@brandon-lizard said in Routing between WAN and LAN: Why does this have to be so hard? Its not hard... You have been given multiple options..

@townsenk64 Yes sometime i get packet loss, but most of the time its stable and loss is 0%.. [image: 1622698022589-3ac3902b-e7dc-45a4-a2d3-676f79e77016-image.png]

@townsenk64 Thankyou really appreciate all the insight

I had realized I had forgotten to add my NAT rule into my list as I am manually natting on pfSense. Once I added the VIP's and NAT rule, I was able to ping externally. Sometimes it pays to step away and look at it again a different day.

@johnpoz Thanks for explaining everything. I tried what you suggested and is succesful. The only thing was that the remote user, couldn't been able to connect through a VPN Client, that's why i make it short term access using port 100. ok, now it's clear.

@KOM the original diagram had a second pfSense box in the 10.x network but was followed with a question mark to show it was possible. i admit not clear. thanks for the suggestions, it makes sense and i will give it a shot! @johnpoz if you cannot follow this topology of a simple network, there is little else i can provide to help you. and your insistence that your earlier rant about 10.x subnets was simply to find out my level of networking experience is ludicrous and a very transparent attempt at covering up your inability to simply admit that that line of snarkiness had nothing to do with the question at hand. have a great memorial day weekend. technical skills are a dime a dozen, technical skills coupled with empathy and understanding are invaluable.

@vinicius-santosl said in multi-wan load balancing with more than 2 WAN, High Availability.: If possible, how can it be done? Hi, You can run it smoothly , the descriptions are only examples. Pick up the gateways and configure them here (GW Group) following the Netgate guide and this should also help, I repeat myself here: https://forum.netgate.com/topic/163934/sg-3100-loadbalance-and-failover/4?_=1622307884780 This will help (this is a rough link - suddenly- I couldn't find a better one for you): https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/?cf_chl_captcha_tk=b19a8d5b347fd3f6a25579b8c123f3ca7dd76d3a-1621868538-0-AaaAJyc-XA0E_URuyvq0PWv1HMcVWaLA4YlA9uq7f61D_EDbT6SdOjLrN1YNALceSrBn9ni3SZ0nlGyt5I_Tq84TJGAbMGvFE9M7ZUbtNDxplLM-ZDHu6NnftrAaEQiFjYg0SgL9q-83tjIlR1-hq6N5VWtGAqZW-u-sKKAHkSDa1EG4FRJdiQHDSekvGkAr93cuC4GnTw2McCMXeac3PZGteBkSCKnT5IkEPmR1oP7rJur3TAmtorH07uMw3O73r53cFKo29BCVD04qJ07Qqe86tKSZw2SQEskOz20mes1NUh1CMK1LPO7vJaSfqjgEl6pVzIX_tK-0-pzww_zsjSaX0iNlwF5JfEMBwmvxlgRnodHOCufP-w35cf8KbvnRKQGLaKS__z1tTiZiS5WiDldda7TcLE8xLL10jbHjV0eMrUrmmbxYSl_KiInn8845gbYf4I2yNrt2T6GMCAXXtQpWD6v3kQcl4VMKwCD_LL_BP9uy0ufhoBoFhjS-j1cbThASyTs8WufVhg143Rj2seGN4SKQsXmwHdUNzzJ_DOv7TucHqZhY0ZmiCG2QNqRLPRZ2rsl5wJi1oXadTQTrTpLVvfWVXdePbuzjslThiK10ztKkbfr6JqOAxQ2xWXnRG7fRqKFXE5Z5p_bVWVh8yoKa78YY2ag107cLwOp3J2lJtNiWSiIGC-mcRFx7FyMPqSitREY1-u-1gJh95ulIogyvrYz_LNtVDcyJ-WEgVhKah2KFo6Kg6cuFzHDiFEMf4w [image: 1622308052523-59fea0be-99d4-4079-96a0-adcf3e41a515-image.png]

@kom I agree with you but for some reason it was failing to ping the gateway. thanks for your help along the way

@smithgcovert You could run a packet capture filtered on your TV device to see what it's talking to and on which ports when you run your Spectrum app. From there you would create rules to direct traffic from that device to those IPs/ports out the WAN2 gateway. The trick is separating traffic the device normally generates versus the traffic specifically from the Spectrum app so you might have to play around with it.

@viragomann Thank you so much for taking the time to answer my queries, and to educate me, I really appreciate that. I'm learning new things all the time.

@mountainlion I disabled pf filter, now I cant get admin gui access. From console, I was able to issue pfctl -e and the gui still didnt work. I shutdown and started, still no go. Any ideas how to re-enable the gui after issuing the "disable pf-filter"?

