• [SOLVED] Disable inter VLAN traffic

    0 Votes
    3 Posts
    4k Views
    Thanks! I was able to isolate both vlans adding rules to the firewall.
  • [SOLVED] Load Balancing Not Working After Upgrade to 2.1

    0 Votes
    5 Posts
    2k Views
    Glad you mentioned PEBCAK. This Wiki article is quite amusing: http://en.wikipedia.org/wiki/User_error including "Don't think of the user as making errors; think of the actions as approximations of what is desired" and, in reference to ID10T - "Historical use (circa 1995) includes phone tech support personnel instructing the user/customer to place the line 'id=10t' in their CONFIG.SYS file as a warning to future tech support personnel."
  • [SOLVED] LAN -> LAN bridge

    0 Votes
    7 Posts
    6k Views
    @phil.davis: Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult. It's only a temporary solution, required because we already have a router (and default GW) into that LAN.  When I'm happy with the pfsense configs we'll replace the other router and the NAT won't be required.
  • Configure LAN1 -> WAN1 and LAN2 -> WAN2

    0 Votes
    4 Posts
    3k Views
    You need to choose WAN2 when port forwarding. There is no need for any other rules. The Advanced Gateway settings are only for outgoing connections. You can receive external connections from WAN2 to LAN2 even if LAN2 is using WAN1 for outgoing.
  • Policy based routing & PPTP - bad cksum

    0 Votes
    2 Posts
    947 Views
    L2TP VPN also doesn't work with policy based routing, with the same 'bad cksum' error on the WAN interface.
  • 0 Votes
    6 Posts
    5k Views
    "add a wireless router by connecting it from the WAN port on the router to the switch" - I see the confusion here - the WiFi device is one of these that is also a router - has a few LAN ports and a WAN port. Normally you just ignore the fact that it has a WAN port - put tape over it. Plug one of the LAN ports into your LAN switch. Switch off DHCP on the "WiFi router". Just have it offering WiFi, the DHCP will come from pfSense, through the LAN switch, through the WiFi device and delivered to WiFi clients. You could, as I think you were meaning, connect the WiFi-router WAN port onto the LAN switch. The WAN of the WiFi-router will get an IP address handed out by DHCP on the pfSense LAN. If you static map this address in pfSense DHCP, then you know that all your WiFi clients will be NATed behind the WiFi router. I guess that has some advantages - WiFi devices can't set themselves a static pfSense LAN IP, your pfSense LAN firewall rules can be sure about the source IP address of all traffic from the WiFi. That might help with a bit of control of WiFi "guest" devices.
  • Sending email behind LAN to external SMTP

    0 Votes
    10 Posts
    2k Views
    Well, if it's not blocked… then, you need to actually try to send real mail via the SMTP server, using telnet, exactly like the phones that fail would. Google it if unfamiliar with the procedure. There can be other policies in place breaking this.
  • Conditional Routing

    0 Votes
    2 Posts
    1k Views
    Set that IP as the gateway monitor address and make it fail over to a dummy gateway.
  • Match a mac when pxebooting

    0 Votes
    3 Posts
    2k Views
    Hello, thanks for the answer. I have tried the DHCP static mapping with no luck. I have pfSense version 2.0.3 i386. The problem is that I have a PXE menu as the default. I put a file with the corresponding NIC's MAC address in the same location as the default PXE menu file. It should pick up first the file named with its MAC address, but it keeps going to the default menu. Correct me if I'm wrong, in that scenario there is no need for DHCP mapping. I have tried naming the file with upper and lower case and with combinations of "-" and ":" with no luck. After that I also tried to make a DHCP mapping, and it only stopped seeing the default file to load, but doesn't see or load any file. Has someone done this on this version, or is the only possible solution to upgrade? My questions point to the fact that in version 2.0.3 these options do exist, but probably the behavior is buggy. Another question comes to my mind. When you go to static mapping and you add the "Netboot filename" option, what is the location it makes reference to? I have already considered permissions where the "default" file is located. I have also tried to make reference to files in the "Additional BOOTP/DHCP Options" with option 209, text, and the name of the file, and it keeps dropping to the "default" file.
  • FailOver doubts+squid not in transparent mode.

