General Question pfsense MULTI WAN Rules and ERROR in Routes ?!

  • Hello,

    i have a pfsense box 2.0 beta 5 with three ethernet ports.
    wan: default gateway:
    opt1: gateway:

    i want that one client from local lan can access the optional interface gateway! only this client

    gernerally i think i need a firewall rule on top that client can access gateway or?

    and i important question i have:

    default UGS 0 731 1500 bce0        link#5 UH 0 494191 16384 lo0 link#3 U 0 5856 1500 bce0 link#2 UHS 0 0 16384 lo0 link#3 UHS 0 0 16384 lo0 link#4 UHS 0 0 16384 lo0

    link#3 is wan ;)

    why is my local net under interface wan?
    this is lan!
    how can i edit this interface entry in routing table?
    i can only access my gui when i have connected wan and lan in the same switch to my pc?

    can someone help me?

  • when i only connect lan with me pc - i cant connect :(
    firewall rules are ok!
    default gateway is on wan
    what have i to configure that i connect over wan ?
    and why i cant connect to gui ( when wan is only connected to router and lan only to network switch?

    what this please

  • From WAN side ALL ports are blocked by default. You have to create a firewall rule on WAN side which allows to pass to WAN-Address with port 80 (http) or port 443 (https).

    The rule for the client to go over your OPT interface should look like this:

    source IP: IP of the client
    Port: any
    destination: any
    Port: any
    Gateway (OPT) (For this, you have to scroll down and click the "Gateway" button.

    This rule should be on the top of the rules.

  • yes this good! ONE STEP BACK!!!
    i make it simple….something missed by my configuration ;)

    clients are connected to lan interface
    on wan is connected the router

    i have any any any rule for testing ;)
    (i want use the default gateway)

    and why cant clients access internet?

    have i to create the wan interface as a gateway to lan? (static routes) ????

    i dont know why i cant access internet, when a pc is allone connect to lan and the router on wan interface - there must something fail :(
    i have only internet when wan is additionally connected to the lan switch :???
    help me please

  • For me its hard to understand what your configuration looks like.

    Can you make a picture with paint with your switches, routers and IP-addresses / subnets

  • ok one moment please….


    default gateway and dns of network client is pfsense

    with this, i can not connect to my pfsense and have no internet.

    when i connect the wan interface ADDITIONALLY to the network side, i can connect to pfsense and internet!
    i have test it, i can disconnect the lan cable and have access and internet :D …when wan addiotionally connected to the switch ;)

    i want no bridging! i want to access wan / internet from network client

    the default gateway on wan is the router
    and the gateway is online!
    my firewall rules are allow all for testing
    i use pfsense 2.0 beta 5

    my routing table:
    default UGS 0 8514 1500 bce0        link#5 UH 0 21372 16384 lo0 link#3 U 0 15067 1500 bce0 link#3 UHS 0 1552 16384 lo0 link#4 UHS 0 1214 16384 lo0

    my interfaces:
    WAN interface (bce0)
    Status up
    MAC address 00:26:b9:75:5c:bb
    IP address  
    Subnet mask
    Gateway COLT
    ISP DNS servers

    LAN interface (bce1)
    Status up
    MAC address 00:26:b9:75:5c:bc
    IP address  
    Subnet mask

    my prot forwarding for squid proxy
    If Proto Src. addr Src. ports Dest. addr Dest. ports    NAT IP NAT Ports Description

    LAN TCP             *     80 (HTTP)       *     3333 *


  • a traceroute output from netowrk client, with addiotional cable connection from wan to lan switch

    C:\Documents and Settings\OnkelDave>tracert

    Tracing route to []
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms
     2    <1 ms    <1 ms    <1 ms
     3     1 ms     1 ms     1 ms  …
     4     4 ms     3 ms     3 ms  ...
     5    13 ms    12 ms    12 ms  ...
     6    21 ms    20 ms    28 ms  ...
     7    25 ms    25 ms    25 ms  ...
     8    30 ms    29 ms    29 ms  ...
     9    28 ms    28 ms    28 ms  ...
    10    33 ms    35 ms    35 ms  ...
    11    29 ms    29 ms    29 ms []

    he goes directly from wan to internet!

