    Netgate Discussion Forum
    • jimp

      Reminder: Questions involving routing packages go under Packages, not here
      • jimp

      1
      0
      Votes
      1
      Posts
      495
      Views

      No one has replied

    • F

      Assign specific website url to a gateway
      • floydque

      2
      0
      Votes
      2
      Posts
      16
      Views

      bingo600

      @floydque

      You could assign that URL to an Alias.
      And then policy route packages that have that alias as destination, out of the desired gateway.

      /Bingo

    • S

      Dual WAN at home? Anyone have stories on their experience?
      • ShepherdKai

      3
      0
      Votes
      3
      Posts
      57
      Views

      A

      @shepherdkai said in Dual WAN at home? Anyone have stories on their experience?:

      I have a Ubiquiti EdgeRouter Lite sitting in a box that I plan to break out for this use case.

      Just curious... If you're going to use that box as your main router/firewall, why are you asking these questions on a pfsense forum?

    • P

      unable to ping new vlan interface IP address
      • pricemc1

      2
      0
      Votes
      2
      Posts
      30
      Views

      P

      Solved my own problem. Forgot to put additional static routes on my home router for the additional networks.... Silly me...

    • intellq

      pfSense 2.5.1 not recognizing my default ipv4 route
      • intellq

      13
      0
      Votes
      13
      Posts
      191
      Views

      intellq

      @jimp thanks for all the help. And the description you wrote when creating the issue was pretty accurate.

      @Gertjan thankfully a solution was found. All I can ask for :)

    • B

      Problem with Gateway Monitoring not working
      • Braidwood

      1
      0
      Votes
      1
      Posts
      26
      Views

      No one has replied

    • R

      Multi-Wan ping replies go out the wrong interface
      • rsiemers2

      6
      0
      Votes
      6
      Posts
      794
      Views

      V

      @helviojr
      Ensure that there is no rule on an interface group or floating tab matching to that concerned traffic.

    • B

      Policy Based Routing Not Working After Upgrade to 21.02-RELEASE-p1 on SG-5100
      • BEVietnam

      1
      0
      Votes
      1
      Posts
      34
      Views

      No one has replied

    • R

      Dynamic DNS IP wrong
      • rtadams89

      1
      0
      Votes
      1
      Posts
      20
      Views

      No one has replied

    • A

      4G internet on 2nd WAN giving awful speeds and can't do local network between devices! Help!
      • AkiraSensei

      6
      0
      Votes
      6
      Posts
      41
      Views

      johnpoz

      @akirasensei said in 4G internet on 2nd WAN giving awful speeds and can't do local network between devices! Help!:

      but the NAS is on under the main WAN network)

      Well if you're routing traffic to your gateway - no you can not get to networks that are locally attached.. Same as on your other network..

    • L

      sending all traffic through remote wan interface
      • lak

      4
      0
      Votes
      4
      Posts
      49
      Views

      V

      @lak
      pfSense can do it, but I don't know any way with IPSec.

    • B

      Help with sudden traffic on 2nd Failover WAN
      • BlankSpace

      1
      0
      Votes
      1
      Posts
      31
      Views

      No one has replied

    • I

      Two providers, three links
      • Ilya.V

      2
      0
      Votes
      2
      Posts
      58
      Views

      Rico

      Are link 1 and 2 sharing the same ISP gateway IP ?
      Check https://docs.netgate.com/pfsense/en/latest/multiwan/considerations.html

      -Rico

    • H

      Is there a way to add many static routes
      • hsv

      3
      0
      Votes
      3
      Posts
      61
      Views

      johnpoz

      @hsv said in Is there a way to add many static routes:

      I need to add about 100 static routes.

      Just my curiosity cat meowing at me - why? Can you not just summarize the routes?

      For example route to 192.168.0/24 and 192.168.1/24 could be routed as just 192.168.0/23

      If you have a lot of routes - I would try and summarize as much as possible.. Shoot you could sometimes route 100 with 1 statement, ie 192.168/16 for example..

      Or run a routing protocol? So the routes are exchanged?

    • G

      Can't connect to internet hosts when VPNed into internal VPN Server behind PFSense Router
      openvpn routing routing • • grillp

      3
      0
      Votes
      3
      Posts
      51
      Views

      G

      OK, I worked it out!

