this is expected behavior. you can wait for old states to expire or you can manually kill states. If you search the forum there is someone who posted a script to do that automatically

@Rico Sorry, just an error writing the message. My rule was /24 New test : From pfsense host I can ping / curl any host on the lan 1 Hosts on lan1 with default GW set to pfsense works from all LAN router1 with a static route to 192.168.1.0/24 => gw:pfsense. I can access to admin interface of router 1 from lan 2 (without this rule, it's not working) I've create a rule on router1 to accept all trafic to lan2 net (192.168.1.0/24), but no result ...

No sooner had I posted this than I got it fixed. Been working at it for hours! I deleted the gateway in the WAN interface configuration and now it works. Thanks anyway :) keep up the great work bbjunkie

As mentioned above, the only setting you should have to change is under routing. On the routing page, make sure you go to Default gateway IPv4 and select the gateway group you defined for failover. For me that was set to Automatic and did not work as I expected when first setting this up. That should be it. [image: 1598371903814-09e2e158-12de-4f1f-a09a-9f77a2252378-image.png]

@Gertjan I'll have a watch of those videos at some point. Thanks.

Looks really nice. I always have had problems with the connection. I don't know why but where I was living was a bad connection to the internet, radio or TV. I influence it lol

@johnpoz Thank you John! I was able to get things working based on your diagram. You rock! In my case I needed to setup a transit net and also a static route on the pfsense fw to route to the downstream net via the switch/router. I then needed to add the proper pfsense rules to the LAN interface to allow traffic from each interior network.

So I finally had a chance to relax this weekend and take a step back. Seems obvious now my mistake is that I have the two servers on the same vlan and same switch so they're communicating directly - at least one-way they are. I believe my options area: Change the VLAN for one of them Change the subnets, such as putting one in the lower half of a /24 with a /25 and the other in the other half Get a swich that can do Private VLANs, port-isolation, or protected ports to prevent them from talking without sending the traffic up to the FW first I'm leaning toward 3, and maybe doing 1 in the interim while I wait for the switch to arrive.

I think I identified my problem, and figured I'd share with the community if anyone ever sees this breadcrumb again. I was trying to use a gateway group so that I had fallback for PBR - "prefer WWAN, use WAN if you must" and that didn't quite seem to be working as expected; I'd get SYN-SENT on WWAN and active state on WAN. Once I changed the PBR rule to use the gateway and not the gateway group (and, of course, tossed the states on WAN), traffic started flowing as desired. Fun, fun, fun.

When you ping LAN3 from LAN1 can you see the packets on pfSense 3 and do they have the correct IPs? If yes, can you see them on the internal interface?

te VM sofware locking VLAN packet!

Not really sure why this is a difficult question. WAN1 Uses Static (NOTHING ELSE) LAN either uses WAN1 or WAN2 depending on Failover State WAN2 Uses OpenVPN (NOTHING ELSE)