• Getting a VLAN to use the right Gateway

    2
    0 Votes
    2 Posts
    978 Views
    G
    The reason it took a while is because pfSense is a stateful firewall. Rule changes do not apply to existing states. That's why it is always advised to flush the state table before testing ;)
  • Routing traffic originating from an OpenVPN tunnel to an IPSec tunnel

    2
    0 Votes
    2 Posts
    2k Views
    G
    Yep, it's a little tricky but can be done. You have to add another Phase2 on both ends of the IPsec tunnel with the OpenVPN subnet as the local or remote subnet. Let's say you have SiteA and SiteB as the IPsec endpoints, and OpenVPN on SiteA: you add a Phase2 on SiteA with local subnet: the OpenVPN subnet and remote subnet: SiteB subnet. On SiteB you add a Phase2 with local subnet: SiteB subnet and remote subnet: the OpenVPN subnet. Make sure the firewall rules allow this traffic, too.
  • Proper way to add wireless AP to my network?

    4
    0 Votes
    4 Posts
    4k Views
    M
    All you need to do is create a rule that allows any protocol from any source to any destination and you should be good. Since your router (pfSense) is connected to both networks, traffic will route from one to another. If you don't want people on your wireless LAN to communicate to your LAN1, then create a rule that says block traffic from subnet going to LAN1. Make sure that rule is before the allow any any and you should be good to go.
  • IGMP crash

    2
    0 Votes
    2 Posts
    905 Views
    jimpJ
    Use the Avahi package to handle proxy/redistribution for mDNS
  • PfSense 2.0.3 MultiWAN + Squid Floating Rule

    2
    0 Votes
    2 Posts
    3k Views
    H
    Try following this step: http://forum.pfsense.org/index.php/topic,60977.0.html
  • Multi WAN & RFC 2136 Dynamic DNS

    2
    0 Votes
    2 Posts
    773 Views
    jimpJ
    The code for multi-wan failover support was not added to RFC2136 yet. I think someone may have already put that in for 2.2, or it's planned for 2.2, but either way it's not there on 2.1.
  • PfSense with only LAN and DMZ nic: how to set up a default route

    2
    0 Votes
    2 Posts
    905 Views
    jimpJ
    So where is the gateway to the Internet? Is it via some other router in the DMZ or LAN? You can have the default gateway on any interface you want, but depending on where that is, it may affect how other devices can use the firewall. A network diagram would help to see, including how your network actually will reach the Internet.
  • Multi-WAN setup

    11
    0 Votes
    11 Posts
    3k Views
    C
    Enclosed are my rules, not understanding what I'm doing wrong… I can't put all screen shots ... [image: 2013-10-13-185839_1024x768_scrot.png]
  • Multiple Wan networks on same interface

    6
    0 Votes
    6 Posts
    2k Views
    J
    Thanks, GruensFroeschl. Does an IP Alias fail between two pfSense boxes like a carped address would do, or would I have to add the network as an IP Alias and then single carped addresses for each of the IP addresses?
  • Can pfSense bond WANs at layer 2 (using a remote box)?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    That kind of bonding isn't possible currently. What you're after should be OK to do if you have the local firewall do NAT on the VPN interface as it leaves, to the OpenVPN tunnel IP, and then just use a standard gateway failover to move the traffic from one tunnel to the other if it goes down. You'll have to assign the OpenVPN interfaces for the gateways to appear.
  • Multi WAN +/- NAT VPN Proxy + sum Bandwidth…

    3
    0 Votes
    3 Posts
    1k Views
    K
    Maybe my English is not too good and you can't understand what I want to do, so I try to explain again… I have 2 VLANs from 1 ISP through 1 cable which goes to one port of my router... I use Intel PRO1000 PCI-E dual port adapter...
    VLAN 1 --> em0.1 IP 1.0.0.2/30 GW 1.0.0.1 = WAN    this is transport net for my /24
    VLAN 2 --> em0.2 IP 2.0.0.11/24 GW 2.0.0.1 = WAN1
    LAN --> 3.0.0.1/24  DHCP enabled...
    Also have PPTP with server IP 3.0.0.100 and Proxy server... When I group both of the WANs and enable NAT I can use the sum of all bandwidth but my IP is not public anymore... Also VPN and proxy stop working... Without NAT enabled bandwidth is not summarised... I want to continue using my public IPs, VPN and proxy and also to have sum bandwidth... Do I need to have both NAT and direct routing at the same time?
  • 0 Votes
    4 Posts
    2k Views
    technicalT
    @Nachtfalke: In the latest squid 3.3.4 post marcelloc gave me the hint to create different Source-ACLs and then use these with different "tcp_outgoing_address". We are stuck: 2.1, squid3, wpad configured, multiwan. Is there any solution about 2.1 multiwan squid3?
  • MultiWAN with VPN possible?

