@dimskraft said in Dpinger sendto error: 65 on one of identically configured WANs:
sendto error: 65
Maybe this is relevant?
https://forum.netgate.com/topic/98656/gateway-send-to-error-65
Well, the only rule that has seen any traffic at all is the Default allow LAN to any rule, so nothing is being blocked. That's why I suggested you try looking at it from the Synology side.
Sure with the HA proxy you can do that. I do it now for a couple different fqdn.
But that is going to work with http protocols, not going to be able to work with say smtp.
Add each WAN IP you want to use to the WAN interface. Firewall > Virtual IPs. Use type "IP Alias".
Go to Firewall > NAT > Outbound. Switch into the manual mode. pfSense should take over the automatically generated rules for each of your subnets into the manual mode. Edit each one, go down to the translation address and select the outbound IP from the drop-down you want to assign to the respective source network.
Okay, my bad. This seems to be an issue with my APs versus pfSense. When I run test-ipv6.com on a wired client, it passes. I'd delete this post, but it errors out. My apologies for the diversion.
Yeah you normally do not have access to manipulate routing inside the mpls network. But you could ask.
Proxy on your end, which you just run on pfsense, would be the easier way to go for sure ;)
Other solution would be to create a tunnel between their end and your end where you could route internet through the tunnel. This removes any routing concerns inside the mpls path. You could do openvpn from the branch pfsense to yours.
If it makes multiple outbound connections and the protocol doesn't like it coming from two different addresses you will have problems.
If it only makes one connection it should be fine.
Try it and see?
If it gives you issues you can policy route just that traffic out one WAN. You might also try sticky connections.
https://docs.netgate.com/pfsense/en/latest/book/multiwan/load-balancing-and-failover.html#problems-with-load-balancing
You have to use the tag because, as that blog describes, traffic heading out WAN has already had outbound NAT applied by the time the outbound floating rule is checked so you lose the ability to match on the hosts' inside IP addresses.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.