of my life  ;)

So, I interpret that a gateway, 'the way to get out of a LAN', does a sort of NAT. The gateway on each LAN is just the way out for routing. It does not do any NAT. The routing software in (pfSense/FreeBSD/any router) is happy to route stuff between all the actual subnet addresses that it knows are directly connected. Then it has gateway(s) itself to use to send packets to other IP addresses that it cannot deliver directly. For stuff from the internal LANs, that has to be sent out to another router (through a gateway that pfSense knows about - your ISP or…) NAT (a different piece of functionality) is usually needed. That happens on the way OUT to the upstream gateway/router. NAT is only needed if the upstream gateway does not know how to route back to your internal LAN/s - which is always the case when your LAN/s is in private IP space and the upstream gateway/router is your ISP on the public internet. are all these functions done by the gateway of the network segment (3.1), or by the 'main' gateway, 2.1? Yes, by default these network services are listening on each of your LAN-style interfaces. For DHCP, you enable it on each LAN-style interface. DNS and NTP just listen on every interface when they are enabled. So, a client on the "2" network would use 2.1 as the address for all these services - DHCP, DNS, NTP… and a client on the "3" network uses 3.1 and so on.

Possible solution: CURLOPT_INTERFACE I am pretty sure I tried this a long time ago and it did not work. Either way before I solve that problem I need to figure out how to add my own trigger level to gateways in gateway groups. Does anyone know the list of files the code for high ping and packet loss resides in?

"with camera url to the wan ip." And it would be quite simple to setup pfsense to resolve your camera url to your camera's local 192.168 IP as well and not have to use nat reflection. So when your phone is on your local network using pfsense as dns it resolves camera url to your local IP  And when its outside your network and using some public dns it would resolve your camera url to your public IP.

Sorry for pushing :p

Try to add same rules for OPT1 interface too. Like this (Port Forward tab): OPT1  TCP  *      *    OPT1 address    3000 (HBCI)    192.168.200.3  3000 (HBCI)

i've never personally had this kind of issue's with quagga before,but i only use it between pfsense devices. (and i don't have micortik hardware at hand) Jimp (one of pfSense lead developers) is also the pfsense-package maintainer for Quagga as far as i know…. Perhaps he can help you figure this out, because i'm out of idea's ;)

I guess machines at site 2 have GW set to 192.168.20.2 - and 192.168.20.2 has no route to VPN tunnel 192.168.21.0/24 Maybe just add a static route on 192.168.20.2 to route 192.168.21.0/24 to 192.168.20.1? and there might be an asymmetric routing issue come up because traffic in 1 direction only will go through 192.168.20.2

That for I configured a gateway on LAN1 could you elaborate on that ? you didn't enter a gateway on the LAN1/LAN2 interface configuration page right ? If you did –> remove it ... only WAN connections need this filled in.                 --> check NAT because i'm not entirely sure if it will automagically remove the faulty NAT-rules that were created when ya added a gateway to your LAN(s) i'm not sure what else could be wrong ... the screenshots you provided seem ok to me

Found the answer, I think and documenting for anyone else: Bridge external interfaces / LAN interface Create Rule on each external interface to allow any traffic from any external to the external subnet and a rule for outbound communication from LAN on each of the external interfaces IP the Watchguard interface with public VIPs from the external interfaces subnets Now pings are able to go through from public networks through the pfSense to the Watchguard without NAT. Also Multi-WAN LB is working. Thanks.