NVM Turns out ISP had routed an IP range that was already in use.

solved: firewall > nat > outbound changed to manual and created a rule: source: 192.168.100.0/24 destination: 192.168.0.0/24 translation ip: virtual ip alias 192.168.0.142 then changed the gw to 192.168.0.1 and added a static route

Hi, As stated in the original reply, as long as your firewall is patched into a VLAN-capable switch, you can create a separate VLAN for each of the networks (eg: VLAN-ID: 1681 = 192.168.1.0/24, VLAN-ID: 1682 = 192.168.2.0/24, VLAN-ID: 1683 = 192.168.3.0/24) and bind each VLAN to the same physical interface (eg: bge0). This will create three new interfaces, each bound to the same physical NIC but on separate VLANS. You can then set up your rules and NAT and routes for each of these new interfaces and be able to selectively route to any of the three routers you mentioned. You have to be sure the three new VLANS are defined in your switch as well, otherwise your VLAN traffic won't route correctly.

Sustained gigabit exchange over openvpn? I think you saved yourself a whole heap of headaches.

I have a followup.  I've got this setup and it seems to work, hurrah, thanks jimp! However when I change the 0.0.0.0/0 to us the gateway group, my VPN tunnels crash and burn.  Is this still good advice?  I note it's for 1.2.  Basically add the remote networks using WAN1 gateway explicitly and then use the 0.0.0.0/0 via gateway group after the remote network rules.  Does that sound right or am I going down the wrong path?

I removed the other post for you. The gateway would show as "down" if unplugged/down on the interface, even if you disable gateway monitoring. Or at least it did last I tried it…

Are you NATting with the VIP not the default NAT rules?

thank you very much for your reply. just another quick question. since (afaik) certain games are relying on UDP packets for communicating with the server, if i have a load balancing configuration and the rule for switching traffic from one to another triggers, what might it happen that the client gets dropped? especially in those games where the client is authenticated with the server, do you know if there are workarounds for this problem?

To clear this up and get more / better response, I would suggest a simple diagram of what you have, and what you want.  Simple is better in explanations and design.

You can use that first static ip address, but using port forward or use the second ip address as part of vip, 1:1 nat, and adding fw rule. To see second option: http://forum.pfsense.org/index.php/topic,64387.msg348884.html#msg348884

Soon as a I saw 2.0.3 and IPSEC, I cringed. Try the same setup using a different version of pfSense.  Try 1.2.3, 2.0.1, 2.0.2 or latest snapshot - just not 2.0.3.  Look at IPSEC section and you will know what I mean.

Figured this one out. Somehow pfSense's WAN interface became Private network under Windows however both, pfSense's and Windows' LAN interfaces were 'Guest or public networks'. Naturally, Windows restricts access to files on public networks and changing network profile from public to private solves all issues at once!

I finally find out what I was doing wrong. All my virtual interfaces where NOT mac-spoffed. So all interfaces had the same MAC address. In that way, the MAC table of the switch was going crazy .. the same mac address can NOT be on different port at the same time. Shame on me -(

clear,… one of the easiest thing mentioned here often / several howto's are offered... define both gateways  (System => Routing) put them in a Routing Group ... (depens on your wants... loadbalancing, failover mode)

SteveO a Network Diagram would be nice you can make one at http://www.gliffy.com , however I think I know what your problem is. If I'm thinking correctly you have two routers that you are trying to route traffic back and forth? You are not using a dynamic routing protocol like RIP or OSPF but are just using static routes? From your PfSense router you have made a static route to your 192.168.x.x network my question is did you make a static route on your other router to send 10.0.x.x traffic back? If not it won't work. Sometimes people incorrectly think that a router will send traffic out of the same interface that it came on but you have to make a static route if your not using a routing protocol. To make your job easier I would use a routing protocol like RIP, this will make your life easier without having to make a butch of static routes. Option 2 If you have a static route on your non-PfSense router do you have any access list that would block traffic on the far end? Try doing a traceroute from both sides to see where the traffic is dropping. On your second router if you are using something like Cisco you can issue the command show ip route to see what networks your router knows about. If you don't see something like: S    10.0.0.0/16 via 192.168.70.x S*  0.0.0.0/0 [254/0] via 192.168.70.x Then your router doesn't know how to reach your PfSense Network

https://www.dropbox.com/s/anu1tcw5g4br6ri/2013-07-09_08-38-44.png https://www.dropbox.com/s/o7kq05d8ajjp6t2/2013-07-09_08-44-39.png Here is a picture for those that just maybe are not sure of which I speak of

@Edwin: . So, as a test, I uninstalled squid -> problem solved!!! Yup that happen to me also before. so i just installed proxy plus on the client to use both wans with proxy. Yet after upgrading to pf 2.0.3 with squid both wans are working fine. Glad you fix the problem.

To encourage you, what you are doing is unusual, but from the description you give it should work. The pfSense by default will do NAT between LAN and WAN. So when you connect from the LAN side 192.168.11.n into the "hidden" subnet 192.168.10.n the packets will be NAT'd and the clients in 192.168.10.n will see them as coming from 192.168.10.1 - that should not matter, it is just like the "hidden" subnet is an internet. In fact, that should hide complexity from the Debian host. It should think it is talking locally to someone connecting from 192.168.10.1