• Multiples Wan on same interface?

    2
    0 Votes
    2 Posts
    1k Views
    R
    clear,… one of the easiest things mentioned here often / several howto's are offered... define both gateways (System => Routing), put them in a Routing Group ... (depends on your wants... loadbalancing, failover mode)
  • Firewall off – routing problem

    8
    0 Votes
    8 Posts
    3k Views
    M
    SteveO, a network diagram would be nice; you can make one at http://www.gliffy.com. However, I think I know what your problem is. If I'm thinking correctly you have two routers that you are trying to route traffic back and forth? You are not using a dynamic routing protocol like RIP or OSPF but are just using static routes? From your pfSense router you have made a static route to your 192.168.x.x network. My question is: did you make a static route on your other router to send 10.0.x.x traffic back? If not, it won't work. Sometimes people incorrectly think that a router will send traffic out of the same interface that it came on, but you have to make a static route if you're not using a routing protocol. To make your job easier I would use a routing protocol like RIP; this will make your life easier without having to make a bunch of static routes.
    Option 2: If you have a static route on your non-pfSense router, do you have any access list that would block traffic on the far end? Try doing a traceroute from both sides to see where the traffic is dropping. On your second router, if you are using something like Cisco, you can issue the command show ip route to see what networks your router knows about. If you don't see something like:
        S    10.0.0.0/16 via 192.168.70.x
        S*  0.0.0.0/0 [254/0] via 192.168.70.x
    then your router doesn't know how to reach your pfSense network.
  • Web-with virtual hosts,File,FTP server problem most likely user error lol

    7
    0 Votes
    7 Posts
    3k Views
    B
    https://www.dropbox.com/s/anu1tcw5g4br6ri/2013-07-09_08-38-44.png https://www.dropbox.com/s/o7kq05d8ajjp6t2/2013-07-09_08-44-39.png Here is a picture for those that just maybe are not sure of which I speak of
  • Gateway Groups for directing traffic does not work

    8
    0 Votes
    8 Posts
    5k Views
    K
    @Edwin: So, as a test, I uninstalled squid -> problem solved!!!
    Yup, that happened to me also before, so I just installed proxy plus on the client to use both WANs with proxy. Yet after upgrading to pf 2.0.3 with squid both WANs are working fine. Glad you fixed the problem.
  • Newbie Routing/Firewall question

    2
    0 Votes
    2 Posts
    2k Views
    P
    To encourage you, what you are doing is unusual, but from the description you give it should work. The pfSense by default will do NAT between LAN and WAN. So when you connect from the LAN side 192.168.11.n into the "hidden" subnet 192.168.10.n the packets will be NAT'd and the clients in 192.168.10.n will see them as coming from 192.168.10.1 - that should not matter, it is just like the "hidden" subnet is an internet. In fact, that should hide complexity from the Debian host. It should think it is talking locally to someone connecting from 192.168.10.1
  • Move computer to different interface

    2
    0 Votes
    2 Posts
    1k Views
    P
    What is your physical network layout? I am guessing that you have: a) pfSense LAN port connected to a switch, which connects to the various devices in LAN. b) pfSense Office port connected to a switch, which connects to the various devices in Office. If it is a physically-cabled home/office then you have to find some way to make the cable from your PC go to the Office switch. If you have VLANs, then you will be able to change the VLAN switch configuration to tell it which ports are in the LAN and Office networks. Tell us more if you need help.
  • Guestlan

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    I
    It seems I have posted this in the wrong section, could a moderator move it?
  • Multiple Wan + Multiple Class IP over CDN

    1
    0 Votes
    1 Posts
    869 Views
    No one has replied
  • 0 Votes
    8 Posts
    3k Views
    M
    Sure, anonymized and posted below (but I didn't change the netmasks to reflect my fictitious IP range).  Vr1 is connected to the ISP where the firewall only receives and responds to traffic.  No traffic seems to leave the firewall on that interface.

    vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0 prefixlen 64 scopeid 0x1
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
            ether 00:0d:b9:12:e9:61
            inet6 fe80::20d:b9ff:fe12:e961%vr1 prefixlen 64 scopeid 0x2
            inet 1.1.1.1 netmask 0xfffffff8 broadcast 1.1.1.255
            inet 1.1.1.2 netmask 0xfffffff8 broadcast 1.1.1.255
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
            ether 00:0d:b9:12:e9:62
            inet 2.2.2.2 netmask 0xfffffff8 broadcast 2.2.2.255
            inet6 fe80::20d:b9ff:fe12:e962%vr2 prefixlen 64 scopeid 0x3
            inet 10.1.10.19 netmask 0xffffff00 broadcast 10.1.10.255
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
    pflog0: flags=100<PROMISC> metric 0 mtu 33200
    vr0_vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan1 prefixlen 64 scopeid 0x8
            inet 10.0.0.1 netmask 0xffffffe0 broadcast 10.0.0.31
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 1 parent interface: vr0
    vr0_vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan2 prefixlen 64 scopeid 0x9
            inet 10.0.0.33 netmask 0xffffffe0 broadcast 10.0.0.63
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 2 parent interface: vr0
    vr0_vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan3 prefixlen 64 scopeid 0xa
            inet 10.0.0.65 netmask 0xffffffe0 broadcast 10.0.0.95
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 3 parent interface: vr0
    vr0_vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:0d:b9:12:e9:60
            inet6 fe80::20d:b9ff:fe12:e960%vr0_vlan4 prefixlen 64 scopeid 0xb
            inet 10.0.0.97 netmask 0xffffffe0 broadcast 10.0.0.127
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 4 parent interface: vr0

