Routing and Multi WAN

• M

  Troubleshooting pppoe WAN connection which seems to stall from time to time
  • mattjoy

  1
  0
  Votes
  1
  Posts
  1
  Views

  No one has replied

• C

  Routed Public IP Block
  • cyberprog

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• F

  Public IP Addresses Configuration LAN - WAN
  • Fuquan

  3
  0
  Votes
  3
  Posts
  55
  Views

  F

  Dear viragomann, Thanks for the directives I shall certainly take a look into doing so when time permits. Do have a pleasant weekending! Peace Fuquan
• M

  [SOLVED] VPN routing
  • maverick_slo

  13
  0
  Votes
  13
  Posts
  118
  Views

  M

  Closure: I had it configured correctly. So correct FW rules and outbound nat (SNAT) disabled. Problem was on cisco router where network guys forgot to allow my traffic (even when they say they did, well doublecheck) :)
• C

  Routing from LAN to WAN Upstream Gateway not working
  • Cottroad

  8
  0
  Votes
  8
  Posts
  82
  Views

  C

  @awebster said in Routing from LAN to WAN Upstream Gateway not working: A1 Now my brain has melted. However, on johnPOZ's suggestion I've now got VyOS running, relaying DHCP correctly and allowing bi-directional comms between my two test subnets, and from both subnets to the downstream gateway and on to the web. I thank you for your help. Even if the result was to point me at another product to try :-)
• B

  Two PPPoE connection with the same gateway
  • borussia

  2
  0
  Votes
  2
  Posts
  76
  Views

  

  You will have to disable gateway monitoring for the second WAN, so it can't detect if it's down, but otherwise it may function OK.
• O

  2 GBit provider connection on 10 GBit GBic on Cisco with a Netgate Firewall with 2x 1 GBit network cards
  • Overlord

  2
  0
  Votes
  2
  Posts
  92
  Views

  

  Not effectively. LACP only load balances based on the source and destination MACs, which will always be the upstream gateway going to the LAGG interface on the firewall. So you can have failover, but not bonded bandwidth. You'll need a 10G interface on the firewall (or, I suppose a 2.5G interface and compatible switch...)
• A

