Hi,

One reco regarding your pfSense VM settings in Proxmox : I'd recommend disabling the Proxmox firewall from this VM's interfaces, as it might interfere with the rules you'll set in pfsense.

For instance, if you allow some traffic on the pfSense interface, but did not also allow it on the proxmox firewall for the VM, then you might run into trouble.

As pfSense is a firewall, there's no point in enabling Proxmox's filtering on top of it 😉

In addition, if the 192.168.7.214 interface is the "outside" (WAN) interface of you firewall, all incoming traffic is discarded by default, you'll have to define explicit rules allowing ICMP for instance for your tests.

@johnpoz Yes, I searched the web for the error and came to the same thought. I disabled Both Nortons and also the inbuilt firewall and it made no difference. Also not using VPN at all internally.

@gertjan Thanks Gertjan!

My 2440, one of the problem machines, crashed. I am going to replace it. Perhaps it has been hardware all along. That little box has problems with the clock on the Celeron. Still, having the information on the location of the code and how the code works for SMTP will be immensely helpful for me on the other machine.

@core7 said in different IP ranges:

two of them in bridge mode

Any special reason for this?

Can you have two bridges with different IP ranges?

Yes. But this question is unsuitable, since you only have one bridge, as I got the above.
Or do you mean different subnets on the member interfaces of a single bridge?

@mindtwist it’s a YY/MM date based version. They are targeting 3 Plus versions per year.

@jarhead I didn't do a range, I couldn't remember if it assigns 1 or 254 as the router, so I just did both, for each subnet I've seen.

You are correct, I did use the word "range", but I meant to "cover those two ranges for possible router addresses". Sorry for the confusion.

@steveits That fixed it! You're a superstar! I owe you a pint. Or six.

@steveits That fixed the problem - changing the gateway from "Default" to the gateway group resolved my issue. Thanks.

@testcb00 said in Trying to connect two devices behind two interfaces:

Finally, I find that I have to set up a static route in the NUT server.

You shouldn't have to do that in a normal setup.. That would only make sense if this nut sever was not using pfsense as its gateway.

If you can ping the pfsense IP of this vlan interface, but not devices on this vlan. That normally screams host firewall not allowing remote IPs, or again this device not using pfsense as its gateway either.

I have found the answer to the first part of my own question:

https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#skip-rules-when-gateway-is-down

I needed to check "System/Advanced/Miscellaneous tab/Gateway Monitoring section/Do not create rules when gateway is down", this makes the rules behave the way I wanted.

If anyone can still explain when/how/why OpenVPN needs a default gateway for connections to be made successfully, and whether it can be made to work without one, that would still be useful.

I applied all the changes and tested and everything works! Thanks for all the help.

@aduzsardi
Basically the default gateway is used. But if a request goes to an IP out of the second subnet pfSense uses this IP for response as well, of course. Now if the default gateway lies outside of this subnet it will use the gateway that matches the subnet.

@eds89 That's the same as I meant, i.e. setting priorities on LAN to PfSense traffic !!

If the shaping rules are the same, then the only change is the WAN config. What is different ?

@ervin23 I would guess you would divide those groups by vlans but if you don't want to, it should be doable like you have described it, not done it like that myself though.

You should beginn with something like this and get it working. Also see this.

@nikim
Did you by any change nat the outbound of pfSense to the CARP VIP?
Show the outbound NAT rules please, if unsure.

Did you state an alternative monitoring IP?

@johnpoz I wouldnt. Sorry. I misunderstood you :)