      I had the following Firewall rule for LAN:

      Screen Shot 2021-04-06 at 8.17.46 pm.png

      But of course, the 10.8.0.0/23 and 10.9.0.0/23 (I changed them to /23 instead of /24) are not in the "LAN Net", so I had to add extra rules to allow that traffic out:

      baecb64d-b9fb-4d84-b216-035dbd903399-image.png
      That as well as the static routes fixed it!

    • C

      Cannot add VLAN interface
      • Cool_Corona

      12
      0
      Votes
      12
      Posts
      80
      Views

      johnpoz

      Dude I don't know what else to tell you.. It's BORKED!

      Fix your setup.. There is nothing for pfsense to do here.. what you are trying to do is wrong - no matter how you look at it, or want to think you should be able to do it..

      Even the most basic grasp of how networking works tells you how you have it setup is just plain borked..

      edit:

      When a client wants to talk to an IP.. Is that IP supposed to be on my network.. Does it fall inside the IP space of my address and mask. Oh it's on my network - ARP!! for it.. Ok device with mac address abc, answered for IP 123.. Send the traffic to that mac..

      In no scenario does the client say - oh no answer for arp, send it to my gateway... The only scenario where it "could" work is if the gateway (pfsense) was doing proxy arp and answer for any IP that doesn't answer arp.. Which there is no such thing - there is a way to do proxy arp for VIPs..

      So if you have some device on your /16, and it wants to talk to an IP that is on one of your vlans that falls under this /16 block.. How would it know where to send the traffic.. So either your L2 are not actually isolated. Or you have pfsense doing proxy arp for every single IP under the /16 that is not actually on the /16 L2..

      You can not expect your setup to ever function correctly.. Pfsense will clearly warn you - as it did that what you're trying to do is wrong, ie the overlapping networks warning. But how can it warn you from a cmd line setup? Pfsense can try and keep users from shooting themselves in the foot.. But it can not protect you from every scenario of shooting yourself.

      Setup your networks on pfsense be them native or vlans so they do not overlap..

    • L

      OpenBGP parameter "network" in FRR BGP config
      • ly0n4a

      3
      0
      Votes
      3
      Posts
      48
      Views

      L

      @viktor_g Thank you very much!

    • mohkhalifa

      WAN Speed
      • mohkhalifa

      16
      0
      Votes
      16
      Posts
      173
      Views

      G

      normal it will not give you problems restoring it, interface settings looks ok

    • C

      WAN problems reconnecting
      • Charlie48

      1
      0
      Votes
      1
      Posts
      44
      Views

      No one has replied

    • D

      Some connections survive killing all states on Tier 1 gateway recovery
      • dbykov

      2
      0
      Votes
      2
      Posts
      58
      Views

      D

      OK, I implemented a workaround for this problem.

      I wrote this little script:

      <?php
      require_once("interfaces.inc");

      // File that remembers the default gateway interface seen on the previous run
      $cached_def_gw_if_file = '/tmp/cached_def_gw_if';

      // Resolve the current IPv4 default gateway to its real interface name
      $current_gw_ip = route_get_default('inet');
      $current_gw_if = get_gateway_interface($current_gw_ip);

      $old_gw_if = file_get_contents($cached_def_gw_if_file);
      if ($old_gw_if === false) {
          // No cached value could be read: record the current interface and stop
          file_put_contents($cached_def_gw_if_file, $current_gw_if);
          exit;
      }

      // Just in case the file was edited manually for test purposes and contains some whitespace
      $old_gw_if = trim($old_gw_if);

      if ($current_gw_if != $old_gw_if) {
          log_error("Default gateway interface changed from $old_gw_if to $current_gw_if, killing old states...");
          // Flush the entire state table, not only the states on one interface
          mwexec("/sbin/pfctl -F states");
          file_put_contents($cached_def_gw_if_file, $current_gw_if);
      }

      // Return the real interface whose gateway IP matches $gateway_ip
      function get_gateway_interface($gateway_ip) {
          $interfaces = get_interfaces_with_gateway();
          foreach ($interfaces as $interface) {
              $interface_gw = get_interface_gateway($interface);
              if ($gateway_ip == $interface_gw) {
                  $real_interface = get_real_interface($interface);
                  return $real_interface;
              }
          }
      }
      ?>

      and created a cron task which executes this script every minute.

