• Map IP on LAN 1 to WAN 2?

    3
    0 Votes
    3 Posts
    370 Views
    N
    I wasn't finding the advanced options on the firewall rules to override the default gateway. Works great. Thank you.
  • Multi WAN and incoming connections

    1
    0 Votes
    1 Posts
    421 Views
    No one has replied
  • Routable ipsec vpn traffic

    2
    0 Votes
    2 Posts
    453 Views
    L
    Are these difficult questions? With Microsoft PPTP VPN the client is put directly in the local subnet, and can use the remote gateway, and can access other subnets. I have followed this article: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 There is no gateway; the first client gets the .1 address. I have tried to add firewall rules to allow the traffic, but it does not seem to help. Again, is VPN traffic routable?
  • Connection between sites

    6
    0 Votes
    6 Posts
    813 Views
    DerelictD
    No. They are different broadcast domains. You might be able to bridge them to the LAN side but not WAN to LAN. That setup is kind of funky.
  • Failover behavior

    7
    0 Votes
    7 Posts
    970 Views
    D
    I forgot to say: Thank you very much for the info.  I will put it to good use.
  • Default gateway not preferred after going down and coming up

    4
    0 Votes
    4 Posts
    449 Views
    DerelictD
    Status > Gateways; Diagnostics > Routes
  • Only redundancy, no balance

    2
    0 Votes
    2 Posts
    462 Views
    H
    Different tiers provide failover
  • One way audio on another subnet

    2
    0 Votes
    2 Posts
    367 Views
    R
    Please see packet capture and diag>>states [image: 4.png] [image: 5.png]
  • WAN Gateway Packet Loss

    3
    0 Votes
    3 Posts
    4k Views
    T
    Are you using Google 8.8.8.8 or 8.8.4.4 as your gateway monitoring destination?  If so, change it.  Google will drop packets thereby creating a false positive packet loss.
  • Multi-WAN Policy Based Routing not working

    3
    0 Votes
    3 Posts
    1k Views
    K
    Manual reset of the states is a good idea when you change your rules in any significant way: Diagnostics > States > Reset States.
  • Backup HA/CARP Firewall Access to Resources in Remote Subnet via OpenVPN

    6
    0 Votes
    6 Posts
    564 Views
    calebh
    A quick update, just in case it can help anyone else trying to accomplish a similar task… @calebh: a single NAT rule got the job done! It almost did! My attention was redirected to another project before I could completely test the theory. Adding the NAT rule did, in fact, allow the Backup firewall to access the resources on the host in subnet A; however, the Master firewall could not access the same resources via the virtual IP. So it appears that a firewall in an HA cluster cannot fully route packets to the VIP while it is the Master? If someone knows how to address that issue, please do share! To address the issue, in pfBlockerNG on the firewalls for subnet B, I've added both the real IP of the host in subnet A (this will be used by the Master), as well as the VIP used by the firewalls for subnet B (this will be used by the Backup). Whichever list entry isn't the one intended for the respective firewall will time out on that firewall, but it will get the same content via the entry intended for it.
  • No internet with bridge interface

    6
    0 Votes
    6 Posts
    953 Views
    DerelictD
    It doesn't sound like you actually understand what CARP is so I still have no idea what you are doing. Running CARP VIPs and HA with a pfSense bridge interface is not compatible.
  • Routing part of a /28

    4
    0 Votes
    4 Posts
    470 Views
    DerelictD
    You can definitely put an interface on the inside and 1:1 NAT addresses in the /28 to it but the hosts on the inside will have real addresses in RFC1918 private space and pfSense will have to NAT for them.
  • MOVED: I can't ping different networks….

    Locked
    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • WAN and Domain server Issue

    3
    0 Votes
    3 Posts
    422 Views
    X
    Yes, that is what I am trying to do, there was no firewall before, but as I said, this is causing some trouble
  • IP OVERLAP

    3
    0 Votes
    3 Posts
    1k Views
    X
    Thanks for answering, I'll look into it, because the place where I am installing this has a server with a fixed 192.168.89.2 IP, and that can't be changed, since it's the domain server. Any idea here?
  • WAN >> Virgin Media Router mode

    3
    0 Votes
    3 Posts
    839 Views
    W
    Hello. Yes, you are correct. I would want stealth mode. In modem mode I get stealth but in router mode I get closed. I am just concerned that in router mode the LAN, WAN, OPT1 are all in RFC1918 addresses and it seems that it might be routing between them. Craig
  • Routing problem

    1
    0 Votes
    1 Posts
    493 Views
    No one has replied
  • Question about Static Route

    3
    0 Votes
    3 Posts
    545 Views
    T
    @viragomann: @TPCoMatt: Do I add a 'static route' in pfSense? If so, do I need to create a 'Gateway' at 2.2.2.247, so the static route has a gateway to go through? Yes. Basically you need two routes for accessing the internet: the upstream route and the downstream route. For the upstream route you have to set the ISP gateway as default gateway on the external firewall and select it in the WAN interface settings. On the secondary firewall you have to do the same with the external FW's LAN address. For the downstream you need a static route on the external firewall. First set 2.2.2.247 as gateway (not default!) and then add a static route for 3.3.3.0/24 and select 2.2.2.247 for the GW to be used. Thanks! That worked perfectly!!
  • Routing VLAN traffic

    4
    0 Votes
    4 Posts
    908 Views
    T
    Where are you running Wireshark? I would try a packet capture on the pfSense interfaces and compare what is arriving to what is leaving. Also try looking over the pfSense logs; if it is doing anything to the packets and erroring, it should show up here: status > system > routing
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.