@dangersheep @viragomann

We discussed the need (or not!) for a static route/gateway. Isn't that related to the bug report here: https://redmine.pfsense.org/issues/14200 ?

Nevermind, just read the bit about connecting to home via OpenVPN.

You mention using OpenVPN, if so have you selected "don't pull routes" if you don't it's likely your default route is via your OpenVPN connection rather than your WAN link.

Screenshot 2023-10-09 at 18.41.50.png

Any thoughts? I know it's not the phone configuration or providers ISP because I had the same issue at my last job with other phones. However, the same set up worked just fine on Sonicwalls.

@Antonii
Yes, exactly.

@Itay1787 I don't think you can do that with WG on pfSense. With OpenVPN you would be able to chain Clients though.
Maybe use a VMs for your first client...

@viragomann Gateway is set to none,
When sniffing packets, I see them come in but not come out of the firewall. They just terminate with Time to live exceeded
This firewall is setup in HA and testing the route using the secondary firewall works fine.
I suspect it's a routing bug somehow caused on the primary firewall. I guess a restart will be required for further troubleshooting.

Thanks for your help.

@jstride Is this Gateway group "WAN_VPN_GATEWAY" in your firewall rule the one from from your failover group you created in System/Routing/Gateway Groups? It should be. It looks like your failover group name is "WAN" from your first post.

@pczinser Not personally super experienced with pfSense in AWS, but wanted to at least try and help or get this topic a bit of a bump haha.

So, just to be clear, where are you seeing the default deny happen? In pfSense right? But on what interface in specific? I'd first be suspect of that and see if you can get the traffic to pass, but yes could be asymmetric for some reason.

Again, not a huge AWS person, but is there a reason the VPN is built with AWS and not setup within pfSense at each location itself?

@alexnyc On vlan3 set an outbound nat so that when 77.4.5 pings 10.10.10.4 it looks like it comes from pfsense 10.10.10.1 address.

But why would you even want that to be used, why would 77.4.5 not just access 777.4.4?

I would put a outbound nat on that vlan3 so any source comming from 71.77.4/24 going to 10.10.10/24 would look like it came from 10.10.10.1

@jankol said in Single public IP subnet on WAN scenario but pfSense router as default gateway for WAN clients:

My main motivation for the alternative setup (compared to documentation) was the ability to control upstream communication from the server to the internet (so pfBlockerNG could block advertisements and possibly do port forwarding VIP => Server IP). I hoped that it is somehow possible

You can do this anyway. All traffic to and from the server have to Pass pfSense, hence you can block and oass whatever you want.
This is also true for pfBlocker rules.

Admin: You can delete this post.

I got things working by adding a basic pass rule.

John

@viragomann thanks a lot!

@Bravo-0 said in How to have SVI's in a L3 switch route to the internet through a Pfsense router?:

Just got more information from the firewall and interface monitoring dosn't pick up any incoming traffic form each device an a SVI. So it's not even hitting the device.

I'm not sure how to interpret this ...
Didn't you say you had some succesfull pings ??

Also the interface gi10 does have the no switchport command

So it should operate as a L3 IF , not a switchport ??
I'm not experienced w. the 300 series ....

If it's a "pure L3" IF , try to connect a PC to gi10 , and give it the pfSense ip.
Then test if you can ping the switch:
If yes (switch l3 config) ought to be ok , (challenge is on pfSense).
If no ... (challenge is on switch)

/Bingo