• Directing outbound traffic

    @mcury @viragomann
    Thanks!
    I guess my mechanical brain wanted to see a hardwire to a port that was a physical public IP. That was probably the issue that would not let me see/understand the virtual IP solution.

    Thanks again for all the help.

  • Dual WAN; 1 gateway not working

    OK. I am an idiot :-)
    For some reason I had the static IP of WAN2 the same as the gateway :-)

    Seems to work now!
    Sorry for wasting your time!

  • Failover through PBR vs. static route

    Never mind! My situation is literally explained here:

    https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

  • Dpinger and LTE alerts

    @dennypage

    Thank you. I didn't realize the loss interval's influence on latency thresholds.

    -Devan

  • Small WAN IP Subnet with Larger LAN IP Subnet

    @viragomann I want to thank you for your guidance. I really appreciate your time on this topic. Finally, I solved the problem by just adding an outbound rule on the /30 interface where the source is the VLAN over the LAN interface, the destination is any, and translating to one of the /29 addresses. With that, our clients can go out to the internet using this service.

    So, if anyone finds a scenario like this, this is what I did:

    1-. Set up the interconnection: use one of the /30 addresses and create a GW with the other address on the interface connected to the ISP

    Interfaces - Select the one connected with the ISP
    Configuration Type: Static
    IP Address: one of the /30 (usually the highest)
    Add a new gateway
    Gateway Name: as you want
    Gateway IP: the other address
    Add
    Save

    2-. Create an IP alias: Firewall - Virtual IP - Add

    Type: IP Alias

    Interface: The one connected to the ISP

    Address: One of the public addresses

    Save

    3-. NAT outbound rules: one with static port and another without static port. Firewall - NAT - Outbound

    Outbound Type: Hybrid

    Save

    Add Rule
    Interface: The one connected with the ISP
    Address Family: IPV4 + IPV6 (if you use IPV6)
    Protocol: Any
    Source: LAN network. If you have multiple VLANs on your LAN, then the source
    should be the network of the VLAN you need to go out to the internet
    Destination: Any
    Translation: The IP alias that was created before. Drop down the list to find it
    Check Static Port for one of the rules. Then create another one exactly like
    before but without Static Port checked
    Save

    4-. Set a policy to use the gateway of your ISP: Firewall - Rules - LAN (or VLAN on the LAN) Tab and add a rule where the gateway is your interface connected with your ISP.

    Firewall - Rules - LAN (or VLAN over your LAN) Tab and then click on Add

    Interface: The LAN or VLAN on the LAN interface

    Address Family: IPV4 + IPV6

    Protocol: Any

    Source: LAN or VLAN net

    Destination: any

    Display Advanced options and scroll down until you find Gateway

    Select the gateway created before

    Click Save

    And that's it. This works for me. Maybe it's not too fancy, but it works fine.

    Thanks everyone for the help.
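    The ruleset those four GUI steps end up generating, written out in pf syntax, as an added example that is not part of the original post. The interface names, the VLAN tag and the addresses (taken from the documentation ranges) are assumptions; on a real box the generated rules can be compared against /tmp/rules.debug. Two details matter in practice: pf uses the first matching nat rule, so a Static Port rule for "any" protocol would shadow the second rule entirely (here it is scoped to UDP), and the policy-routing rule must be preceded by a plain pass for local destinations, otherwise traffic to other internal subnets is also pushed to the ISP (the "bypassing policy routing" case from the pfSense docs linked earlier on this page).

```pf
# Added example, not from the post. Assumed names and addresses:
#   WAN (ISP /30):  em0, 203.0.113.2/30, ISP gateway 203.0.113.1
#   Routed /29:     198.51.100.8/29, with 198.51.100.10 added as an
#                   IP Alias virtual IP on em0 (step 2)
#   LAN VLAN 10:    em1.10, 10.10.10.0/24
wan     = "em0"
lan     = "em1.10"
lan_net = "10.10.10.0/24"
isp_gw  = "203.0.113.1"
pub_ip  = "198.51.100.10"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Step 3: Hybrid outbound NAT. Manual rules are evaluated before the
# automatic ones, and pf takes the first nat rule that matches, so the
# static-port rule is limited to UDP (e.g. IPsec IKE, SIP); everything
# else is translated to the /29 alias with a randomised source port.
nat on $wan inet proto udp from $lan_net to any -> $pub_ip static-port
nat on $wan inet from $lan_net to any -> $pub_ip port 1024:65535

# Step 4: policy-route the VLAN out through the ISP gateway. Traffic to
# other local networks must hit a plain pass rule first, or it would be
# handed to the ISP gateway as well.
pass in quick on $lan inet from $lan_net to $rfc1918 keep state
pass in quick on $lan inet from $lan_net to any route-to ( $wan $isp_gw ) keep state
```

    The second nat rule is what pfSense produces for a rule without Static Port; the port range is what keeps the original source port from being reused.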

  • (thread title missing from listing)

    johnpoz:

    @dlrqdm You would have to adjust your outbound NAT to not NAT.

    Here is an example... I created a special outbound rule for my test interface so it is not used for outbound NAT, using hybrid mode. With my test interface IP 192.168.200.1, I set unbound to only use the test interface for outbound.

    Sniffing on WAN while I do a DNS query, which never gets answered of course, you can see the traffic going out with my 192.168.200.1 address.

    You would have to adjust it to use your VPN interface, etc.

    [image: nonat.jpg]
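    What that "Do not NAT" rule looks like in pf syntax, next to the automatic rule it has to sit above, as an added example rather than the contents of the screenshot. The interface names and the WAN address are assumptions; the 192.168.200.1 test address is the one from the post.

```pf
# Added example, not from the post. Assumed: WAN is em0 with address
# 203.0.113.2; the test interface carrying 192.168.200.1 is em2.
wan     = "em0"
wan_ip  = "203.0.113.2"
test_ip = "192.168.200.1"

# Hybrid mode puts manual rules before the automatic ones. pf stops at the
# first nat or no nat rule that matches, so this must come first; placed
# after the automatic rule it would never be reached.
no nat on $wan inet from $test_ip to any

# Automatic outbound NAT for the test network, which would otherwise
# rewrite the source address to the WAN address.
nat on $wan inet from 192.168.200.0/24 to any -> $wan_ip port 1024:65535

# Check from the firewall shell while Unbound resolves something:
# queries should now leave WAN with the 192.168.200.1 source address.
#   tcpdump -ni em0 udp port 53
```

    For the VPN case from the thread, the same no nat line goes on the VPN interface instead of WAN, with the source set to the address Unbound is bound to.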

  • CE 2.6/2.7 and PIMD

    2
    0 Votes
    2 Posts
    400 Views
    W

    This post is in the wrong spot.

    Sorry about that.

  • Gateway Internet with mikrotik

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • (thread title missing from listing)

    @viragomann

    Thanks for your further interest in my circumstances.

    Just to clarify, following your advice (hopefully I have fully understood) I made the following changes

    System/Routing/Gateways

    Changed default IPv4 gateway to automatic (IPv6 is none)

    System/Routing/Static Routes

    Removed static routes

    System/Routing/Gateway Groups

    Created a Gateway Group comprising the two outbound VPN Clients (set as Tier 1/Tier 2). Routing out via this GG is configured via LAN Firewall Rules (previously I thought this was undertaken by way of the above gateway setting, but I now recognise this only seems appropriate to change where there are two physical WAN connections).

    You may recall that I have configured Unbound to only use the 2 outbound VPNs for DNS resolution (looking to avoid any possibility of a DNS leak). To negate the possibility of a catch-22 (DNS waiting for VPN to come up / VPN client seeking a DNS response to its gateway query) I have hard-coded the IP addresses of the VPN gateways into the OpenVPN clients.

    Notwithstanding the above, I still seemed to be afflicted by a loss of local client DNS resolution post pfSense reboot.

    This does seem to be a known issue (possibly with Unbound) and, whilst a bit of a "bodge", seems to be easily resolved by restarting Unbound after reboot using cron.

    At the risk of "teaching you how to suck an egg", I found this discussion here helpful

    https://www.reddit.com/r/PFSENSE/comments/lxu3yg/workaround_unbound_restart_at_reboot_using_cron/

    Thanks again for your help.

  • Monitor IP in rules?

    3
    0 Votes
    3 Posts
    564 Views
    L

    @viragomann
    Thanks.

  • Can't Communicate With Host Over OVPN Connection

    6
    0 Votes
    6 Posts
    769 Views
    V

    @qits_charles said in Can't Communicate With Host Over OVPN Connection:

    When I add PFSense as the gateway it is able to connect but as soon as I remove it I lose access.

    That's what I expect. Why do you want to remove it?

    Also the latency is 50+ ms.

    Only to the Ubuntu host or other destinations as well?

    A single core may not be ideal for modern operating systems, but it depends on the CPU speed. The RAM usage depends on what is running on pfSense. For firewalling only it should be sufficient.

  • I won't reach the subnet

    johnpoz:

    @gusto again, what they are showing is a horrible example of working with their limited devices.

    That first link goes over what you can do to get around using asymmetrical routing, but asymmetrical routing should not be something you would actually set up on purpose.

    If you want to learn about routing, I sure wouldn't start with what amounts to a shit show ;)

    Your downstream router should use a transit network to connect to the upstream router.

    Here is a diagram that should help with doing routing on pfSense for multiple networks, and adding a downstream router into the mix.

    [image: pfsense-layer-3-switch.png]

  • Setting host as Monitored IP makes it unreachable?

    4
    0 Votes
    4 Posts
    868 Views
  • Static IP with failover

    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • OpenVPN clients problems

    7
    0 Votes
    7 Posts
    1k Views
    U

    Thank you
    works fine

  • Routing Different subnet

    1
    0 Votes
    1 Posts
    276 Views
    No one has replied
  • 2 WANs to different vlans

    13
    0 Votes
    13 Posts
    1k Views
    S

    @viragomann said in 2 WANs to different vlans:

    @sintei said in 2 WANs to different vlans:

    Right now I can't block the VLAN WEBSITES from accessing LAN via rule, as then the website loses connectivity to the internet (for instance to check updates etc).
    But I can access it FROM the internet.

    The only reason for this, I can think of is that on the web server you are using a DNS server in the LAN subnet.

    If that's not the case enable logging in the block rule and check the firewall log to see, which access from the web server to LAN is blocked.

    You my dear sir are correct!
    I could find some DNS settings and changed them manually and it worked!
    Thanks.

    Also, big thanks to @Silence for helping me troubleshooting this. Have a good night!

  • Remote openVPN phone setup that need to exit on a different firewall

    @stephenw10 That worked, Thank you very much for your help.

    Best Regards

  • How do services in pfSense know which GW to use?

    4
    0 Votes
    4 Posts
    651 Views
    D

    @trumee

    Thank you for explaining. I figured out a workaround: by creating a static route to host addresses, I can direct the WireGuard service separately from the rest of pfSense.

  • USING GRYPHON AP (DHCP CANNOT BE DISABLED) WITH PFSENSE

    1
    0 Votes
    1 Posts
    550 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.