@Jake-Biker ah ok - yeah that makes sense.. Good luck, let us know how it turns out.. Yeah I get discovery to make life simple for stuff.. I mean you can not expect grandma to know the IP of some iot device she connects, that sort of thing.

But all companies should also account for segmented networks.. And the ability add devices not on the same segment - discovery doesn't always work in all environments

On my wish list is for companies to allow for turning off discovery as well - some of these applications are noisy as AF.. sending out broadcast or multicast every 10 seconds.. I don't need discovery, and if I did I don't need it running 24/7/365 when I have already discovered my device, etc.

edit:
Freaking plex sends out discovery every 10 seconds, not a thing I need or want. And there is no way to turn it off.. I finally blocked it at the switch port with an ACL ;)

And don't get me started with smart wifi light bulbs - noisy SOBs

HI!
I solved a problem using rules NAT, I delete my network from NAT and is work.

That would seem to suggest a problem with the monitoring daemon files themselves. You might try running a manual filesystem check on the disk to ensure the filesystem is OK.

Might also be worth doing a reinstall (wipe and reload) of 23.05 to ensure everything is in a good and consistent state. You can request the install image from TAC.

@Pascal-1
It doesn't matter if the router is running in bridge mode. If the WAN interface is set for automatic IP configuration (DHCP, PPPoE) the gateway is set automatically as well.

But you can add an additional in System > Routing > Gateways and then select it as default gateway.

Additional IPs have to be added in Firewall > virtual IPs. Use type "IP alias" or maybe "Proxy ARP". You will have to add each single IP there.
However, if the subnet is routed to your primary WAN IP, you don't need this if you only want to forward them behind pfSense. In this case you can just add port forwarding or NAT 1:1 rules using the public IPs as destination.

@riahc8
Any progress?

i am considering setting this up as well. The item for me is the 2100 device is switch and has no OPT ports. The only instructions I can find for making one of the ports a discrete port is to establish it as a VLAN. Which then seems to create a whole new set of issues for establishing is as a WAN failover.

I'm clearly missing something (likely something simple too), but have to agree that the documentation has too many paths (links that lead to information that may or may not apply) they often don't seem to tie together.

A nice step by step for a specific device (family) would be handy and save a lot of time.

@networknotwork
The route of packets from pfSense itself follows only the default gateway setting. It doesn't obey any policy routing rule you've added to an interface, even if you use its IP as source, since this rule is only applied to incoming packets on that interface.

So you would have to set the VPN gateway as default.
Since this is not available before the VPN is established, create a gateway failover group and add the VPN as tier 1 and WAN as tier 2. Then set this as default.

To avoid that the VPN is used by the other LAN as well, you'll have to policy route its incoming traffic to the WAN gateway then.

The question was asking if anyone else had problems switching out a device by cloning a mac address with Telus ISP.

Your answer as to why not just register doesn't address the question. However to indulge you...To be able to clone the mac and proceed without a phone call or device registration would be much more efficient use of time. Clone the mac...get internet. Simple and quick! Why should the customer have to register? The ISP has control of the modem. Their job is to deliver internet to it. What we do with it on the other side is our business.

When forced to phone the problem is the long hold times to end up with a level 1 tech who chews through more time having you do the basic troubleshooting (which is already done prior to calling) before they are allowed to escalate. The level 2 techs, which apparently is needed to get things working in this case, only work business hours. Not the best time for the customers to do a switch over.

What was scheduled for a friday evening switch over & a weekend for setting up rules & testing cannot be done because I can't clone a mac. That's the problem...telus is costing the customer downtime and my billable tech time because of their draconian inefficiencies.

@itob said in routing port 80 and 443 through an upstream proxy:

So my question was whether I can convert this into a kind of transparent proxy...

No, you didn't matter before that it should be transparent.
Configuring the clients won't be. But why is this a need at all?

but the "outdoor" proxy i can not configure.

There won't no settings be possible.

You can try it with redirecting the upstream traffic if you want to have a transparent proxy, but I'm not sure, if this would work.

@networknotwork I'm not very sophisticated in freebsd, can only say that using dante as socks5 proxy for telegram worked for me except only calls are not working, but this seems to be not dante, but Telegram issue.

@srgess Shouldn't be any different than a physical interface... except the switch.

Make sure you put the VLAN40 on your landing port TAGGED and on ports 9 and 10 TAGGED

Then assign your PPPoE to the VLAN.
My VLANs tab:
4c84f3c2-b641-40bb-9c10-402499709385-image.png

You'll see I have 201 tagged on 1, 9 and 10. My main internet is Lumen PPPoE. (I just never updated the label).

Thank you for the response.
I took your advise and upgraded to one router with multiple NICs.

@benzepoj
pfSense Version
2.5.2-RELEASE (amd64)
built on Fri Jul 02 15:33:00 EDT 2021
FreeBSD 12.2-STABLE

@gertjan I think I've discovered the answer for my problem...

I came across a note about comcast blocking traffic which pings and the answer was to turn off monitoring on the gateway. Voila. That worked.