  How to Forward SSH through multiple WANs?
  • aileron

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• G

  PPPoE Link Not Passing Through
  • gilesitis

  1
  0
  Votes
  1
  Posts
  35
  Views

  No one has replied

• S

  Virtual ip Multi wan load balancing
  • sarvesh92

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• R

  miniupnpd Failed to get IP for interface em0
  miniupnpd • • rcmpayne

  2
  0
  Votes
  2
  Posts
  54
  Views

  R

  I think this has something to do with connecting pfsense wan to my ISPmodem(home hub 3000) and using the Advance DMZ? raceroute shows the second hop is my ISP router 192.168.0.11 however, pfsense is still getting a external IP 142.134.91.xx maybe i am going down the wrong path here? pfsense IP from advance DMZ:142.134.91.xx gateway: 142.134.88.1 Monitor IP: 142.134.88.1 Bell router IP: 192.168.11 pfsense router IP: 192.168.0.2 Not sure what 192.168.2.1 is below in the dhcp catt from pfsense traceroute to google.ca (172.217.10.131), 30 hops max, 60 byte packets 1 pfsense.WORKGROUP (192.168.0.2) 0.696 ms 0.661 ms 0.640 ms 2 bell router 192.168.0.11 (192.168.0.11) 1.858 ms 1.850 ms 1.854 ms 3 loop0.6cw.ba17.hlfx.ns.aliant.net (142.176.50.10) 1.928 ms 1.864 ms 1.804 ms 4 ae15-182.cr02.hlfx.ns.aliant.net (142.166.181.141) 1.868 ms 1.794 ms 1.803 ms [2.4.3-RELEASE][root@router.WORKGROUP]/root: cat /var/db/dh dhclient.leases.em0 dhclient.leases.em0.35 dhclient.leases.em0.34 dhclient.leases.em0_vlan35 [2.4.3-RELEASE][root@router.WORKGROUP]/root: cat /var/db/dhclient.leases.em0 lease { interface "em0"; fixed-address 192.168.0.57; option subnet-mask 255.255.255.0; option routers 192.168.0.11; option domain-name-servers 192.168.0.11,142.166.166.166; option domain-name "home"; option broadcast-address 192.168.0.255; option dhcp-lease-time 259200; option dhcp-message-type 5; option dhcp-server-identifier 192.168.0.11; renew 0 2018/7/15 01:58:08; rebind 1 2018/7/16 04:58:08; expire 1 2018/7/16 13:58:08; } lease { interface "em0"; fixed-address 192.168.0.55; option subnet-mask 255.255.255.0; option routers 192.168.0.11; option domain-name-servers 192.168.0.11,142.166.166.166; option domain-name "home"; option broadcast-address 192.168.0.255; option dhcp-lease-time 259200; option dhcp-message-type 5; option dhcp-server-identifier 192.168.0.11; renew 0 2018/7/15 01:43:10; rebind 1 2018/7/16 04:43:10; expire 1 2018/7/16 13:43:10; } lease { interface "em0"; fixed-address 142.134.91.xx; option subnet-mask 255.255.252.0; option routers 142.134.88.1; option domain-name-servers 47.55.55.55,142.166.166.166; option dhcp-lease-time 600; option dhcp-message-type 5; option dhcp-server-identifier 192.168.2.1; renew 1 2018/7/16 20:32:41; rebind 1 2018/7/16 20:36:26; expire 1 2018/7/16 20:37:41; } lease { interface "em0"; fixed-address 142.134.91.xx; option subnet-mask 255.255.252.0; option routers 142.134.88.1; option domain-name-servers 47.55.55.55,142.166.166.166; option dhcp-lease-time 600; option dhcp-message-type 5; option dhcp-server-identifier 192.168.2.1; renew 1 2018/7/16 20:42:44; rebind 1 2018/7/16 20:46:29; expire 1 2018/7/16 20:47:44; } lease { interface "em0"; fixed-address 142.134.91.xx; option subnet-mask 255.255.252.0; option routers 142.134.88.1; option domain-name-servers 47.55.55.55,142.166.166.166; option dhcp-lease-time 600; option dhcp-message-type 5; option dhcp-server-identifier 192.168.2.1; renew 1 2018/7/16 20:52:47; rebind 1 2018/7/16 20:56:32; expire 1 2018/7/16 20:57:47; } lease { interface "em0"; fixed-address 142.134.91.xx; option subnet-mask 255.255.252.0; option routers 142.134.88.1; option domain-name-servers 47.55.55.55,142.166.166.166; option dhcp-lease-time 600; option dhcp-message-type 5; option dhcp-server-identifier 192.168.2.1; renew 1 2018/7/16 21:02:50; rebind 1 2018/7/16 21:06:35; expire 1 2018/7/16 21:07:50; } lease { interface "em0"; fixed-address 142.134.91.69; option subnet-mask 255.255.252.0; option routers 142.134.88.1; option domain-name-servers 47.55.55.55,142.166.166.166; option dhcp-lease-time 600; option dhcp-message-type 5; option dhcp-server-identifier 192.168.2.1; renew 1 2018/7/16 21:12:53; rebind 1 2018/7/16 21:16:38; expire 1 2018/7/16 21:17:53; }
• M

  Problems with LDAP Authentication and cisco routing.
  • Malad

  9
  0
  Votes
  9
  Posts
  86
  Views

  M

  Thank you very much for your help, I already solved by removing the NAT. regards
• S

  2 VDSL2 uneual speed WAN and 2 LAN
  • Syrio Forel

  1
  0
  Votes
  1
  Posts
  52
  Views

  No one has replied

• 

  Gateway monitoring ping times off on secondary pfSense
  • mclaborn

  2
  0
  Votes
  2
  Posts
  75
  Views

  

  I recently upgrade to 2.4.3-RELEASE-p1 and this is working properly now. Not sure if the upgrade fixed it or maybe it just needed a reboot.
• N

  Automatic Wan Gateway configuration through php shell
  • nicopolak

  1
  0
  Votes
  1
  Posts
  40
  Views

  No one has replied

• N

  LAN1 to WAN1 and LAN2 to WAN2
  • ntiesto

  5
  0
  Votes
  5
  Posts
  96
  Views

  N

  Timoteo test this setting and I will say to youcolored text
• U

  Route Lost by CARP Change
  • UnknownNR1

  9
  0
  Votes
  9
  Posts
  211
  Views

  A

  Cool, that's enough to tell me it won't affect me. Thanks man.
• A

  Routing 2 Router LANs under a Third Router
  • azmodeuz

  12
  0
  Votes
  12
  Posts
  184
  Views

  

