Sounds like the new subnet isn't being routed to you properly by your ISP, though not enough info there to tell you. Packet capture on WAN when trying to connect to it from the Internet, if you don't see it, you aren't getting it routed to you.

Using Squid would be my guess, that's not adequate for Squid.

On another note, remove the gateway from both of your first two rules. You want them there to avoid the policy routing, but you do not want the gateway there, that'll break connectivity to directly connected hosts on that subnet.

@jimp:

Any modem reported to work is listed here:
http://doc.pfsense.org/index.php/Known_Working_3G_Modems

If they aren't there, nobody has told us it works.

Excellent.  Thank you.

i have the same problem

I believe I may have figured out the issue. Instead of having the policy based firewall rules directing traffic I removed them and let PFSense just use its routing table. I then changed the final policy based rule saying if NOT trying to access a remote office, go out the internet group of gateways.

Very soon, found a couple issues that had to be fixed yet that required a new round of images, which means a new round of testing. Hopefully this is the last batch.

@Jeda:

but we can get out fine via the wan, so doesn't that infer that the DNS is working?  It's only between the two subnets that is problematic.
I don't understand if the ping from the 10 subnet is showing up on the 20 subnet, and I see it with wireshark on the 20 subnet, why isn't the
pc on the 20 subnet responding (same pc that wireshark is on).  so it's from 192.168.10.189 pc -> ping 192.168.20.198

Yes it does. Got mixed up with another issue. Sorry about that.

Bloody windows firewall … always gets in the way.

It seems to work now without turning that feature on. Just had to restart the pfSense box :-)

First, I'm not sure why you would keep two gateways on a single LAN, but then there's a lot I don't know.

What do you mean by "use the draytek as a secondary"? In the simplest scenario you replace the Cisco with pfsense and configure it the same. Nothing changes from the user's point of view.

Is there any way I can have a WAN2 that points to the draytek box even though it's on our internal LAN?

Are you doing that now with the Cisco? I believe you can set a static route in pfsense to use the Draytek as a gateway, then configure load balancing, failover, or policy routing as you would with a second LAN. As far as I know there's no problem having pfsense route between multiple hosts on the same network as long as your gateways, NAT and firewall rules are set up correctly. Then again, I haven't tried it.

cmb, thank you, that's both problems solved!  ;D

I'm now on 2.0 and with the setup functioning fine, although I did need to set "Disable DNS Rebinding Checks" on the second router for DNS resolution to work after the upgrade to 2.0

biggsy, no problem, I'd ask the same! It's actually because I'm bound by physical interfaces on the first ESXi server. Now that I've had a good look, I can't get another NIC in there, so I'll have to move this second router VM onto another box which does have enough NICs. Plus, I'm trying to investigate some NFS usage over time and am quite interested in the RRD graphs on the second router (keeping them separate from the ones on the first router, which should only be doing internet routing)

Thanks again,
Chris

i have a problem setting this up for single wan, single lan and single OPT…

what are the main keypoints when setting up this transparent firewall?

thanks...

@Metu69salemi:

How is your firewall setted up? How many lan nic's etc

I have 4 interfaces:

LAN
STRONGVPN
VPN
WAN

LAN and WAN are physical interfaces.

My outbound is this:

WAN  10.0.0.0/24 * * * * * NO LAN
STRONGVPN  192.168.50.0/24 * * * * * NO Phone

well im not trying to get back the values. i just dont want other people to be able to

so maybe i should change values in the rng every round, and seed it every round, and only use 1 output number?

@Metu69salemi:

I assume that pfsense is already doing loadbalancing on wans, but it still select first one and not the other one

Correct it is doing loadbalancing and I current have the working WAN with a lower metric.  When I ping from the firewall over the second wan connection to the wan's gateway.  I get really high times.  Again this is not the case when I bypass the firewall and setup a computer with the same settings.

Add a firewall rule on the LAN interface to allow 20.0.0.0/24.

Why are you using 20.0.0.0/24 for a LAN?

Hey guys,

I ended up in enabling NAT-PMP. In some test connections to echo123 it then gave me udp status local: good. I also thought about adding port forwardings, but we have much and also changing clients.
Can anyone of you maybe tell me useful restriction rules, so that only Skype (more or less) could create NAT-PMP entries?

Ping is ICMP, and your rule has a protocol of only TCP. Change the rule to allow any protocol, or add another rule for ICMP, and then you can ping.

pfsense 1.2.3 had no true concept of weight, using 2.0 with the weight the same would be identical to 1.2.3 with one entry for each WAN in the gateway pool.

Neither 1.2.3 or 2.0 consider the actual bandwidth for load balancing - the balancing is done in round-robin style based on connections.

The only thing that would be limiting bandwidth would be traffic shaping/limters, and those would have to be setup separately.