      I am not sure how reliable this "solution" will be, but a dozen gateway switchovers have shown that everything works as expected, the Wireguard connection is routed over Tier 1 gateway after it recovers.

      During my little research, I also found this post, but unfortunately samtoopid's script didn't work for me - it only kills states on WAN interface, and in my case it's not enough, only flushing all states makes Wireguard connection switch to new Tier 1 gateway.

    • S

      [NAT] reply-to on WAN rules not working after Update to 21.02_1
      nat reply-to error • • snits35m

      4
      1
      Votes
      4
      Posts
      85
      Views

      G

      @jimp Thanks for posting this. This is exactly my problem with my pfSense Plus. I have two WANs with my default one being GCNAT. My secondary WAN has a static IP which is used for inbound connections which need entry to my network.

      I didn't have any problems with 2.4.5p1. I can only make it work now if I change my default gateway to my static IP WAN. This connection is very slow compared to my other WAN. Hopefully they come up with a workaround soon.

    • L

      Force traffic through a gateway with specific mac address
      • lzdfhuni

      9
      0
      Votes
      9
      Posts
      164
      Views

      L

      @johnpoz said in Force traffic through a gateway with specific mac address:

      If so then really all you need to do is fudge the last 3 numbers... Ie the device ID, the block ID or OUI the 1st 3 numbers could be left alone, this only identifies the vendor that made the device. Not the actual device.

      I am very pleased with this model USB-to-LAN. I have previously tried up to 9-10 USB2LAN adapters, pfSense (and probably FreeBSD) had no drivers for some or others had large load losses. But only this model surprisingly endured tests with high loads on the net without loss.

    • D

      dpinger shows 100% loss after gateway recovers
      • dbykov

      3
      0
      Votes
      3
      Posts
      82
      Views

      D

      @steveits said in dpinger shows 100% loss after gateway recovers:

      If you view the gateways page does it recover?

      No, the Status -> Gateways page shows 100% loss.

      As I said, if I run dpinger in shell manually, it shows the same behavior - the output shows 100% loss even after 10 minutes passed since physical link recovery, but if I restart dpinger, it shows 0% loss as it should.

    • L

      Identical!! access and filtering towards a local server, for internet located clients as for local clients
      • louis2

      5
      0
      Votes
      5
      Posts
      77
      Views

      Gertjan

      @louis2 said in Identical!! access and filtering towards a local server, for internet located clients as for local clients:

      is handled "exactly" like a call coming from the internet.

      The most simple solution is probably: Not inviting the Internet in your own local infrastructure.
      Use a VPS (or cloud thing, whatever they call it these days), somewhere in a data center. The cost will be close to nothing these days.
      Internet clients -and your access, will be guaranteed treated equally. You'll have nothing to do to enforce this.

      Another solution: use a second ISP, so your local servers have their own WAN IP, and you access them just like the other clients.

      Both propositions don't need any fancy setup.

    • strato

      RIP in version 2.5
      • strato

      1
      0
      Votes
      1
      Posts
      70
      Views

      No one has replied

    • C

      dpinger and WAN access problems since 2.5.0
      • charvey

      2
      0
      Votes
      2
      Posts
      112
      Views

      C

      Solved this -- kinda. I disabled CoDeL and everything went back to normal. Maybe I'll try setting it up again once 2.5.1 comes out.

    • T

      Failover WAN not working properly
      • teefos

      13
      0
      Votes
      13
      Posts
      80
      Views

      T

      @viragomann Well that's great. Thank you so much

    • pzanga

      trouble configuring WAN interface/gateway with public static IP
      • pzanga

      2
      0
      Votes
      2
      Posts
      86
      Views

      pzanga

      Well, I figured out the issue, so thought I should post what I found, even though I feel a bit stupid now. Seems the main problem was a lack of knowledge on my part and that of Comcast Tier 1 support. Basically I had my gateway IP and static IP reversed.

      Turns out that since we were originally using the Comcast CM as a modem/gateway without a firewall behind it, and then later set up the firewall in the CM's DMZ, the gateway IP was functioning as our public static IP. It didn't help that the person who set up the network had documented the gateway IP as our static and vice versa. And Tier 1 support apparently had no clue. It took Tier 2 support to point out my mistake and of course it seems fairly obvious to me now. I suppose my one remaining question is whether this is typical behavior of static IP implementations or specific to Comcast and/or other ISPs? Either way, lesson learned.

