• Routing quits working after period of time

    Locked
    0 Votes
    3 Posts
    1k Views
    Thanks for the reply! Where can I look to figure out how to put in an "ifconfig de0 up" statement? I am pretty new to FreeBSD.
  • Understanding pfSense gateway priority tiers

    Locked
    0 Votes
    2 Posts
    4k Views
    That TIER setup will cause WANA to be used all the time except when it's down, then WANB will be used until it's down too, then WANC and then WAND. If you're seeing only WAND used, most likely you don't have the routing group as the gateway for your outbound firewall rules, which is required for it to work.
  • Setup Questions

    Locked
    0 Votes
    9 Posts
    2k Views
    Fantastic! I'll be paying up in a few minutes then.
  • Routing between two pfsense systems - is this how you do it?

    Locked
    0 Votes
    3 Posts
    1k Views
    Well, that's a good question  :) I found another (hopefully more reliable) machine that I intended to use as my main - and only - firewall in the future. For now, I just wanted to get it installed and hopefully test some of the cool stuff with pfsense that I wouldn't want to do on my production firewall. So I thought I'd run my own little testing system and maybe put a few select users on it but I also wanted to be able to access printers etc. behind the main firewall. That's why I'm doing this.
  • Dual WAN with openVPN

    Locked
    0 Votes
    5 Posts
    3k Views
    It works now! The main problem was my ISP having a firewall on (4g Telenor).  :o
    I run on these settings:
    OpenVPN Server on Lan interface
    2 Port Forward, one for each WAN interface
    GatewayGroup in the firewall rule in OpenVPN tab.

    If    Proto    Src. addr  Src. ports  Dest. addr    Dest. ports     NAT IP      NAT Ports       Description
    OPT1  TCP/UDP  *          *           OPT1 address  1194 (OpenVPN)  IP_Pfsense  1194 (OpenVPN)
    WAN   TCP/UDP  *          *           WAN address   1194 (OpenVPN)  IP_Pfsense  1194 (OpenVPN)
  • Single VLAN

    Locked
    0 Votes
    2 Posts
    1k Views
    Soon we will be upgrading the connection so our ASA will send traffic to a switch port connected to the WAN interface of our PFSense box.  The LAN interface is connected to a wireless AP. The traffic to that switch port will be tagged with a VLAN ID so we can keep traffic separated.

    i'm unsure as to what you mean there? do you mean ASA > pFsense > Wireless only?
    if you are using vlans, the pfsense port will need to be configured with the vlans in use. generally, the pfsense port would include all the vlans that you are using as in most cases it's the router and it has to route traffic on the vlans to other networks eg the internet etc
    the switch behind pfsense is usually where you configure what ports are members of what vlans.
    For example
    Pfsense:
    WAN PORT = untagged > internet
    LAN PORT = vlan2 = PRIVATE, vlan3 = PUBLIC
    The LAN port is plugged into say PORT 24 of the switch.
    Switch:
    PORT 24 = member vlan 2(private) & 3(public)
    PORT 1 = member vlan 2(private) = plug private PC in here
    PORT 2 = member vlan 2(private) = plug private PC in here
    PORT 3 = member vlan 2(private) & vlan 3(public) = plug wireless access point in here
    Wireless access point:
    SSID = PRIVATE = vlan2
    SSID = PUBLIC = vlan3
    the above setup will allow anybody connecting wirelessly on the PRIVATE network to connect to all of the PRIVATE pc's because it is on vlan 2 and also go to the internet if you have configured pfsense to do this. Anybody connecting wirelessly via SSID PUBLIC (vlan3) will be isolated from the PRIVATE network (vlan2) and will go out to the internet if you have that configured.
    It's also worth remembering to put a rule in the firewall to prevent inter vlan traffic ie block if source is vlan & destination is vlan.
  • High latency

    Locked
    0 Votes
    10 Posts
    3k Views
    Thanks a lot sir
  • Vlan Routing Question

