@johnpoz said in Wake-on-LAN using directed broadcast: Can you get your port 9 forwarding thing to work, if you use a directed IP and then static arp on pfsense for that specific IP? I just managed to get it working using the aforementioned workaround. I guess that the ARP entry has to be static. Otherwise the final router would probably not forward the magic packet to the destination interface. @johnpoz said in Wake-on-LAN using directed broadcast: It could be also that sending to say 192.168.1.100 with all ffs as mac, might not be enough for that client to wake up? Maybe it wants to see its IP and mac in the WOL packet? It is enough that the packet contains the right MAC address and gets spewed out of the right interface. The IP address serves just for routing the packet through the network to the final router.

@luckman212 Super, thank you. I will have to get my head around some of that, but it's the basis to get the 2nd line installed so I can even test it.

@professor your setup is a MESS.. Yeah your going to have problem with it, its a asymmetrical nightmare.. Fix it! Use a transit network - now you can just use pfsense as a router with a any any rule..

Fixed the issue: I had to enable Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic under VPN -> IPsec -> Advanced Settings on fwl-01 and fwl-03 Documentation here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html#advanced-ipsec-settings

@akuma1x Thank you! It's working!

This was fixed by deleting all manually added GWs and using the one assigned by the upstream DHCP as default. the DNS-Redirect rule does not seem to have any effect (enabling/disabling it does not affect connectivity). Thank you guys for helping out ^_^

@jonathanlee said in 'arp: writing to routing socket: Operation not permitted': turn off logging same as what you recommended. There is a better solution. Turning off logging : [image: 1650962768337-3a257798-1f8b-41d0-a305-a1959432b3d3-image.png] is a sledge hammer approach. You can keep logging for the default rule activated. Just added a block rule that doesn't log, and it should block UDP port 68 (DHCP stuff) as you know it exists, but you 'trust' it as it can do no harm except eating up a very small fraction of your WAN band width. Other non solicited WAN traffic will still get logged.

@idefixrc There are some very dubious statements on your ISPs web site.

@netblues So I got it working now. There were two things wrong: I did have that Outbound NAT setting you suggested (it was part of the provider's instructions). But where the instructions said to use "192.168.1.1" I had put "192.168.1.0" (actually, I have a different subnet, but I had put a"0" instead of "1"). And I changed the firewall rule to direct the subnet's traffic through the gateway. Instead of choosing source "LNy", I had chosen source "VPN" - that one clearly was a main culprit. Thanks for your help!!!

@johnpoz Ah, I see. Well, I just took a leap of faith and updated my dynamic DNS with "whatever" pfSense found. And now - after the update - it does show on the Dynamic DNS page. I had just hoped to be able to check the IP beforehand (in order to avoid updating with an incorrect IP). But it all seems to have worked fine. Thanks for your help!!!

The problem was my NAT outbound rules which were not set. Also I had a problem with the MSS / MTU because my ISP requires there specific values.

@dotdash Thank You!

No, i've removed any switches between the router and the tv-box. Had it working fine with my old router. Anyways, we figured out that we didn't really miss it much, as we mostly stream stuff anyways. So, I gave up and canceled my TV-subscription and instead increased my bw to 750mbps.

So, I guess I have a couple of questions. 1/ Can I tune the "High Latency" trigger to be different values for different gateways. Why not load balancing and the failover you get as a benefit on top? 2/ Anyone know why, even if I select packet loss, the system is choosing to drop the Sat link (which isn't loosing packets but does have a high ping). It perhaps pending on what you where configuring out! For the record, the test rig is currently on a SG1100 but I'm going to swap a 7100 in today to see if that has any impact. (but I don't think it will) All is pending on your throughput! How many are the three internet connections are delevering to you? 3 x 1 GBit/s or less or more? I think the Negate 6100 will do the job with ease for you! Also a small APU4D4 can be enough, if you have not so high WAN throughput.

@wufwuf DDNS can also be setup in pfSense! So over DDNS you may be able to connect to your pfSense from outside and then "locally" to the NAS. If you set up the DDNS at the Synology NAS, it is directly able to connect from outside, but also for other peoples!