    i think by correct config he have from…
    lan -> wan -> internet gateway

     1    <1 ms    <1 ms    <1 ms
     2    <1 ms    <1 ms    <1 ms
     3    <1 ms    <1 ms    <1 ms

  • Ähm,

    pfsense is a routing plattform. A router connects two or more DIFFERENT networks. Your network on WAN and LAN are both the same. They are both

    On the WAN side you could use and on the LAN side use
    On the WAN side NAT must be enabled or you have to enter a static route for on the router which is DIRECTLY connected to the internet. I mean this router which has the IP

  • hi  ;D

    take a look here on my network:

    maybe it helps  ;)

  • yeah thanks!

  • this really good! its godlike ;)
    thanks for this example….
    my mistake was the same subnet for lan and wan....thats stupido

    i want to distance from bridging and ta-ta-ta its perfect -> THANKS phpzilla and THANKS Nachtfalke!!!

    to do list:
    other subnets for lan and wan
    one route: from lan to gateway router on wan
    firewall rules all access
    thats all!

    one question left:

    before i had bridged interfaces (wan / lan)
    and this was like a tranparent firewall i think.....i had to only set rules on lan tab for access or denied things on wan and lan!
    yet? can you explain me how is it managed in routed pfsense modell

    have i to set wan rules only in wan and in lan i need only : source lan subet access to any ?

    thanks for help

  • its seems like that wan rules tab is ignort…..?

    when i set in wan firewall rules block any any any any any
    and i set lan rules pass icmp for all

    i can ping

    only when i block it in lan tab, i cant ping google.

    therefore i have to only set the lan rules tab ?

    is it right?


  • You have to set the rule in the right direction:

    If the direction is from LAN to WAN, for example a Client should not connect to or ping google, then you must enter a LAN rule.

    If you want, that someone from the internet/WAN should be ablte to connect to your LAN (Webserver, E-Mail-Server) then you must enter a WAN rule.

    Remember: NO rules means everything is BLOCKED.
    In general you do not want that someone from the WAN/internet should be able to connect to you LAN, therefor there should be no rules on WAN tab.

  • at first thanks nachtfalke


    have one more question.

    when i added a second gateway…..

    can i set a second static route with same network but other gateway?
    this way, two gateways :??

    i have only one lan but two isp gateways.....all user should use the first gateway and one user the second gateway.

    thanks for help

  • Yes, you can. For every rule you could specify a gateway.

    If you have more than one WAN, you should read more about "Load Balancing", "Multi WAN" and "Failover". I think this could be interesting for you.

    The firewall rule take effect from top to down. The first rule which matches will be used.

  • @onkeldave83:

    at first thanks nachtfalke
    i have only one lan but two isp gateways…..all user should use the first gateway and one user the second gateway.

    that's policy based routing, you can make a firewall rule for this and select the appropriate gateway to use when a packet comes in from the one user.

  • f.e.

    routing    WAN    WAN2

    and then in firewall LAN tab (top entries are dominating) one entry for this one user, how should use gateway two (wan2), with gateway entry to wan2

    is it right?


    load balancing...thats intressting yes right!
    is it for two trunking?

    thanks a lot for your professional infos !!!!

  • For example, if you would like, that Host A with should be routet over WAN2 it could look like this:

    pass * * * WAN2        This is for Host A over WAN2
    pass  * * * WAN1        This is for all Hosts from

    Load Balancing could be used for 2 or more interfaces. Its not really like trunking, its more like Bonding.
    Seach the forum for Failover, Load Balancing and Multi-WAN. Check the pfsense docs, too.

  • ok thanks nachtfalke!
    i will try this!

    i found good tutorials for load balancing and failover….

    but there is a difference in it!
    some make it with a bridge between the wan connections and some not.
    what is the better way ?

    thanks for help

  • Sorry. DOn't know when to use this in bridge mode.
    I use it without bridge and I think this is the normal way to use Load Balancing. Perhaps there are special scenarios which need another configuration.

  • with bridge interfaces, we are on osi layer 2 or?

  • Yes, bridging is Layer 2