easiest way todo that would be to assign an interface to the openvpn-connection. (in the interface config set type to "none") after you assigned an interface you should duplicate the firewall rules from the openvpn connection to the new OPT interface. then restart the openvpn service. pfsense should automagically create a gateway for the new OPT interface; now you can set that gateway in your lan-firewall rule to direct certain traffic over the openvpn enjoy

Policy routing in the firewall rules. Make a rule at the top of the LAN rules to pass to/from that and select the WAN gateway.

podilarius, yeah, I had bridge0 assigned. But I have changed everything (still new to pfSense and throwing configs around) and just accomplished one of my goals: having a seperate, public AP (OPT1) with VPN routing to my LAN. samba isn't working in this setup yet but that's next. :)

Im upping this… no clue anyone?

an extra bone… under diagnostics > ping > I am from the wan interface able to ping  the linux clients, example 172.16.2.10  but not the windows client 172.16.2.30 ... any ideas?

Well again the site connection has dropped out every minute, all day. I've checked squid logs and also bandwidthD and there's nothing to suggest excessive traffic on either end. However the dropouts continue. So I established a private VPN so I could look at the two pfsense appliances side-by-side. The server end never reports a drop-out, however the reconnection from the client end (every minute) is noted in the OpenVPN server logs. On the client side is a repetition of the  Inactivity timeout (–ping-restart), restarting log entry. So I tried something. I disabled the client VPN, then disabled the server VPN, waited a minute, re-enabled the server VPN, then re-enabled the client VPN. And now the connection has worked for the past hour without a drop-out. So it seems to me the problem is not necessarily due to constant drop-outs, but instead that once an issue occurs, the reconnect doesn't work properly and the client side attempts unsuccessfully to reconnect every minute, but without a full reset, the connection might not be made again all day. Frustrating….  :(

Your welcome, glad to help.

Did you have the tap bridge fix package installed? It's possible that when it booted up after the upgrade, the package wasn't installed, so it wrote out the "wrong" config for a tap setup, then the package got installed, and when you did the edit/save it then setup and rewrote a proper config for a tap bridge.

Hi Phil Just wanted to say thanks for your reply. I set the VPN connection to force all traffic over the VPN and the Port Forward worked. Thanks again for your advice. Wasca

Glad that it helped

Many thanks for directing me to this. Host 192.168.220 did have a misconfiguration - broadcast 192.168.255.255 with netmask 255.255.255.0 - which did not raise a problem until a reboot - coincidently around the time of the pfSense upgrade. Now ping is working from VPN clients to this host (and all VM's on this machine) but still a ping to the Windows 7 host 192.168.1.100 gets only answered inside the LAN, but that's obviously not related to pfSense.

Thanks for the tip, I have not yet set the default gateway to the pfSense firewall because I want to test the configuration first. But this has to be the problem.

Thanks for the feedback guys - I will try again with Open VPN as L2TP keeps dropping out

Thanks for all your help guys, I appreciate the answers. I considered using heper's solution but for the sake of avoiding all conflicts I think I might just change the addressing scheme to something somewhat random like 10.9.8.0/24 or something similar.

10x a lot, it was enough for me to understand :)

Hello marcelloc, Our Realtek Ethernet Card is in 100baseTX <full-duplex>Mode. The other Szenario is with Intel Gigabit Cards and we tested OpenVPN and IPsec with Tuneables No Success :( Can someone help us or have ideas for more performance We think 100baseTX <full-duplex>Realtek over IPsec or OpenVPN with Crypto should have 80MBit/s Performance over Tunnel.</full-duplex></full-duplex>

OpenVPN client advanced config, like this screen shot. On the server end, you can just have 1 OpenVPN server running, listening on LAN. Then port forward the port you want to listen on from WAN1, WAN2… to LAN. That way the same OpenVPN server receives the connect requests from the client, whichever public IP address the client connects to. [image: OpenVPN-Client-Dual-Server.png] [image: OpenVPN-Client-Dual-Server.png_thumb]