• Routing to redirect external to internal

    2
    0 Votes
    2 Posts
    291 Views
    D
    If I understand you correctly, you want users hitting the external link to be directed to the internal. This is usually handled by a DNS service. In pfSense if you are using the DNS Resolver, a host override should suffice. Services -> DNS Resolver -> General Settings -> Host Overrides -> Add. Host: testcompany; Domain: sytes.net; IP Address: 192.168.88.88; Description: my site override. Save, Apply, Test. Of course this will redirect not only that page, site, http, but any request to that host incl https and any other protocol trying to hit that host name.
  • 2 subnets on 1 lan interface

    15
    0 Votes
    15 Posts
    2k Views
    J
    With above info from you I contacted again the ISP and it's finally clear... Had indeed to install LACP ( LAGG ) on OPT3 and OPT4 and all is working now in my test environment. They do the VRRP on their side and just bring 2 cables to our rack (aggregation and redundancy in case of cable problem). So problem solved thanks to your help! Highly appreciated @Derelict ! Thanks! Jan
  • Domain/hostname based routing?

    5
    0 Votes
    5 Posts
    4k Views
    E
    @kpa said in Domain/hostname based routing?: All correct but the document makes no mention of policy based routing on the outgoing direction which is not possible in pfSense, normal rules or floating rules. PBR on the inbound direction works just fine with floating rules just like it does with normal rules. Oh I just assumed that PBR is just a firewall action like pass/drop so if you can apply firewall you can PBR. Looks like things are a bit more complex. Anyway if Proxy2 is set up on a dedicated VM instead of pfsense then it should work? It might be a bit too complicated though.
  • OPT interface exit route nightmare

    13
    0 Votes
    13 Posts
    1k Views
    M
    Ok, it's working now that I've disabled the NAT rule, not sure what was wrong before...
  • OpenVPN routing issue?

    12
    0 Votes
    12 Posts
    2k Views
    jimpJ
    @gr1pen said in OpenVPN routing issue?: After comparing these two setups I found that pfSense seems to create a "client to server" config and not a "site to site" config when selecting "Peer to peer (SSL/TLS)" in the GUI. I have tried to recreate it and confirmed this... Not a bug. As @kpa mentioned it creates a site-to-multi-site configuration by default in SSL/TLS mode. If you want a basic site-to-site config with SSL/TLS you can do that, but you must manually define a tunnel network that has a /30 subnet mask so that it only includes two endpoints (pfSense and VyOS in this case).
  • Increase the internet speed by merging links

    3
    0 Votes
    3 Posts
    666 Views
    A
    Thanks a lot, I will try it and give you feedback as soon as I can.
  • OpenBGP routes not getting installed

    2
    0 Votes
    2 Posts
    537 Views
    opticalcO
    Not sure if I'm supposed to manually create an SA for the bearer traffic (between 192.168.0.0/22 and 192.168.255.0/24) to go along with the SA I created between the BGP peer IPs? I noticed I was not getting any encrypted traffic out my wan interface when trying to ping from 192.168.0.0/22 to 192.168.255.0/24, so I did add an additional SA between 192.168.0.0/22 and 192.168.255.0/24 in pfsense, and now I do see encrypted traffic when I ping, but still no routes in netstat -nr, so this leaves me a bit concerned as to whether or not I'll have good BGP routing resilience in the first place...
  • 2 NICs, 2 inbound WANs?

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
  • 0 Votes
    7 Posts
    2k Views
    H
    @tsho_admin Yes, you need to add 10.2.1.0/24 to the phase 2 on site A as well, so that the IPSEC tunnel is aware of the addresses for the OpenVPN network.
  • Routing between 2 pfsense and internet

    4
    1 Votes
    4 Posts
    748 Views
    johnpozJ
    no problem glad you got it sorted.. See how short threads can be when decent amount of info and drawing to show how all connected given ;) Wish more posts were like yours for detailed information when asking for help.
  • Connecting to a third network across an ipsec VPN.

    1
    0 Votes
    1 Posts
    270 Views
    No one has replied
  • HELP APPRECIATED** 3G/4G Modem as WAN Interface?!

    8
    0 Votes
    8 Posts
    2k Views
    jahonixJ
    @caltommo said in HELP APPRECIATED** 3G/4G Modem as WAN Interface?!: Is there an alternative? It doesn’t have to be 100% reliable ... You mean as unreliable as your main internet connection? Be prepared that it fails the exact moment your regular connection is down already. There is no place for cheap when you need a backup for failsafe operation. Or vice versa, if it has to be cheap then it's not needed. I had positive results with this device https://www.amazon.co.uk/D-Link-DWR-921-Router-abnehmbare-Antennen/dp/B00BN36NMM
  • WAN settings not working

    3
    0 Votes
    3 Posts
    495 Views
    K
    I managed to fix this. Annoyingly I was selecting the wrong physical NIC for the virtual switch...
  • routing issue in LAN

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ
    Your route is 192.168.1.0/32 That is never going to work.. But since it's your default it should work.. So your remote client knows to get to 192.168.42/24 it needs to go down the tunnel. Then your VPN device knows how to get to this as well via pfsense. And you're allowing the firewalling? And you're not natting at pfsense. Or are you port forwarding and having your client try and talk to pfsense wan IP 172.17.20.98 So are you still having issues.. If so going to need the details asked about.
  • No Internet connection with non-default gateway

    17
    0 Votes
    17 Posts
    2k Views
    P
    @viragomann Thanks a lot! I found the solution: for changing the gateway there have to be two rules for the VLAN: Access to local VLANs via the default gateway (x.x.x.254). Access outdoor where you can change the gateway ( GW to internet ). The problem occurred because setting a non-default gateway was not working as expected. When you set a custom GW (not default) on some VLAN, your VLAN cannot access other VLANs via it. When the default GW is set, pfSense knows which route to take to access other VLANs and even go outdoor for internet access. So the first rule says how to access VLANs indoor, and the second says how to go outdoor. Thanks very much! Problem solved! Now I understand how to set up failover
  • Different firewall rules for each WAN interface

    3
    0 Votes
    3 Posts
    327 Views
    S
    I read those docs. They seem simple enough. I tried creating firewall rules and they didn't do anything. I have tried various rules this morning and none of them did anything at all. Can you explain how I would set up rules to allow traffic from only one VLAN to go through my failover interface? Thanks!
  • Using pfSense's OpenVPN in tun mode with public subnet

    2
    0 Votes
    2 Posts
    338 Views
    jimpJ
    There are automatic NAT rules that get put in place to mask VPN client networks on the way out. You can override that: Navigate to Firewall > NAT, Outbound tab. Switch to Hybrid Outbound NAT mode and save. Click Add to top (upward pointing arrow). Check "Do Not NAT". Interface=WAN, protocol=any. Set the source to your public subnet (e.g. 2.2.2.0/29). Destination=Any. Description="Do not NAT OpenVPN public clients". Save, Apply Changes.
  • Connection timeouts when using non-default gateway

    1
    0 Votes
    1 Posts
    207 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.