  @azmodeuz said in Routing 2 Router LANs under a Third Router: Firewall Rules > LAN: PASS - Source: LAN NET - Destination: 192.168.8.0/24 - Gateway: 192.168.88.7 No. You need to pass sources 192.168.2.0/24 and 192.168.3.0/24 into LAN. Do NOT set a gateway on those rules. Imagine yourself sitting in one of the routers. You say "I have a packet for 192.168.X.X. What next hop do I need to send it to? Consult my routing table. I have a route for 192.168.X.X - I send that traffic to next-hop Y.Y.Y.Y (the route's gateway)." If you are unfamiliar with all of this why are you making it so complicated? Please get it working with one then move to the second. Far less to look at and communicate.
• B

  two static routes for one subnet
  balancing static routes • • black2

  11
  0
  Votes
  11
  Posts
  135
  Views

  

  What is the point of this? Your wanting to load share to 2 different vpn connections off the same physical interface? And the same TUN interface as well? Have no clue to what is the use case here... What is the point of the complexity - what does it get you? Your worried that r44 or r45 go down? What is the point of the loadsharing across the connection.. NHRP - with just the 2 connections.. With GRE and IPsec involved as well?? Is this some sort of class work - seems like nonsense waste of time, I see no real world application here. And down the rabbit hole we go...
• 

  Gateway groups: will pfSense take both gateways out of service?
  • mclaborn

  4
  0
  Votes
  4
  Posts
  156
  Views

  

  I have (hopefully) solved my immediate problem by marking the Tier 2 gateway in the group that we use most as "Disable Gateway Monitoring Action" so that if the Tier 1 gateway is down pfSense will never take the Tier 2 gateway down. This should be fine for our most used gateway group but it is inappropriate for other groups that we occasionally use. If/when we switch to using another gateway group I'll have to remember and change that setting on that gateway. It seems to me that the various monitoring and threshold settings should be defined in the gateway group and would override those on the gateway, when the gateway is used as part of a group. That would allow me to configure each group as it makes sense and then switch between them with ease.
• S

  pfsense - and just pfsense - loses internet connection on failover
  • stetho

  1
  0
  Votes
  1
  Posts
  51
  Views

  No one has replied

• O

  Multi-WAN gateway failover not switching back to tier 1 gw after back online
  • obstler

  80
  0
  Votes
  80
  Posts
  17645
  Views

  S

  @markn455 Did you ever find a working configuration for failing back to a primary connection once it comes back up?
• M

  Make a static route with specified tcp port
  • mlcaffaro

  6
  0
  Votes
  6
  Posts
  56
  Views

  

  sound like you have asymmetrical mess if your gateway is going to be out your lan interface. Why don't you draw up your network and point out exactly what your trying to do.. ption use non-local gateway through interface specific route How is it you would be hitting a "gateway" that is not on the same network?
• L

  Routing between WAN and LAN?
  • Lennydk87

  2
  0
  Votes
  2
  Posts
  91
  Views

  V

  On pfSense02 you have to remove the check at "Block private networks" in the WAN interface settings, since the WAN net you want to provide access is a private address range. Additionally you have to add a route to the 172.10.10.x network devices for the 192.168.10.x network pointing to 172.10.10.254. You may do this on your DHCP. Further you have to add a firewall rule on pfSense02 to the WAN interface to allow the wanted access. Assuming you still have the default allow-any rule on the LAN interface in place.
• W

  Static route via VPN interface binds to lo0 when created from web page, but binds to tun1 when created from command line.
  • winmasta

