• Lan routing help needed

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    C
    Oops, sorry to waste your time on this. The problem was I wasn't thinking about the firewalls on the computers I was trying to traceroute to. I didn't realize they were blocking the traceroute's ping. Thanks again for your help.
  • 2 lan 1 pppoe - just 1 lan work well

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P
    I am not sure if it is a typo, but you have listed 192.168.10.0 and 192.168.2.0 and in the dump you have 192.168.7.0. You also have a block rule that blocks traffic from LAN2 to LAN1. (that first rule) You might have to switch to Manual outbound NAT, but Auto should work.
  • Client based gateway choice

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Not possible, the gateway is the internal-facing NIC. The only thing a gateway IP does is provide a MAC address to use for the destination of your off subnet bound traffic, which would be the same no matter how many IPs you put on an interface. If you dual homed the source machine, and put two internal NICs in the firewall, and could control routing from the source OS, you can do it that way. In most circumstances, such routing from the source OS will not be feasible.
  • CARP failover and MultiWAN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Routing from 192.168.1.0 to 10.61.89.0

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W
    If I ping 10.61.88.254 from the lan 192.168.1 network it replies correctly! A clue?
  • Route without Gateway

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    F
    Thank you for your hints. I tried them before I started this thread. But they don't work, so I concentrated on "cloning" the working route from the linux box, because there it is working. I agree with you the cleanest way is the ip alias. But the problem is adding the ip alias only works locally on the pfsense box, not on another machine using the pfsense as gateway. When I do a tracepath on the other machine that uses the pfsense as gateway, I see the route stops on the default gw of the wan interface of the pfsense. But the subnet is in the lan interface of pfsense. I use a gateway group to implement a WAN failover. So I have a firewall rule that routes the traffic from lan to the gateway group as described here: http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing at "Set up the basic firewall rules for outgoing access". I think this could be the problem. Writing this text I had the idea that I have to add a firewall rule for the subnet with the virtual ip. I had done this before too, but I had not placed the rule before the failover route for the gateway group. Now it works perfectly. Thank you for pushing me in the right direction. I hope this post can help someone having the same problem, though this might be a very rare configuration ;-)
  • Ipsec route exchange, rip? bgp?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    not sure how many months it's been there …. there's also the openospf package that does basically the same, but devs recommend the quagga version because openospf occasionally flunks out. kind regards
  • Help with new setup - VLan, dual modems

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    S
    Yes the pfsense authenticates through the modem and gains Inet IP and Inet gateway. Cannot ping internet host, can ping the assigned gateway. PFSense has the INet assigned gateway as the default. Thanks :)
  • Unable to route between subnets

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    Genius! I remember having this issue a few years ago now - not appreciating that traffic needed to know how to get back (I had the firewall set up OK to allow the traffic in both directions but only the route set up in one direction). Thanks a million!
  • Configuring 2 separate LANs using a single cable modem feed

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    marcelloc
    @rana: hey marcelloc how i make this rule? i have two lan and i don't want them talking to one another
    you just need to create a rule on lan and lan2 before the rule you allow access.
    on lan: source = lan net, destination = lan2 net
    on lan2: source = lan2 net, destination = lan net
  • Pfsense 2.0.1 multiwan and failover problem

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    X
    @heper: might be the same problem squid has … process binds to the default gateway | lan rules are not applied.
    solution for failover: enable 'default gateway switching' if possible in your setup (System: Advanced: Miscellaneous)
    solution for loadbalance & failover: use floating rules to match proxy http requests and send em out the correct gateway (search for squid + loadbalance)
    kind regards ;)
    this is what i missed thank you sir
  • Bridging two pfsense routers via opt1 interfaces

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G
    Bridging == layer2 only. There's no IP address or whatsoever involved. And if those 2 pfSense boxes are in the same building and you ask about cables: Why do you need pfsense boxes to bridge 2 networks if you can do this with a simple network cable? If you speak about bridging 2 layer2 networks over a bigger difference (like internet or wan connection) it's something completely different. But for bridging 2 networks within the same building there's no need for pfsense. Every switch or straight cable can do it better and likely more performant instead of having some kind of software in between.
  • Quagga installation error (chown /)

    Locked
    13
    0 Votes
    13 Posts
    4k Views
    G
    Atm I can't find any workaround for this variable/scope issue during the package installation process apart from creating constants for all variables. I've the feeling that multiple require_once calls in different places (install_package_xml, sync_package, uninstall_package) can cause these issues. The way with using a constant is the only practical way atm without doing a bigger redesign. Oh btw, you can move all the pkg_* variables into the install_conf() functions. They aren't used anywhere else apart from the config installation. I attached a patch against the current git version. It also added support for raw config of zebra.conf and ospfd.conf. You need to be able to edit both files, because quagga static routes and everything routing/kernel related are handled by zebra and only ospf stuff is handled by the ospfd. There's a feature called integrated config where you only have one config (like if you would use vtysh on the cli) but the quagga team recommends having separate configs for each daemon (zebra, ospf, bgp, isis). quagga_ospfd.patch.txt
  • Inter-VLAN Routing stopped working

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    G
    lol, me neither! Was just hoping someone would have some idea how to troubleshoot further. The only change that has happened is that more VLANS have been set up but since previously I didn't use intervlan routing very much I didn't notice exactly when it happened. Am busy building a second box as I was planning on setting up CARP anyway so will replace with that and see what happens. Thanks Graham
  • Routing traffic to a remote site

    Locked
    1
    0 Votes
    1 Posts
    908 Views
    No one has replied
  • 4 WANS - 7 LANS

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    @Horak: However, unless you use Quick Match on a Floating rule for inbound interfaces, it never gets applied. Is this correct?
    Not exactly. The first matching quick rule will apply for firewall rule purposes, but there are reasons (generally on match rules only) to use floating rules without quick. In general, unless you use quick, traffic will always match some later rule with quick, so the action if it's pass/block/reject will not be applied in that instance without quick.
  • Latency and packet loss threshold

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    ptt
    Default values from "apinger.conf":
    ## "Down" alarm definition.
    ## This alarm will be fired when target doesn't respond for 30 seconds.
    alarm down "down" {
        time 10s
    }
    ## "Delay" alarm definition.
    ## This alarm will be fired when responses are delayed more than 200ms
    ## it will be canceled, when the delay drops below 100ms
    alarm delay "delay" {
        delay_low 200ms
        delay_high 500ms
    }
    ## "Loss" alarm definition.
    ## This alarm will be fired when packet loss goes over 20%
    ## it will be canceled, when the loss drops below 10%
    alarm loss "loss" {
        percent_low 10
        percent_high 20
  • Route VoIP Phones over specific WAN Connection Issue

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi-WAN, single LAN; Route VOIP/Skype traffic over one WAN

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    E
    Just to add some more info:
    - I am using pfSense 2.0.1-RELEASE
    - The appliance running pfSense is a Soekris net6501 600MHz Atom box
    - Creating a Firewall Rule that uses the layer7 skypetoskype profile and applying it to all traffic from the LAN interface, with WAN2 selected as the gateway, seems to make the box burn 100% CPU and be unresponsive to all internet requests. This makes me think that I am using the filters wrong.
    Again, any help, however broad and vague, that could help me in accomplishing the stated goal would be much appreciated. Please let me know what other information may be needed in order to route the Voip traffic over one of two WANs. Thanks!
  • VLAN (tagged/trunk) setup with HP 1810 switch driving me NUTS

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    R
    Hi ck42, Did you ever get this resolved? I'm trying to set up VLANs with a HP 1810G. I have spent 2 full days poring over every resource I can locate and am still a little stumped. Michael