I tested it by turning monitoring back on and it still worked. That seems a little flaky to me and I suspect it will come back to haunt me... but for now i'm clad it's framed up pretty well.

I did create the 4084 vlan and assigned it to a default Interface OPT1. Then in the Interface settings I renamed the OPT1 to WAN2.

I also created a gateway for WAN2 manually and had to set a NAT in outbound for WAN2.

Thank you for your help.

In anyone is still interested, here is how I got it to work with 3 pfsense setup.

I wanted to setup an environment where I have a datacenter and a remote lab.
All machines in the datacenter have the domain datacenter.home.arpa.
All machines in the lab have the domain lab1.home.arpa.
I wanted machines in the lab to be able to reach machines in the datacenter.

pfSense1:

Hostname: pfSense Domain: home.arpa WAN (dhcp) LAN: 192.168.0.1 Block private networks and loopback addresses: Unchecked Forward packets for datacenter subnet 192.168.2.0/24 to datacenter router - 192.168.0.2 Added gateway Name: datacentergw Interface: LAN Gateway: 192.168.0.2 Added static route Network: 192.168.2.0/24 gateway: datacentergw

pfSense2:

Hostname: pfSense Domain: datacenter.home.arpa WAN: 192.168.0.2 (static) LAN: 192.168.2.1 Block private networks and loopback addresses: Unchecked NAT Forward ICMP and TCP/UDP from source:192.168.0.0/16, destination: LAN net to LAN Address This automatically added necessary firewall rules as well

pfSense3:

Hostname: pfSense Domain: lab1.home.arpa WAN: 192.168.0.3 LAN: 192.168.3.1 Block private networks and loopback addresses: Unchecked DNS Add a domain override for datacenter.home.arpa and send its queries to datacenter DNS: 192.168.2.1 DHCP Set lab1.home.arpa;datacenter.home.arpa as DNS Search

@stewart Just wanted to report that this was the solution. Thanks @johnpoz!

@dataideas-josh Yeah I need to get back to testing this soon.

@operations no one with an idea?

pfSense from what I've seen won't work if the gateway is the same on both WAN interfaces.
Are you doing this in a VM environment or BareMetal?

thanks so much for the help @viragomann and @johnpoz , I seem to have a working route out now with FW rules using policy route!

@jaspery Based on my 2nd episode with crash, I suspect it was crash that caused my dpinger to fail (in this case).

@ashtonianagain Can't speak to Wireguard but we've used it for our office (behind our building router) for many years and have had port forwards set up at several clients that put the router in a DMZ.

There is a guide at https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html but if it connects initially it would seem the forwarding is correct. Unless maybe it's trying to use additional ports?

There are examples for Wireguard setup.

@latimeria

I think you will get the most out of this video on YouTube.

How to use Multiple WAN on pfsense for Fail over and or Load Balancing

@chrisjx

Maybe I'm over thinking it and it's just a different way to do what DDNS does but for a non-ip CGNAT service.

You need a so called jump host in the internet, free to reach from else where, that is connected to you home network.

Thats it, at a "Hoster" of your choice for some coin
per month and all is done.

@steveits Yes, it was surprisingly easy to set up the 1:1 NAT logic. For the Medusa, its used for someone who rents single office tenant spaces to their own clients so lots of small VLAN's with one or two clients requesting public IP's directly.

@cool_corona
IPsec Site-to-Site VPN Example with Pre-Shared Keys

If you want to allow access to a small segment of the LAN subnet you can state this in the phase 2 at "Local Network", type "Network".
Additionally you need a firewall rule on the IPSec tab to allow access. Here you can also state an alias with single IPs and ports as destination to lock permission down to the necessary destinations only.

Guys, i am still working on this trying to configure it. I think i am doing some kind of progress. Please bear with me as today i don't have that much time. I'll come back tomorrow.

Thank you for all your advises!

@computingdon You'll need to post details. The source address of the connection, the route back to it, the firewall rules passing that traffic when it enters pfSense, and the outbound NAT rules.

@lnguyen said in Can't Route Site To Site:

@dma_pf What are the allowed networks under "Peers" for both sites?

Thanks for pointing me in this direction...that was it! There was an error in one of the peer IP addresses:

00155179-c7b4-4b05-be81-a0a7f79d6e1c-image.png

The Site 2 network should have been 192.168.164.0.

I made the error of seeing that the Wireguard handshake was completed and made the assumption that by doing so it was confirming that: 1) the cryptographic keys matched and 2) that the peer trying to connect had come from the Allowed IP networks. As a result I never rechecked the peer Allowed IPs because I saw a successful handshake.

But now I've got to dig deeper into the Wireguard protocol as it appears that the handshake only requires the keys to match and the Allowed IPs are only used as a routing ACL to allow or reject traffic across the tunnel.

Thanks again for your help!

@jazzl0ver ahhh ok not available in the kernel. That makes sense.

@viragomann

Ok yeah, that makes sense, now that you mention it, I've seen that before. Just not something I typically pay attention to. Guess that leaves me pretty well stumped here.