Figured it out! Went back to check the NAT rules and the automatic ones were gone! I guess when I change the WAN interface it deletes the automatically generated outbound NAT rules?

@smaxwell2 I forgot you were running through tunnels, so you do need that GW. Spreading the default route via OSPF may not be the right way to go for this. If there is only one tunnel from each site to the central it will be much easier just to specify the default route for the needed networks statically.

@bryon I decided the simplest and most secure way forward is to create a jumpbox with two NICs. I ssh to the jumpbox when I need to access the management LAN. I plan to add a web proxy to the jump box so I can access web-based machines in the management LAN. If anyone has alternate ideas then I'd love to hear them.

Reject or Block is fine - I use reject on many a local rule that I block, because that way you "know" instantly its blocked because the firewall send you back info - hey your not getting there, go away! ;) Reject on a wan side rule is almost always a very bad idea.. Since you rarely want the firewall to send anything in response.

I have a problem like this. Two WAN connections, one static and other DHCP. WAN DHCP is my main connection and works normally alone. I did all the configuration to work with failover but when I disconnect the DHCP WAN the other WAN does not go up. I have little knowledge in pfSense so there is probably a problem with the configuration.

Hi all, just thought I would report back on this one. Finally got to site today to do the config. Set the WAN up on the /30 and added a couple of the /29 range as aliases. Set Outbound-NAT to manual and configured LAN to use one of the /29 Worked a treat, so thanks for the help.

@johnpoz thanks for taking the time to suggest transit network. I've actually never heard of it before. My quick Google search only yield to definition, not practical guide. Any article you can point me to?

hi i check route table and see there is one static route for 172.20.20.8 with UGHS flag traffic to wrong gateway 192.168.193.25. manually ( from shell ) delete this route and every things goes right. used command ``` route delete 172.20.20.8

Nope, you could have 5 WANs and 1 LAN with the SG-3100 if you want. -Rico

UPDATE: Turns out it was pfBlocker. Removed it and its rules and presto the firewall is back alive. Now the bug appears to be in pfSense since pfBlockers uses its APIs to set rules....

It could work on the same subnet but should be easier to configure and make work with 2 as you have now. I haven't looked at the documentation here for awhile but they do seem to have what you're looking for. Would it be better for you to bond the connections? That could possibly work for you. https://docs.netgate.com/pfsense/en/latest/book/multiwan/multi-wan-caveats-and-considerations.html

@idiotzoo I'll give it a try! Always good to learn something new. All my local layer 3 is done in a stack of 3850s, firewall and NAT in pf. Literally just need a packet pusher that can do per-packet load sharing and failover.

this is expected behavior. you can wait for old states to expire or you can manually kill states. If you search the forum there is someone who posted a script to do that automatically