I seem to have resolved this issue by reinstalling an older version of pfSense v2.4.5. With that in mind, I believe this to be a bug with v2.5.1.

@marekandreansky said in Adding secondary WAN to existing network without completely changing topology: Does seem a shame that they only have dual cores and 2GB of ram. Why - do you need a Ferrari to drive to the corner store, or will that Sonata work? Do you really need more horse power than needed to pull the plow, or do you need 8 Clydesdales? This is an appliance this going to really do 1 thing.. Well actually a few things, but It will do it well, it will do it for a long time, and it will use very little power doing it. The appliance update whenever a new version comes out - with appliance you get pfsense+ just use to be call FE vs CE..

@spacebass You have to route SMTP traffic from public sources over from B to A. To send response packets back the correct path to B instead out to the default gateway, there is a special traffic marking required, called reply-to. But as far as I know, this doesn’t work on IPSec interfaces and it doesn‘t work on CE 2.5.1.

@sgtkilgore406 said in pfSense Multi WAN Site-to-Site OpenVPN Tunnel Port Forward Routing Issue: I have created a virtual interface for it and created rules but the RA VPN appears to be broken. I'll fool around with the RA VPN later and try to get it fixed. It should work this way though. It doesn't matter if the rules resides on the interface tab or on OpenVPN. The OpenVPN is just an interface group including all OpenVPN instances running on the box and is added when the first one is set up.

Hello, After months of work with @amassi, here is our feedback. Multicast accross VLANs works with igmpproxy on pfSense <= 21.02.2-RELEASE but there are several cumulative constraints: Only one upstream interface so only one VLAN can send multicast at once. In theory, pimd (available in additionnal package) permits several upstream interfaces but it's totally buggy (when we start it, it tries to bind() on each network interface so it exceeds MAXVIFS kernel value - 32 - so it crashes. Obviously, it ignores its configuration file in which we have disabled unwanted network interfaces and it still tries to bind() on all interfaces). Only 32 VLANs with multicast enabled at the same time (upstream + downstreams). Cause: MAXVIFS = 32 in FreeBSD kernel. When we add CARP on each VLAN, the limit becomes 16 multicast-VLANs activable in igmpproxy. Cause: igmpproxy sees each VIP as a network interface so it tries to bind() on it and reaches MAXVIFS. The more VIP we add on multicast-enabled interfaces, the less number of multicast-available interfaces we have. Same cause. A multicast-enabled interface can't have more than six VIPs on it. Otherwise igmpproxy refuses to start. A multicast-enabled VLAN must be in the XX first VLANs listed in Interface > Assignments > VLANs (all our VLANs are configured on lagg0). Otherwise igmpproxy don't bind() on it (no log message "adding VIF, Ix XX Fl 0x0 IP 0xXXXXXXXX lagg0.XXX). On fresh install XX = 22. With CARP (for routing purpose) on all of our VLANs, XX = 21 (obviously, only VIPs on multicast-enabled VLANs are counted). With CARP for routing and destination NAT, XX = 20. If we add additionnal VIPs on these multicast-enabled VLANs, XX = 19. We have moved our VLANs with a lot of VIPs at the end of the list => they are not counted. We have added "parking" VLANs (unused VLAN IDs) in 17 th, 18 th, 19 th position in Interface > Assignments > VLANs. If we need to add VIPs on multicast-enabled VLANs, we will delete them. If we need to enable multicast on new VLAN, we will replace one ununsed VLAN ID by the new one and so VLAN will be in the 20 first multicast-activable VLANs. In addition to these limits, we had an unknown problem with our FOG setup. We have installed a new storage node (in FOG terminology) and attached it to our existing FOG server => multicast works. New storage node has same OS and same FOG version (1.5.7) than the old one. For multicast, FOG uses the udpcast tool. sha256sum of updcast binaries are equal. So no idea of the root cause, but we now have a working inter-VLANs multicast FOG server with pfSense. Finally, our XG-1541 reboot when we plug DAC cable in Chelsio's port and igmpproxy is enabled. At reboot, web gui prints core dump. Disable igmpproxy before plug DAC = no crash. In summary: if you want to use inter-VLANs multicast with pfSense, you need to use igmpproxy + take previously-listed limits into account + maybe reinstalle your FOG storage node. Bye

@webdawg I suspect, you only need NAT. Maybe you can provide more details, what exactly you're trying to achieve. Firewall rule have to be added to the interface the traffic is coming in for sure. If the address is routed to the primary one there is also no need to assing the address as VIP, but may be done anyway.

@network-stack-445 said in Does pfSense support sub domain policy based routing: IPS signature updates That is something is outside pfsense/netgate - depending on what signatures your using, there well could be a cost associated with those..