  9
  0
  Votes
  9
  Posts
  443
  Views

  W

  @kpa Here is parts of my configs: Client Server ccd Server server.conf Server log before client connected Server log after client connected Client log Jul 3 07:45:33 openvpn 60153 Initialization Sequence Completed Jul 3 07:45:33 openvpn 60153 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1570 10.10.0.2 255.255.255.0 init Jul 3 07:45:33 openvpn 60153 /sbin/route add -net 10.10.0.0 10.10.0.1 255.255.255.0 Jul 3 07:45:33 openvpn 60153 /sbin/ifconfig ovpnc2 10.10.0.2 10.10.0.1 mtu 1500 netmask 255.255.255.0 up Jul 3 07:45:33 openvpn 60153 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Jul 3 07:45:33 openvpn 60153 TUN/TAP device /dev/tun2 opened Jul 3 07:45:33 openvpn 60153 TUN/TAP device ovpnc2 exists previously, keep at program end Jul 3 07:45:33 openvpn 60153 ROUTE_GATEWAY CLIENT_EX_IP/255.255.255.192 IFACE=em0 HWADDR=00:0c:29:6c:7e:79 Jul 3 07:45:33 openvpn 60153 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 3 07:45:33 openvpn 60153 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key Jul 3 07:45:33 openvpn 60153 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 3 07:45:33 openvpn 60153 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key Jul 3 07:45:33 openvpn 60153 OPTIONS IMPORT: route-related options modified Jul 3 07:45:33 openvpn 60153 OPTIONS IMPORT: --ifconfig/up options modified Jul 3 07:45:33 openvpn 60153 OPTIONS IMPORT: timers and/or timeouts modified Jul 3 07:45:33 openvpn 60153 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.0.2 255.255.255.0' Jul 3 07:45:33 openvpn 60153 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Jul 3 07:45:32 openvpn 60153 [server] Peer Connection Initiated with [AF_INET]VPN_SERVER_EXT_IP:PORT Jul 3 07:45:32 openvpn 60153 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Jul 3 07:45:32 openvpn 60153 VERIFY OK: depth=0, C=RU, ST=TO, L=Tomsk, O=Kireva, OU=IT_dept, CN=server, name=oneandoneserver, emailAddress=winmasta@kireva.com Jul 3 07:45:32 openvpn 60153 VERIFY EKU OK Jul 3 07:45:32 openvpn 60153 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Jul 3 07:45:32 openvpn 60153 Validating certificate extended key usage Jul 3 07:45:32 openvpn 60153 VERIFY KU OK Jul 3 07:45:32 openvpn 60153 VERIFY OK: depth=1, C=RU, ST=TO, L=Tomsk, O=Kireva, OU=IT_dept, CN=Kireva CA, name=oneandoneserver, emailAddress=winmasta@kireva.com Jul 3 07:45:31 openvpn 60153 TLS: Initial packet from [AF_INET]VPN_SERVER_EXT_IP:PORT, sid=446f96a7 9c4b7ab0 Jul 3 07:45:31 openvpn 60153 UDPv4 link remote: [AF_INET]VPN_SERVER_EXT_IP:PORT Jul 3 07:45:31 openvpn 60153 UDPv4 link local (bound): [AF_INET]CLIENT_EXT_IP:0 Jul 3 07:45:31 openvpn 60153 Socket Buffers: R=[42080->42080] S=[57344->57344] Jul 3 07:45:31 openvpn 60153 TCP/UDP: Preserving recently used remote address: [AF_INET]VPN_SERVER_EXT_IP:PORT Jul 3 07:45:31 openvpn 60153 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 3 07:45:31 openvpn 60153 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication Jul 3 07:45:31 openvpn 60153 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jul 3 07:45:31 openvpn 60153 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock Jul 3 07:45:31 openvpn 60082 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10 Jul 3 07:45:31 openvpn 60082 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017 Jul 3 07:45:31 openvpn 60825 SIGTERM[hard,] received, process exiting Jul 3 07:45:31 openvpn 60825 /usr/local/sbin/ovpn-linkdown ovpnc2 1500 1570 10.10.0.2 255.255.255.0 init Jul 3 07:45:31 openvpn 60825 Closing TUN/TAP interface Jul 3 07:45:31 openvpn 60825 event_wait : Interrupted system call (code=4) Jul 3 07:45:29 openvpn 60825 MANAGEMENT: Client disconnected Jul 3 07:45:29 openvpn 60825 MANAGEMENT: CMD 'status 2' Jul 3 07:45:29 openvpn 60825 MANAGEMENT: CMD 'state 1' Jul 3 07:45:29 openvpn 7621 MANAGEMENT: Client disconnected Jul 3 07:45:29 openvpn 60825 MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock Jul 3 07:45:29 openvpn 7621 MANAGEMENT: CMD 'status 2' Jul 3 07:45:29 openvpn 7621 MANAGEMENT: CMD 'state 1' Jul 3 07:45:29 openvpn 7621 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock 111
• J

  Multi wan and slow upload
  • Jusromaine

  2
  0
  Votes
  2
  Posts
  109
  Views

  K

  Are the lines bonded?
• M

  A bit confused about HAProxy single frontend to multiple domains
  • Mastiff

  9
  0
  Votes
  9
  Posts
  122
  Views

  M

  Finally! For some reason it didn't work to set a rule allowing traffic to the destination IP for the proxy. Opening for port 80 to any destination fixed it!
• K

  Routing table with policy-based routing
  • kevindd992002

  5
  0
  Votes
  5
  Posts
  96
  Views

  K

  @kpa said in Routing table with policy-based routing: It's more like that the routing process uses information tagged on to the packets traversing the system to detect if a set of packets need special handling and bypasses the normal routing table when it sees those special tags. The firewall rules that match the incoming traffic apply these special tags to the incoming packets. Gotcha, that makes more sense. Thanks for the explanation!
• O

  Can a Netgate instance on Azure inject BGP routes to internal Virtualnetwork?
  • opticalc

