@stephenw10 So I just deleted my WAN shaper (but retained the LAN shaper) and re-enabled if_pppoe - after a reboot I ran a number of speed tests and there were no WAN out errors so it seems to be an issue with having a WAN shaper in conjunction with if_pppoe enabled. I would prefer to have a WAN shaper enabled as it can help when I WFH and max out the 75Mb/s upload capacity during a grid compile. I will leave the config as is for the moment and see how I get on without the WAN shaper.

@4o4rh i am struggling to get policy based routing working on truenas scale.
either i get the situation where non-media vlans can access the jellyfin server on the media vlan (but then the truenas/smb vlan is not accessible, or the truenas/smb vlan is accessible by not the jellyfin vlan (other than from a device on the vlan).

It both cases the non-accessible vlan is appearing on the wrong pfsense interface.

so, it seems truenas is returning via the default route rather than the desired return route

@mr_nets Alias

Ignore this

For anyone maybe suffering with similar issues, I went through the guide again and realised I'd forgotten to update the Port VID under Interfaces > Switch > Ports as well as updating the VLAN Tag under Interfaces > Switch > VLANs

Once that was done it got an IP and I could use it as a WAN port.

I add a consideration.

Currently the workaround of changing the global Firewall State Policy has worked, but can it have negative impacts on other things?

It would be nice to have an overall solution to the problem on OpenVPN, maybe with an option like it was done for IPSec. 😊

Bye,
Edo

@Troutpocket Might be worth checking if there are any rules or NAT settings on WAN2 that block access when it’s not the active gateway. Also, could be a policy routing issue — maybe the replies aren’t going out the same way they came in?

Enabling logging or packet captures on the firewall might give some clues.

eabc93a8-57d3-42a7-a238-9dc201c9bca6-image.png

VPN Only is essentially just the rule up above.

NAT wise I've added this rule:
68d71407-e473-4694-b9ec-6679e6575c41-image.png

@Al2108 You need to solve the same gateway issue first.
Some device in nat mode in between maybe?

@andydills said in Two default routes are getting installed:

This is on 2.7.0, ....

@andydills said in Two default routes are getting installed:

We're thinking

Stop thinking, the solution has arrived.
'Years ago'.
Upgrade first. Go to 2.7.2 - and even consider continuing upgrading to "Beta 2.8.0" as is very close to release.

Then : reset your questions.
Bye bye old issues.
( Welcome to the new issues - not that I, afaik, 'm aware of any =

Okay, this is resolved. As suspected, it was related to the configuration of the VLAN for the OPT1 port.

For anyone up against the same issue, the solution is:

follow the instructions for configuring switch ports with VLANs https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html set your VLAN to have members "4" (assuming you are using the 4th LAN port as your OPT1 for WAN2), and "5" this is the critical part: for the VLAN members 4 and 5, you must make "4" untagged and "5" tagged -- see screenshot.

I believe this is because traffic from the VLAN must go to the switch (member 5), but traffic on port 4 (member 4) cannot be tagged since your secondary internet provider is not set up to handle VLAN traffic. I could be wrong here, and welcome any better explanation for this solution.

vlan - screenshot.png