    Locked
    0 Votes
    2 Posts
    1k Views
    VLAN IDs are site-specific. You can route between them with multiple phase 2s on IPsec.
  • Multiple subnet routing questions

    Locked
    0 Votes
    3 Posts
    1k Views
    Hey podilarius! Unfortunately my /29's are not consecutive…..they're all over the place actually.  :-[
  • Failover from WAN traffic (WAN1) to IPsec VPN (WAN2)

    Locked
    0 Votes
    4 Posts
    2k Views
    Darnitol, you are the man!!! Works like magic, thanks a million.
  • Status Gateways with SSH.

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp
    there isn't a "pretty" status file but you can see /tmp/apinger.status (or /var/run/apinger.status on 2.0.3 and 2.1)
  • MOVED: cause of a deterioration of an E1 WAN link

    Locked
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • Deterioration of E1 WAN link

    Locked
    0 Votes
    2 Posts
    785 Views
    The same things that cause deterioration of any kind of network connectivity. Line problems, equipment problems, excessive usage, amongst other possibilities. Need more info on specifically what you're seeing/why you're asking to narrow it down to anything useful.
  • Double NAT config issue, help required

    Locked
    0 Votes
    10 Posts
    2k Views
    port 1, 2 and 4 are on different vlans so untagged is fine and port 3 is tagged meaning trunk port. I tried wireshark and it's the pfsense mac only that goes to isp, cisco switch has its own mac in between for Ethernet packets but the isp is detecting the pfsense mac based on pppoe encapsulation. which linksys gateway is this and how is it to be used?
  • 0 Votes
    4 Posts
    2k Views
    @Reiner030: What usage has your firewall if you have all WAN and LANs (DMZ?) on the same side of your firewall ? It's like you put a crash wall in front of your house that no car can drive in and hurt you… But you are waiting for cars on the street side and not in the house? ;)

    i have since this post added all my firewall rules back in place, as i was suffering from the system locking up i started stripping things apart back to bare config… the public/24 is solely used for my wireless clients, i block all ports to prevent residential clients from hosting servers (Vlan CPE = net access), if they want to host then they have to upgrade their access to a business class at that point i open all ports to their ip from wan side.... Wireless ISP....
  • Multi Wan

    Locked
    0 Votes
    2 Posts
    1k Views
    I imagine it's something like this

                      -------- WAN1 ------(ISP GW)
    --LAN ---pfsense
                      -------- WAN2-------(linksys or similar GW)------(same ISP GW as WAN1)

    I read this too and I think you need at least one intermediate GW so that both WAN1 and WAN2 do not point to the same GW IP address. In this case WAN1 will point to Linksys as its gateway with address different from the ISP GW. The linksys will then be configured to point to the ISPs gateway. Disable NAT in the Linksys or whatever intermediate gateway you use if that is possible.
    Is this really a limitation in 2.0.2? I thought it only applied to 1.x releases. I'm having trouble getting dual WAN working myself and this may be part of the reason why, but in my case disabling WAN1 so that there is only one WAN and one GW doesn't help. If you ever get dual WAN to work please share your configuration.
  • Added a second LAN and the second LAN cannot connect to the internet.

    Locked
    0 Votes
    8 Posts
    3k Views
    I am by no means a pro/expert… but my first thought was: are you using auto NAT or manual NAT? If manual NAT, you need to add mapping...
  • Routing PROBLEMS with ISP and big city NAT network

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How do I make two subnets talk to each other?

    Locked
    0 Votes
    11 Posts
    6k Views
    My SlingBox has the same issue.  Will only talk to the local subnet and won't route. I got around this by adding a NAT rule to hide all the traffic coming from other networks behind an address local to the slingbox.
  • Multi-WAN fails due pinging default GW

    Locked
    0 Votes
    2 Posts
    1k Views
    Ping something else like Google's DNS servers (8.8.8.8).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.