  1
  0
  Votes
  1
  Posts
  63
  Views

  No one has replied

• 

  Routing to redirect external to internal
  • Sitobeli

  2
  0
  Votes
  2
  Posts
  84
  Views

  D

  If I understand you correctly, you want users hitting the external link to be directed to the internal. This is usually handled by a DNS service. In pfSense if you are using the DNS Resolver, a host override should suffice. Services -> DNS Resolver -> General Settings -> Host Overrides -> Add Host: testcompany Domain: sytes.net IP Address: 192.168.88.88 Description: my site override Save Apply Test Of course this will redirect not only that page, site, http, but any request to that host incl https and any other protocol trying to hit that host name.
• J

  2 subnets on 1 lan interface
  • jwr17

  15
  0
  Votes
  15
  Posts
  403
  Views

  J

  With above info from you I contacted again the ISP and it's finally clear... Had indeed to install LACP ( LAGG ) on OPT3 and OPT4 and all is working now in my test environment. They do the VRRP on their side and just bring 2 cables to our rack (aggegration and redundancy in case of cable problem). So problem solved thanks to your help! Highly appreciated @Derelict ! Thanks! Jan
• E

  Domain/hostname based routing?
  • Ender117

  5
  0
  Votes
  5
  Posts
  127
  Views

  E

  @kpa said in Domain/hostname based routing?: All correct but the document makes no mention of policy based routing on the outgoing direction which is not possible in pfSense, normal rules or floating rules. PBR on the inbound direction works just fine with floating rules just like it does with normal rules. Oh I just assume that PBR is just a firewall action like pass/drop so if you can apply firewall you can PBR. Looks like things are a bit more complex. Anyway if Proxy2 is setup on a dedicate VM instead of pfsense then it should work? It might be a bit too complicated though.
• M

  OPT interface exit route nightmare
  • mike315

  13
  0
  Votes
  13
  Posts
  186
  Views

  M

  Ok, it's working now that I've disabled the NAT rule, not sure what was wrong before...
• G

  OpenVPN routing issue?
  • Gr1pen

  12
  0
  Votes
  12
  Posts
  388
  Views

  

  @gr1pen said in OpenVPN routing issue?: After comparing these two setups I found that pfSense seems to create a "client to server" config and not a "site to site" config when selecting "Peer to peer (SSL/TLS)" in the GUI. I have tried to recreate it and confirmed this... Not a bug. As @kpa mentioned it creates a site-to-multi-site configuration by default in SSL/TLS mode. If you want a basic site-to-site config with SSL/TLS you can do that, but you must manually define a tunnel network that has a /30 subnet mask so that it only includes two endpoints (pfSense and VyOS in this case).
• A

  Increase the internet speed by merging links
  • anis.sidhoumi

  3
  0
  Votes
  3
  Posts
  165
  Views

  A

  Thanks a lot i will try it and give you a feedback as soon as i can.
• O

  OpenBGP routes not getting installed
  • opticalc

  2
  0
  Votes
  2
  Posts
  109
  Views

  O

  not sure if im supposed to manually create an SA for the bearer traffic (between 192.168.0.0/22 and 192.168.255.0/24) to go along with the SA I created between the BGP peer IPs? I noticed I was not getting any encrypted traffic out my wan interface when trying to ping from 192.168.0.0/22 to 192.168.255.0/24, so I did add an additional SA between 192.168.0.0/22 and 192.168.255.0/24 in pfsense, and now I do see encrypted traffic when I ping, but still no routes in netstat -nr, so this leaves me a bit concerned as to whether/not Ill have good BGP routing resilience in the first place...
• 

  2 NICs, 2 inbound WANs?
  • SparkyRih

  1
  0
  Votes
  1
  Posts
  109
  Views

  No one has replied

• H

  Routing OpenVPN clients over IPSEC to secondary site, and reaching LAN at the same time
  • H4537H

  7
  0
  Votes
  7
  Posts
  400
  Views

  H

  @tsho_admin Yes, you need to add 10.2.1.0/24 to the phase 2 on site A as well, so that the IPSEC tunnel is aware of the addresses for the OpenVPN network.
• D

  Routing between 2 pfsense and internet
  • Della83

  4
  1
  Votes
  4
  Posts
  130
  Views

  

  no problem glad you got it sorted.. See how short threads can be when decent amount of info and drawing to show how all connected given ;) Wish more posts were like yours for detailed information when asking for help.
• G

  Connecting to a third network across an ipsec VPN.
  • gbartley

  1
  0
  Votes
  1
  Posts
  85
  Views

  No one has replied