I guess machines at site 2 have GW set to 192.168.20.2 - and 192.168.20.2 has no route to VPN tunnel 192.168.21.0/24 Maybe just add a static route on 192.168.20.2 to route 192.168.21.0/24 to 192.168.20.1? and there might be an asymmetric routing issue come up because traffic in 1 direction only will go through 192.168.20.2

That for I configured a gateway on LAN1 could you elaborate on that ? you didn't enter a gateway on the LAN1/LAN2 interface configuration page right ? If you did –> remove it ... only WAN connections need this filled in.                 --> check NAT because i'm not entirely sure if it will automagically remove the faulty NAT-rules that were created when ya added a gateway to your LAN(s) i'm not sure what else could be wrong ... the screenshots you provided seem ok to me

Found the answer, I think and documenting for anyone else: Bridge external interfaces / LAN interface Create Rule on each external interface to allow any traffic from any external to the external subnet and a rule for outbound communication from LAN on each of the external interfaces IP the Watchguard interface with public VIPs from the external interfaces subnets Now pings are able to go through from public networks through the pfSense to the Watchguard without NAT. Also Multi-WAN LB is working. Thanks.

@johnpoz: So you have this - see attached. And what possible routes did you create?  Is your wan a common network?  Where is your common network your pfsense use to talk to each other with? If you pfsense lans are connected to same switch - why they not just using the same network? More general again: You need a common subnet between your boxes if you want them to talk to each other ;-) Either you could just strip another connection between both pfsense boxes, e.g. 10.10.10.0/30, then add static routes. Otherwise you need to add an Alias-IP from the other subnet to the LAN-Adapters of your boxes. Maybe add 10.0.0.254/24 to your first box or choose a different address. Then you can also add static routes pointing to the other box… or even add the other device as gateway and load-balance ;-)

that output is truncated. please see attached (bz2, but txt extension due to forum limits) crash.txt

I am having this problem too. It's a real pain. My ssh session drops after a few 10s of seconds. Ping works fine, but I am using Putty on Windows 7, and it closes the ssh session promptly. Has anyone reported this in the bug tracker?

mmm… i found out you cant ping or log onto the other vlans interface (switches page) if there are no computers connected to that vlan, if there is a computer connected to that vlan you can ping the laptop and also you can ping and log onto the vlan interfaces ip address which is the switches page

the issue was the squid proxy. when i run the pfsense without squid is everything all right.

i remember someone asking a similar question in  the Q&A session on BSDcon in the netherlands a while ago (around the time of the 2.0 - release) If i remember correctly, Ermal pointed out that it wasn't production ready and that implementing it in pfSense would be a huge undertaking. (adding/removing routes would need changes/special attention etc etc etc) Still i hope it will be a feature in one of the future versions. I think, it would also solve a lot of the multi-wan "hacking" that is required today (ie squid/vpn/…) Keep up the good work

exactly the same, which only makes this problem weirder.

There will be no problem with Dynamic DNS - you can define an entry for each ISP (on WAN1 and WAN2) so each Dynamic DNS name stays updated with the current public IP of ISP1 and ISP2. Then you can port-forward whatever ports you like from each WAN independently to the same backend LAN-side IP address of the server. About RDP - I am not sure what list of ports you will have to forward and the resulting security of all that being directly accessible from the public internet for "random" people to attempt connections. Personally I would put an OpenVPN "Road-Warrior" server on the pfSense, listening on both WANs (or failing over from one to the other if you want it to prefer a particular WAN or…). Then have the remote users connect by OpenVPN - they are then authenticated well and become part of your private network. Then they can RDP or whatever to wherever. Others will also have an opinion about that...

Thanks to both of you, it was my fault.

Outbound NAT happens as the traffic exits an interface. Routing decisions happen before that point. To oversimplify it a bit: Packet enters firewall Routing table (or policy routing) decides which interface the packet will exit Outbound (source) NAT applies as the traffic leaves that interface

Thank you for reply phil.davis, I have attached diagrams of the system that I'm trying to build up: two pfSense configuration works, one pfSense not works. PFS POS has two WAN interfaces (WAN1, WAN2) in failover group and two VPN connections (VPNPRY, VPNBCK) to headquarter office. The PC has "PFS POS" as default gateway and must use it for internet navigation and for communication with HQ Server (via VPN); VPN routing is managed by Quagga OSPF and I need to have VPNPRY on WAN1 and VPNBCK on WAN2. [image: twoPFSenseWork.png] [image: twoPFSenseWork.png_thumb] [image: onePFSenseNotWork.png] [image: onePFSenseNotWork.png_thumb]

No, that's not possible. Sticky, as you've observed, maintains a client-to-gateway relationship and doesn't get any more fine-grained than that unfortunately.