    0 Votes
    1 Posts
    841 Views
    No one has replied
  • PFsense HTTP Speedtest.net

    0 Votes
    5 Posts
    4k Views
    Yes, for multiple clients accessing different websites it should help.
  • Single WAN connection with two public IP subnets / ranges (version 2.0.3)

    0 Votes
    16 Posts
    14k Views
    @KurianOfBorg: I just did a test and I am able to successfully add a new virtual IP address of type IP alias and gateway in a new subnet different from the interface IP address and gateway. Hi, I managed to add new VIPs from a different WAN subnet without even adding a new gateway. After turning the pfSense config upside down so many times, I realized I had mistyped an entry in the routing table, that's why my VMs were not responding. Now it's all up and running. :-[ Thanks
  • Multi tenant routing with pfSense and Ubuntu OpenVPN

    0 Votes
    3 Posts
    1k Views
    If I understand it correctly, you need to create an interface and gw for the tunnel which you can then create a static route against.
  • Routing between LAN and bridged DMZ

    0 Votes
    9 Posts
    4k Views
    Hello, I try to set a route but have no success.
    route add -host x.x.x.x netmask 255.255.255.255 em2 (my DMZ interface).
    The DMZ (noip) iface is bridged with the external iface (noip). The pfSense answer is:
    route: writing to routing socket: Network is unreachable
    add net x.x.x.x : gateway netmask: Network is unreachable
    Can you help me? Thank you
  • Setup up "wireless link" as WAN or route?

    0 Votes
    1 Posts
    735 Views
    No one has replied
  • Isolation of insecured wireless

    0 Votes
    2 Posts
    888 Views
    Should be easy - Interfaces->assign a new OPT1 to a spare NIC. Give OPT1 a different subnet. Plug the WAP-AP into that NIC, and give it an IP in the new subnet. Connect your sensor devices to the WAP-AP. Assuming you just want to connect in from devices elsewhere (e.g. from devices on the LAN) to read the sensors, then you should be able to have no pass rules on OPT1. That way someone else who connects to your WAP-AP will get nowhere except for your sensors. If they are just sensors, then who cares if they know your fridge temp. If the sensor also lets you switch off the fridge, then there is a bigger problem, don't want the neighbours doing that for a prank. On LAN put whatever restrictive or permissive rules you like to let things get to OPT1 subnet.
  • 2 WANs going to each separate LANs

    0 Votes
    6 Posts
    3k Views
    So, you are telling me under the Firewall Rules for LAN1 instead of:

    ID | Proto | Source   | Port | Destination  | Port | Gateway | Queue |
    -- | *     | *        | *    | LAN1 address | *    | *       | none  |
    -- | *     | LAN1 net | *    | *            | *    | *       | none  |

    it should be?:

    ID | Proto | Source   | Port | Destination | Port | Gateway | Queue |
    -- | *     | LAN1 net | *    | LAN address | *    | *       | none  |

    WAN1:

    ID | Proto | Source                        | Port | Destination | Port | Gateway | Queue |
    -- | *     | RFC 1918 networks             | *    | *           | *    | *       | none  | Block private networks
    -- | *     | Reserved/not assigned by IANA | *    | *           | *    | *       | none  | Block bogon networks

    LAN2:

    ID | Proto | Source   | Port | Destination  | Port | Gateway | Queue |
    -- | *     | LAN2 net | *    | LAN2 address | *    | *       | none  |

    WAN2: <no entries>

    Btw, I got the WAN2 to get a PPPoE connection (in bridged mode from router to WAN2) but LAN2 can ping within its network but cannot get onto the internet now. Any ideas?
  • 0 Votes
    1 Posts
    960 Views
    No one has replied
  • Route public IP to one client

    0 Votes
    2 Posts
    1k Views
    I don't believe you can route your subnet further unless your ISP allows it and is set up to allow you to do so. Assuming you have a simple Ethernet Internet connection with your subnet, you can set up pfSense in bridged mode with the second pfSense. The second pfSense will need to be plugged into a dedicated interface on the first pfSense. This will allow you to share the public IP addresses between both boxes. It's easier to just plug the second pfSense box directly into the Internet switch though… Also, there is no benefit over a 1:1 NAT unless you require the actual public IP on the internal machine for some reason.
  • Multi - Wan, OpenDNS

    0 Votes
    2 Posts
    1k Views
    You will need to have 3 DNS names, 1 for each of the WANs, that translate to each of the WAN public IP addresses. (Since you have 1 static IP, you could specify that static IP in OpenDNS as 1 of your "sites".) Use the Dynamic DNS on pfSense to keep the name up-to-date with the current public IP. Tell OpenDNS the names, and it can look up the current IP address. That way, OpenDNS knows the public IP addresses that are "yours" and can apply your filtering rules to DNS requests from those IPs.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.