Should I provide more specific Infos ?

[image: ss1.png] [image: ss2.png] [image: ss3.png] [image: ss4.png] [image: ss5.png] [image: ss6.png] [image: ss7.png] [image: ss8.png] If you need a further diagram let me know… if anyone knows a good software program (free/perhaps online) for drawing a quick one let me know... basically local network is 10.2.24.0/24   the real LAN range is 10.2.27.1-255 though /24 is allowed        /          DSL (OPT 1) is on DHCP 193.168.x.1 (OPT1 is connected to DSL modem/router)                     and static WAN is 50.XXX.5X.121/29 Default GW is .126        bogon RFC is not turned off)

I would expect to have to goto System Routing and setup a Gateway named something like LAN1_OPT1GW assigning the LAN1 interface and having a gateway and monitor IP matching the IP of OPT1.  OPT1 of course being on a different subnet than LAN1. This should create a static route automatically. Then goto Status, Gateways to ensure the gateway link is established. At this point you should be able to ping devices in OPT1 subnet from the LAN1 subnet. Rules could also be added to define specific traffic to pass from Lan1 via the LAN1_OPT1GW gateway.

You can do this also by changing the gateway in the Firewall->Rules->Edit.  There is an advanced section at the bottom of the edit page.  Click on the Advanced button next to Gateway.  Choose the gateway for the particular LAN you are editing. In your case you'd edit the 192.168.5.0/24 page and select Opt3 as the Gateway.  That's it.

NVM Turns out ISP had routed an IP range that was already in use.

solved: firewall > nat > outbound changed to manual and created a rule: source: 192.168.100.0/24 destination: 192.168.0.0/24 translation ip: virtual ip alias 192.168.0.142 then changed the gw to 192.168.0.1 and added a static route

Hi, As stated in the original reply, as long as your firewall is patched into a VLAN-capable switch, you can create a separate VLAN for each of the networks (eg: VLAN-ID: 1681 = 192.168.1.0/24, VLAN-ID: 1682 = 192.168.2.0/24, VLAN-ID: 1683 = 192.168.3.0/24) and bind each VLAN to the same physical interface (eg: bge0). This will create three new interfaces, each bound to the same physical NIC but on separate VLANS. You can then set up your rules and NAT and routes for each of these new interfaces and be able to selectively route to any of the three routers you mentioned. You have to be sure the three new VLANS are defined in your switch as well, otherwise your VLAN traffic won't route correctly.

Sustained gigabit exchange over openvpn? I think you saved yourself a whole heap of headaches.

I have a followup.  I've got this setup and it seems to work, hurrah, thanks jimp! However when I change the 0.0.0.0/0 to us the gateway group, my VPN tunnels crash and burn.  Is this still good advice?  I note it's for 1.2.  Basically add the remote networks using WAN1 gateway explicitly and then use the 0.0.0.0/0 via gateway group after the remote network rules.  Does that sound right or am I going down the wrong path?

I removed the other post for you. The gateway would show as "down" if unplugged/down on the interface, even if you disable gateway monitoring. Or at least it did last I tried it…

Are you NATting with the VIP not the default NAT rules?

thank you very much for your reply. just another quick question. since (afaik) certain games are relying on UDP packets for communicating with the server, if i have a load balancing configuration and the rule for switching traffic from one to another triggers, what might it happen that the client gets dropped? especially in those games where the client is authenticated with the server, do you know if there are workarounds for this problem?

To clear this up and get more / better response, I would suggest a simple diagram of what you have, and what you want.  Simple is better in explanations and design.

You can use that first static ip address, but using port forward or use the second ip address as part of vip, 1:1 nat, and adding fw rule. To see second option: http://forum.pfsense.org/index.php/topic,64387.msg348884.html#msg348884

Soon as a I saw 2.0.3 and IPSEC, I cringed. Try the same setup using a different version of pfSense.  Try 1.2.3, 2.0.1, 2.0.2 or latest snapshot - just not 2.0.3.  Look at IPSEC section and you will know what I mean.

Figured this one out. Somehow pfSense's WAN interface became Private network under Windows however both, pfSense's and Windows' LAN interfaces were 'Guest or public networks'. Naturally, Windows restricts access to files on public networks and changing network profile from public to private solves all issues at once!

I finally find out what I was doing wrong. All my virtual interfaces where NOT mac-spoffed. So all interfaces had the same MAC address. In that way, the MAC table of the switch was going crazy .. the same mac address can NOT be on different port at the same time. Shame on me -(