Will do! :) @Metu69salemi: edit your first post subject field with [SOLVED]

@somentity: This box is a dedicated box that only has two NICs. Transparent box would need 3 nics, 1 wan, 1 lan & 1 management @somentity: My question is: in the web configuration how do I create a SINGLE IP route to the router?  I do not want more than that.  Is it practical to do what I envision? System:Routing:Routes

Just for your and others information: After I've figured out what was wrong, I started to search for "pfsense nat interface group" and it appears there are a lot of questions on this topic. And the answer is that we can't use interface groups with NAT. Looks like they can be used just for blocking rules. Digging into details, each NAT rule for the real interface has a reply-to keyword which states which interface must be used for reply traffic: pass in log quick on re1_vlan442 reply-to (re1_vlan442 10.4.255.254) inet proto tcp from any to 172.26.2.76 port = ddm-rdb flags S/SA keep state label "USER_RULE" When we try to use NAT on interface groups that rule changes to: pass in log quick on INTERNET inet proto tcp from any to 172.26.2.76 port = ddm-rdb flags S/SA keep state label "USER_RULE" So, it appears the system just has no ideas where to send the replies and chooses an interface randomly or sort of. I might be wrong, but it looks like a bug of pf-subsystem. It definitely knows where the traffic came from and why it does not use this information - god only knows. Thank you again, heper, and have a nice weekend!

as said check the gateway & subnet settings, also make sure you are using the correct physical interface on the pfsense ;)

http://forum.pfsense.org/index.php/topic,28379.msg148389.html#msg148389

First let me ask you this, how many LAN hosts do you really need? As it stands right now using a 16 bit mask your LAN can be anything from 192.168.0.1 to 192.168.255.254. That's a total of 65543 hosts you could have. I'm going to guess you don't really need that many but took a quick change to open things up a little? You even state your DHCP now only hands out addresses from 1.100 to 2.254 which is only 408 addresses if my math is right. Is this DHCP just for wireless clients and there is another for hardwired? What about static clients? If you were to start with 192.168.0.x you could go up to a 21 bit mask (255.255.248.0) before you would interfere with your existing WAN segments. This would give you a range of 192.168.0.1 to 192.168.7.254 for a total of 2046 hosts. If that isn't enough hosts, you will need to start your LAN segment at 192.168.32.x and you can start with a 20 bit mask (255.255.240.0) and have 4094 hosts or a 19 bit mask (255.255.224.0) and have 8190 hosts. There's plenty of other combinations you can come up with that don't encompass 10.x and 20.x on this tool: http://www.subnet-calculator.com/cidr.php if you need even more hosts. Now, if for some reason you really DO need a full 16 bit mask on the LAN side your best bet is to change the address range that the WAN uses. Stick the WAN in the 172.16.x.x range or a 10.x.x.x range. Though if you really are using ALL of the 192.168.x.x range, or plan to then I'd suggest moving your LAN to 172/10 instead of the WAN so you have more expansion room. Even if you aren't using the full /16 (which I strongly doubt you are since a /24 previously served your needs fine), I would still suggest moving your WAN segments. If you are able to, I would stick them on 254.x and 255.x so they are way out of the way. Even better would be shortening their mask from a /24 to a /30 or /29. You don't need a full /24 for two hosts each. If you can do that, I would set them to 255.1/255.2 and 255.5/255.6 on a /30 subnet each or 255.1/255.2 and 255.9/255.10 on a /29. Anything you can do to shorten the WAN segments as they definitely don't need to be on full /24's though depending on the kind of DSL modem they are, they may be "dumbed down" and might not be able to do anything less than a /24.

I don't call that multi WAN dude, one WAN, seperated using switch??

What rules you have concerning to that routed location. Asymmetric routing shouldn't work with SPI, meaning that sending traffic from GW-A and receiving to GW-B should not be working

Make sure that you put the correct IP monitoring address. Pfsense thinks that the first tier is just fine, so it won't move to another.

Thank you. I do not want to hijack this thread, though. There is a site for ecommerce tat we buy computer parts, which works with partner accounts. While logged in, we get kicked out, and they told us that it happens because the wan ip has changed. It should not be happening right? I check the Firewall logs when we access this URL, and pfsense uses the rules we created for this specific URL. How can we check if it it changing WANs? Bet regards Kostas

I totally forgot about this thread, sorry. I updated Quagga to the newest pfSense package available (just today) and gave it a try. The PID fix did not work. Upon a cold boot it spams my log with: Jul 17 18:52:08 zebra[39656]: Zebra 0.99.20.1 starting: vty@2601 Jul 17 18:52:08 zebra[39656]: Zebra 0.99.20.1 starting: vty@2601 Jul 17 18:52:08 ospfd[40230]: OSPFd 0.99.20.1 starting: vty@2604 Jul 17 18:52:08 ospfd[40230]: OSPFd 0.99.20.1 starting: vty@2604 About 10 times over, then Quagga does not form any neighbor relationships until I restart it manually. Another bug that seems to have been introduced is when the internet goes down for a few minutes and the neighbor relationship is lost, it never regains it again. I tried a few separate times to no avail. As soon as I made the few changes below, I have been throwing everything I have at it. Power failure, internet failure, and interface failure all for varying amounts of time. The relationship came up every time. I had to remove a few lines and add a few. The sleep 60 may be unnecessary, but I didn't want Quagga coming up before my OpenVPN tunnel which it seemed to do sometimes if the sleep 60 wasn't in there.     246        // Create rc.d file     247        $rc_file_stop = <<<eof<br>248     249        kill -9 `cat /var/run/quagga/zebra.pid`     250        kill -9 `cat /var/run/quagga/ospfd.pid`     251     252 EOF;     253        $rc_file_start = <<<eof<br>254 kill -9 'cat /var/run/quagga/zebra.pid'     255 kill -9 'cat /var/run/quagga/ospfd.pid'     256 sleep 60     257 /bin/mkdir -p /var/run/quagga     258 /bin/mkdir -p /var/log/quagga     259</eof<br></eof<br> Side note: What was found out on the redistribute static vs redistribute kernel? I am still going in by hand to make the change to config to redistribute kernel.

Go to SYSTEM -> Routing and configure the packet loss values for the different gateways. Or disable gateway monitoring for one gateway

Check the Docs: http://doc.pfsense.org/index.php/Multi-WAN_2.0 ;)