Thanks ab0tj, now I can order the last part needed and start muddling through the process. The best way to lean IMO! Again thanks for the conformation.

Some others have posted about this also. Perhaps the previous alias types are not getting upgraded correctly. If you have a copy of config.xml from before the upgrade, then post the routes and aliases sections. Then the issue might become traceable.

@rubic: Hi, turk182 This scenario will not work unless each of 3 ISP you are connected to has a static route to ip3 through pfSense01. Being ISP1 how could I know that ip3 given to you by ISP3 is behind WAN1 of pfSense01? Suppose I accept incoming packet from you with source ip3, where should I send answer? According to my routing table I will send it to ISP3 which will send it to your WAN3 where it will be dropped as packet comming in on wrong interface. You do not need public IP net between pfSense boxes. Using private net with double NAT is mach easier. Thank Rubic, So if it were double NAT, pfsense01 will just have one client which is pfsense02.

I hope you didn't disable reply-to on System: Advanced: Firewall and NAT. Look at your outgoing NAT rules: The source address shouldn't include the WAN addresses. I use an alias with all internal used (or all private networks) as source addresses.

Many thanks for taking the time to review and answer. I guess I was baffled due to that document saying the switch chip on RB750UP does NOT support Rule tables. I gather from your previous message that this does not matter for our scenario. Thanks again for your kind assistance.

Or is there maybe an option to capture the dns request and change it?

Interface Cable is down: Why do I get "GW_Cable, Gathering data" in gateway status and gateway group status. There is nothing to probe if the interface is down.

And it sounds like you have default gateway switching enabled, that would be why default traffic is failing over to some other gateway, in this instance the gateway on LAN. The LANGW should just be a gateway, it should not also be selected as the gateway for the LAN interface (on Interffaces->LAN). If the LAN interface config has a gateway specified, then the system will consider that a possible general way out to "the internet" and may use it when default gateway switching is enabled.

Hi, ok I was busy with checking the source code, when I noticed that one gateway disappeared from the summery. When I tried to re-add it, it says : You can not use a IPv4 Gateway Address on a IPv6 only interface. _So I went to the Gateway (which was disabled, but that is fine!) and enabled it to check the settings. It says: ipv6: none! Weird._ –> The Error came because it is an PPPoE device. But the message makes no sense ;) But it is fine now. Ok, it's working now, when the device/gateway is set to "enable". The Thing was disabled because it is not connected,yet. This was fine in pfsense 2.04. Anyway… I now know how to get the thing to work! THANK YOU VERY MUCH!

Thanks for the suggestion deviant. But according to https://doc.pfsense.org/index.php/Multi-WAN_2.0, 5 is the highest priority: "By default all WANs on the same tier are considered equal when doing load balancing. If your WANs are different speeds, the weight parameter lets you give the system some bias toward a faster link. If you had a 50Mbit line and a 10Mbit line you probably would not want to share them equally, as it would often leave the 50Mbit line underloaded and the 10Mbit line overloaded. You can give your 50MBit line a weight of 5 so that you get a 5:1 ratio of usage to prefer the faster WAN."

If you have gateways set for your DNS, it sets the static routes. The way I've found the most success with is setting a floating output rule for your WAN interfaces with your failover group as the gateway.

They were on your Whatttttt????  That doesn't sound comfortable.

I'm doing a fix fot that. Take a look on bounty topic.

Thank you for your patience, now I found the real solution for that problem: You find it in: System: Advanced: Firewall and NAT There mark Bypass firewall rules for traffic on the same interface This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface. Conclusion: pfSense CAN handle asymetric routings! And you showed me where to look for that. Thank you again. Best regards, Holger P.S. Where can I mark the thread as solved (manually editing the head line?)

The route looks fine. The first WAN rule lets everything in, so you can't go wrong there - but it kind of defeats the idea of calling it a firewall :) The 2nd WAN rule by itself should also work. routers on the LAN Segment Now I see that the LAN segment has other routers, and presumably routes, behind it. Maybe those routers do not use the pfSense LAN IP (192.168.x.y) as their default gateway? Those routers will need to know that the route back to you at 10.0.0.0/24 is through the pfSense LAN IP 192.168.x.y - then they will be able to reply to your connection attempts. Post a network diagram if you get stuck further.