Many thanks for taking the time to review and answer. I guess I was baffled due to that document saying the switch chip on RB750UP does NOT support Rule tables. I gather from your previous message that this does not matter for our scenario. Thanks again for your kind assistance.

Or is there maybe an option to capture the dns request and change it?

Interface Cable is down: Why do I get "GW_Cable, Gathering data" in gateway status and gateway group status. There is nothing to probe if the interface is down.

And it sounds like you have default gateway switching enabled, that would be why default traffic is failing over to some other gateway, in this instance the gateway on LAN. The LANGW should just be a gateway, it should not also be selected as the gateway for the LAN interface (on Interffaces->LAN). If the LAN interface config has a gateway specified, then the system will consider that a possible general way out to "the internet" and may use it when default gateway switching is enabled.

Hi, ok I was busy with checking the source code, when I noticed that one gateway disappeared from the summery. When I tried to re-add it, it says : You can not use a IPv4 Gateway Address on a IPv6 only interface. _So I went to the Gateway (which was disabled, but that is fine!) and enabled it to check the settings. It says: ipv6: none! Weird._ –> The Error came because it is an PPPoE device. But the message makes no sense ;) But it is fine now. Ok, it's working now, when the device/gateway is set to "enable". The Thing was disabled because it is not connected,yet. This was fine in pfsense 2.04. Anyway… I now know how to get the thing to work! THANK YOU VERY MUCH!

Thanks for the suggestion deviant. But according to https://doc.pfsense.org/index.php/Multi-WAN_2.0, 5 is the highest priority: "By default all WANs on the same tier are considered equal when doing load balancing. If your WANs are different speeds, the weight parameter lets you give the system some bias toward a faster link. If you had a 50Mbit line and a 10Mbit line you probably would not want to share them equally, as it would often leave the 50Mbit line underloaded and the 10Mbit line overloaded. You can give your 50MBit line a weight of 5 so that you get a 5:1 ratio of usage to prefer the faster WAN."

If you have gateways set for your DNS, it sets the static routes. The way I've found the most success with is setting a floating output rule for your WAN interfaces with your failover group as the gateway.

They were on your Whatttttt????  That doesn't sound comfortable.

I'm doing a fix fot that. Take a look on bounty topic.

Thank you for your patience, now I found the real solution for that problem: You find it in: System: Advanced: Firewall and NAT There mark Bypass firewall rules for traffic on the same interface This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface. Conclusion: pfSense CAN handle asymetric routings! And you showed me where to look for that. Thank you again. Best regards, Holger P.S. Where can I mark the thread as solved (manually editing the head line?)

The route looks fine. The first WAN rule lets everything in, so you can't go wrong there - but it kind of defeats the idea of calling it a firewall :) The 2nd WAN rule by itself should also work. routers on the LAN Segment Now I see that the LAN segment has other routers, and presumably routes, behind it. Maybe those routers do not use the pfSense LAN IP (192.168.x.y) as their default gateway? Those routers will need to know that the route back to you at 10.0.0.0/24 is through the pfSense LAN IP 192.168.x.y - then they will be able to reply to your connection attempts. Post a network diagram if you get stuck further.

Thanks! I was able to isolate both vlans adding rules to the firewall.

Glad you mentioned PEBCAK. This WiKi article is quite amusing: http://en.wikipedia.org/wiki/User_error including "Don't think of the user as making errors; think of the actions as approximations of what is desired" and, in reference to ID10T - "Historical use (circa 1995) includes phone tech support personnel instructing the user/customer to place the line "id=10t" in their CONFIG.SYS file as a warning to future tech support personnel."

@phil.davis: Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult. It's only a temporary solution, required because we already have a router (and default GW) into that LAN.  When I'm happy with the pfsense configs we'll replace the other router and the NAT won't be required.

You need to choose WAN2 when port forwarding. There is no need for any other rules. The Advanced Gateway settings are only for outgoing connections. You can receive external connections from WAN2 to LAN2 even if LAN2 is using WAN1 for outgoing.

L2TP VPN also doesn't work with policy based routing with same 'bad cksum' error on WAN interface.