Have you worked through https://docs.netgate.com/pfsense/en/latest/book/trafficshaper/limiters.html ? -Rico

@johnpoz This solves my problem. Thank you two buddies!

It won't be "proper" HA as there is no way for the dynamic WANs to participate in CARP or to trigger an HA failover. There would be no seamless failover of clients if the primary node failed to the secondary while the dynamic WAN was in use. So it can function in the most basic sense -- Multi-WAN could possibly work (gateways may be tricky, for one) but it wouldn't be a good experience and that's one of the reasons we say that type of configuration is unsupported. If there is only a single shared CPE for the dynamic WAN, you could enable routing mode in the CPE (if it has one) and then setup HA w/CARP on pfSense in the private subnet behind it. Setup 1:1 NAT on the CPE to map all traffic on its public address to the private CARP VIP. That won't work if each HA node has its own separate second WAN, though.

Post up screenshots of your firewall rules. And, like I said earlier, that extra router behind pfsense is probably causing the problems. Jeff

Thanks. This pfSense VM article is what I followed. Bit confused with the interfaces, so that may be an issue.

Heh... I kinda thought that might be the case. At least that one's an easy fix. Thanks again for all of your help!

I got my issue resolved and feel quite relieved - but also kind of embarassed for taking so long to find the problem. In the hope that it might save someone else from digging around for days, here is what I found. Problem was: private IPs will not be routed. All my 192.168.xx.yy/24 networks are private networks and I force-routed them a little way but could not get them through all the way. Solution was: set an outgoing NAT rule: [image: 1582831485259-c274d0d7-6f2c-4f73-8f12-75283e7ab6a9-grafik.png] Again: router A is the openVPN server, it has subnet 192.168.225.0/24. The above setting is for router B, which has subnet 192.168.245.0/24 for LAN. This permits a host in B's subnet to reach a host in A's subnet. A corresponding NAT rule will be required on A for the opposite direction. I my case server A will assign an interface address to B, so the NAT address needs to be B's openVPN interface address. What else did I learn? For one thing, Apple's version of ping supports some really helpful options: -A will make a sound for each outgoing packet -a will make a sound for each incoming response -f will flood the target with ICMP packets. On an otherwise quiet system, this permitted me to see where my packets were going just by looking at pfSense's traffic graphs on the dashboard. Another thing is, it took me ages to get to the solution but I feel that all the failures I have been through taught me more than I ever wanted to know Keep working on your problems, eventually you will master them!

nice !

Thanks for the replies. Here are some screenshots of my LAN rules, gateways and gateway groups.[image: 1582649669114-lan_rules.png] [image: 1582649669069-gateways.png] [image: 1582649668917-gateway_groups.png]

Dear All, Do i need to reconfigure the pppoe with vlan after initial setup?

@johnpoz said in WAN to WAN (LAN): ed would be when you have say a trans AHH, Thank you, So munch! Now I understand!

@johnpoz got it now..will try it out tomorrow morning in my lab and will let you know...

Dude we already went over this.. And you showed it working. Are you trying to send different traffic somewhere else? You can not send traffic hitting your pfsense on IP port X to more than 1 place.. @anders-o said in Redirect incoming data to from an external IP to another external IP address destination.: Now it seems to be working. And yes, I had the wrong port which I believe was the root of the problem here. I facepalmed rather hard after realizing I had written the wrong port number. Now the log shows: 14:26:29.771406 IP 193.181.245.214.62668 > 51.174.x.x.10564: UDP, length 39 14:26:29.771426 IP 193.181.245.214.62668 > 3.122.x.x.10564: UDP, length 39 14:27:34.731419 IP 193.181.245.220.32867 > 51.174.x.x.10564: UDP, length 39 14:27:34.731441 IP 193.181.245.220.32867 > 3.122.x.x.10564: UDP, length 39 So I think it should work fine now right? If I don't get any data now on my cloud server then it should be an issue with my firewall on my cloud server?

There is no need for static routes. From LAN you should be able to access anything as long as you haven't changed the firewall rules. On the WLAN interface you have to add a pass rule to get access.