      I should note one thing. I am 99% sure I did try reversing the gateway/public IPs when I first failed in configuring the static WAN interface, and that it did not work. What I did differently this time, however, was power cycle both the CM and FW, as opposed to just rebooting each; a simple step, mentioned by others in various posts, that might have helped me solve this sooner. Another lesson learned. 🙂

    • S

      route incoming traffic (WAN1) on specific port to be forwarded through WAN2 to another site. Possible?
      • seanr22a

      5
      0
      Votes
      5
      Posts
      73
      Views

      S

      @viragomann

      I give it a try tomorrow, thanks !

    • I

      Route some subnets through a VM with wireguard connected to VPN provider
      • incognito

      2
      0
      Votes
      2
      Posts
      118
      Views

      F

      @incognito Were u able to make this work? Since WG has been disabled in 2.5

    • N

      SG-5100 Multi-Wan Setup
      • nickf1227

      1
      0
      Votes
      1
      Posts
      65
      Views

      No one has replied

    • L

      Multi-WAN with Backup down
      failover multi wan • • luckyh_de

      2
      0
      Votes
      2
      Posts
      88
      Views

      DaddyGo

      @luckyh_de said in Multi-WAN with Backup down:

      So I have to prevent any packet to the LTE-router as long as primary is okay

      Hi,

      The failover mechanism does not allow this, you definitely need something which tells the firewall that the connections are alive
      (minimum GW pinger ICMP traffic)

    • D

      Multiple PFSense devices, Multiple ISP's , LAN redundancy
      • dlewis_nepean

      1
      0
      Votes
      1
      Posts
      70
      Views

      No one has replied

    • A

      PfSense Gateways not connected
      • arnabnandy1706

      1
      0
      Votes
      1
      Posts
      73
      Views

      No one has replied

    • D

      How to set up routing between LAN and OPT subnets
      • DominikHoffmann

      2
      0
      Votes
      2
      Posts
      103
      Views

      D

      It turns out that I have to set up a bridge in Interfaces→Bridges. For mDNS bridging I also set up Avahi between the different subnets.

    • P

      Why do I see outgoing traffic as incoming traffic on the other WAN?
      • planetinse

      5
      0
      Votes
      5
      Posts
      93
      Views

      P

      @cool_corona Yes I know it looks so - but that's not the case.

    • G

      Converting OpenBGP to FRR
      frr openbgpd • • gothmog

      1
      0
      Votes
      1
      Posts
      66
      Views

      No one has replied

    • O

      ipsec interface filters with default deny rule
      • Ofloo

      4
      0
      Votes
      4
      Posts
      111
      Views

      O

      @ofloo This is not limited to IPsec, this happens in wireguard also. Not sure why but sometimes reloading some settings makes it not filter, maybe I'm just imagining it but it comes and goes and it's not limited to just IPsec.

      I have do not filter traffic on same interfaces, I have just allow all traffic on the interface so no any firewall rule is there just allow any from any to any and yet !!! It filters.

      Lately it happens to happen more on WIREGUARD Interface than it does on IPSec.

    • M

      RDP SESSION DROPPING WITH OPTIMAL PINGS
      dropping filtering ospfrouting rdpsession systemlogs • • Muhammad Abdul Hadi

      2
      0
      Votes
      2
      Posts
      79
      Views

      M

      Also there is nothing in filtering rules to deny anything all the interfaces are allowed to pass through the traffic. Neither its showing anything on the system logs as well

    • B

      after 2.5.0 upgrade - no cross vlan rtsp stream
      • buzz2912

      3
      0
      Votes
      3
      Posts
      149
      Views

      B

      I put my camera on the same subnet, but I am not very happy with that.
      My MQTT devices did work cross VLAN, but I had a lot of errors telling me the packet was too short, shorter than expected. I moved these too to the same subnet and the errors are gone.

      There seems to be a layer 3 routing issue in pfsense.

      Can anyone who understands what is happening comment on this?

      Thanks, Sebastian


    © 2021 Rubicon Communications, LLC | Privacy Policy