    5
    0 Votes
    5 Posts
    2k Views
    B
    Hey Mewsense, were you ever able to solve this? I'm working on a similar issue. My setup includes two pfSense 2.1 firewalls. One is the OpenVPN server set up with a site-to-site tunnel to the other pfSense 2.1 box. On the client side the tunnel is working and so is the Multi-WAN failover gateway group. However, if the route fails over to the tier 2 GW, OpenVPN connect does not switch over. Anyone else have any input on this? It would be much appreciated.
  • Cisco SG500-28 and pfSense

    4
    0 Votes
    4 Posts
    4k Views
    B
    There are a couple of things I would change…
    Drop this part from your pfSense config: "Then I configured the pfSense as following. I created another gateway with the ip of 10.10.1.10 and called it LANGW. Then I created a static route of 10.10.2.0/24 using gateway LANGW. Then created another static route of 10.10.3.0/24 using gateway LANGW"
    Add an IPv4 static route in the Cisco switch: Destination IP Prefix: 0.0.0.0, Mask 0.0.0.0, Next Hop: your pfSense LAN address (it tells the switch, who is doing the inter-VLAN routing, to forward all traffic that didn't hit the local route table to the next hop address).
    Then add the different networks in pfSense, under "System\Routing -> tab Routes" (only the 2 other subnets in your setup; they are currently unknown to pfSense as there is no routing protocol running (?)).
    Next, but equally important, you need some instance to resolve the name, so you could configure the switch to send DNS requests to pfSense (found under "Domain Name System\DNS servers"). Not sure if this will work though. Alternative: configure the LAN IP of pfSense as DNS server IP in your clients. That should give you internet access (unless I'm forgetting something ;D)
    Last, fix that VLAN setup. Trunks are only required if they need to transport VLAN information (802.1Q). If no trunking is required, I think it will be better for your setup to configure the port to access. Easiest fix: assign those ports as "access" to the correct VLAN (menus "Port to VLAN" and "Port VLAN Membership") and set the native VLAN back to 1 (pvid).
    An alternative to this setup would be to configure your LAN interface in pfSense to also do trunking, but then you would need to configure those VLANs also in pfSense and let pfSense do the routing instead of the switch. Not more complex than your setup, just another approach…
    Good luck & let us know how it goes...  ;)
  • Unable to Ping pfSense Box

    3
    0 Votes
    3 Posts
    1k Views
    J
    KurianOfBorg is exactly right, you need to put the IP of your VLAN, and check your pfSense routing table. Thanks.
  • 0 Votes
    2 Posts
    864 Views
    G
    Yes. The WiFi router will not be acting as a "router", strictly speaking. The cable coming from the pfSense needs to be connected to one of the "LAN" ports of the WiFi router, and whatever device you want to connect here also needs to be connected to the LAN ports (you shouldn't use the WAN port in this setup). This is something that a lot of people fail to realize (if you plug the cable from pfSense into the WAN port, you will most likely be creating a double NAT and you might get some issues that will be a pain to troubleshoot). Also, make sure the DHCP server on the Wi-Fi router is turned off. Regards!
  • Multi lan. simple router setup

    2
    0 Votes
    2 Posts
    1k Views
    G
    You need to create a bridge among the 2 interfaces. Why do you need this? It is usually better and will provide you better performance to just use a simple and cheap switch
  • Multi WAN and single gateway

    5
    0 Votes
    5 Posts
    3k Views
    G
    You just need to create a NAT port forward on WAN, destination address: the virtual IP, destination port: the outside port (443), redirect target IP: the internal IP of the server, redirect port: the internal port (probably also 443). It should work after that. Outbound NAT rules are not required if you just want this. If you also want that server to identify itself with the other public IP when it goes to the internet, you can create an Outbound NAT on WAN, with source IP: the IP of the server, translation IP: the virtual IP. But this is not needed if you just want to provide access on the 443 port on the other IP. Regards!
  • Problem routing VLAN traffic

    3
    0 Votes
    3 Posts
    6k Views
    M
    Hi podilarius, thanks for your reply. I didn't disable the firewall, but I did add an allow all rule. It turns out the problem I had was I added the IP address of the VLAN interface in the "gateway" field… My thinking must have been that it's what the DHCP passes to the client, but it must have meant that the interface itself was pointing to itself. Anyway, once I set that to none it worked. Cheers, m
  • How to mark traffic on WAN interface?

    5
    0 Votes
    5 Posts
    2k Views
    S
    Ok. Thank you for help!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.