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs        Use  Netif Expire
    default            1.1.1.17           UGS         0   58450269    vr1
    4.2.2.1            1.1.1.17           UGHS        0     621319    vr1
    4.2.2.2            2.2.2.150          UGHS        0    4423618    vr2
    10.0.0.0/27        link#8             U           0  172888076 vr0_vl
    10.0.0.1           link#8             UHS         0          0    lo0
    10.0.0.32/27       link#9             U           0 1925354412 vr0_vl
    10.0.0.33          link#9             UHS         0          0    lo0
    10.0.0.64/27       link#10            U           0  160538185 vr0_vl
    10.0.0.65          link#10            UHS         0          0    lo0
    10.0.0.96/27       link#11            U           0   82327693 vr0_vl
    10.0.0.97          link#11            UHS         0          0    lo0
    10.1.10.0/24       link#3             U           0    2424247    vr2
    10.1.10.19         link#3             UHS         0          0    lo0
    1.1.1.0/29         link#2             U           0        292    vr1
    1.1.1.1            link#2             UHS         0         18    lo0
    1.1.1.2            link#2             UHS         0          0    lo0
    6.6.6.6            1.1.1.17           UGHS        0   21820627    vr1
    127.0.0.1          link#4             UH          0          0    lo0
    2.2.2.0/29         link#3             U           0          1    vr2
    2.2.2.2            link#3             UHS         0          0    lo0
    192.168.201.0/24   10.0.0.11          UGS         0    2678960 vr0_vl
  • Two LAN interface configuration

    2
    0 Votes
    2 Posts
    1k Views
    A
    Bump. Since my last post I've tried the gateway advanced option in the firewall rules but it does not have any effect. Anyone know how to tell pfsense to always answer with the same interface, or to tell it that the management interface/console only has to work with one interface? I've seen this trouble with all kinds of management protocols available: http / https / ssh … I've attached a quick diagram of what is happening to me. (I need the http out to be on the same interface as the http in.) Best regards [image: diagram.png]
  • Active Directory Groups

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Help with my setup

    2
    0 Votes
    2 Posts
    1k Views
    P
    That configuration is certainly doable. There are many posts already to help you out if you were to look. My suggestion would be to test in a lab, could be an ESX VM in segregated vswitches, till you get the hang of it, then go for production. Biggest pointer I can give you right now is that if the Cisco is only doing NAT, then that usually means it has a private address scheme. There is a setting in the WAN to block private IPs. You will need to turn that off.
  • Cable Internet - modem upstairs - ethernet into server - out to upstairs

    2
    0 Votes
    2 Posts
    2k Views
    M
    Hi, sorry my English is not so good. Please make a drawing of your network setup (or how you want to have the network flow) and maybe I can help you. Does your ESXi have 2 physical network cards? If not, then use VLANs, but then your switch must be a managed one.
    docsis ------[ESXI[WAN - PFSENSE - LAN]]-----[SWITCH]----[AP]
    regards max
  • Squid + Squidguard + HAVP and Load balancing

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    K
    yes change "wangwgroup" to use gateway instead of default (*)
  • Change MAC-address of NIC

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    VLAN MACs follow the MAC of their parent interface. Assign the parent interface of the VLANs, set IP type to none, and spoof the MAC there.
  • What am I doing wrong here with VLANs? - pfSense 2.0.3 and HP 1910 Switch

    3
    0 Votes
    3 Posts
    4k Views
    K
    @Nachtfalke: Hi, Port 1+2 are displayed as trunk ports. As far as I know trunk ports these ports accept tagged VLANs. A trunk port which has VLAN2 tagged and VLAN1 (default VLAN - better never use it) as untagged. On pfsense VLAN1 is always untagged and VLAN2 is tagged (you did that). Then you connect pfsense and HP switch through the trunk port. Now you must configure another port on the switch - lets say port 8 to be an untagged Port for VLAN2. So I would suggest the following:
    - Never use VLAN1 which is the default VLAN on pfsense and on many switches.
    - If you need two VLANs or more then create them on pfsense like VLAN 2+3 or 10+20.
    - Assign both new created VLANs on pfsense an interface on em1
    - On the HP switch configure port 1 as a tagged member of VLAN2+3 or 10+20
    - On the HP switch configure port 8 as an UNtagged member of VLAN2 or 10
    - On the HP switch configure port 9 as an UNtagged member of VLAN3 or 20
    - Connect pfsense em1 NIC with HP switch port 1
    - assign different IP address subnets for the two new VLAN interfaces on pfsense
    - enable DHCP server on both two new VLAN interfaces
    - set allow "any to any" firewall rules on the two new pfsense VLAN interfaces
    - connect a computer to the HP switch and test your setup
    - Connect a computer to the ports on
    Hey there Nachtfalke, I really appreciate that you took time out to reply, using your advice I figured out the problem!  :)
  • Multi WAN Loadbalancing with 2 or more different pfsense machines

    1
    0 Votes
    1 Posts
    971 Views
    No one has replied
  • Pfsense. squid doesn't work in transparent mode.

    6
    0 Votes
    6 Posts
    4k Views
    V
    @srk3461: Do you have anything added under access control !? Did you check "allow users on this Interface" on squid's front page i.e General Tab! Make sure to clear cache memory of your browser first! If possible post some screen shots of squid!?
    Well, in the ac tab is written "Note that the proxy interface subnet is already an allowed subnet" so I left it blank. Checkbox in "Allow users on interface" is marked. But I discovered that http://forum.pfsense.org/index.php?topic=40509.0;prev_next=next is exactly my case. When I opened the config file after I marked "Transparent proxy" and applied changes I found that "extra string". Manual correcting partly solved my problem: transp mode works normal but I can't change anything in "Proxy server: General settings" otherwise my changes are overwritten and I get the same issue.
  • Very Slow VLAN Routing and Squid+SquidGuard

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.