Route to each different subnet.
Rule in LAN to allow such traffic.
Outbound NAT rule to allow the traffic to return.
I think if you get those setup, you won't have any problems. I think I wouls also turn on the advanced option to bypass firewall rule if the traffic is on the same interface.
I have personally found BT Infinity to be wildly varying in throughput.
I have the old 40/2 service but get anywhere from the expected 36-37Mbps at 2 AM to 15-16Mbps at 6 PM.
Try it late at night.
Try using the Windows PPPoE client directly (or whatever OS you are running).
What name server should the LAN system be using? Is the LAN system correctly correctly for that (static IP) or getting the correct name server IP address from its DHCP server? Is the DHCP server configured to supply the correct address?
Perhaps your firewall is blocking all access to the name server. Perhaps the firewall is blocking DNS access to the name server.
Some parts of the developer rules page on the dev wiki may be useful to you. The site for it seems to be down at the moment, so here's a cached version: http://webcache.googleusercontent.com/search?q=cache:xNnNncCyXkUJ:devwiki.pfsense.org/DeveloperRules
There are also other pages that may be useful. Cached version of the main page: http://webcache.googleusercontent.com/search?q=cache:CCzm5_BWozEJ:devwiki.pfsense.org/
It is better to get get each network segment working to the internet, then you can work on getting them to talk to each other. Basically it is rules and a lack of NAT for each network to talk to each other. Without knowing what rules you have set, what NAT you have set, and the packages you have installed, it becomes a guessing game for us. LAN is going to have a default allow rule, but any OPT interfaces will not. If you have not created a rule there then opt interfaces will not have internet or any access.
While we don't technically support that in the GUI, the underlying OS is perfectly capable of doing that. It can take a little hacking to make it work, but it can be done.
What it seemed like was happening was the web server was spending time trying to maintain dropped connections to the outside at the expense of inside connections - which should never touch the firewall. All internal machines used an internal DNS server that specified the IP for the web server that was on the same subnet. It looks like the symptoms we were seeing were indirectly related to the reflective NAT issue. For some reason there were tons of connections between the server and itself trying to loop back over an external address–-my best guess is that something somewhere was hardcoded to talk over that IP. But if that were the case, removing NAT reflection would not resolve the issue - it would still try and talk out and back and be blocked. I'm still at a loss to the exact mechanism of the problem but any speculation to help others in the future is welcome.
My guess would be that the html/php/asp is telling the client to go to http://<externalip>/internalpage.html/php/asp instead of ./internalpage.html/php.asp and as a result you where getting essentially redirected to the external ip instead of it using the internal ip from DNS. This happens sometimes when your webpage needs to load data from another page. This is generally the wrong way to setup a website IMO.</externalip>
Looks like that would reduce the amount of detail shown in the full logs. Does the firewall log view in the GUI still work properly when you have this active?
I'm not sure that's a change that many people would want to make, but it's not a large change, so people can change it on their own if they like.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
