@0x010C LAN should typically NOT show up as a gateway in that list... You can have a gateway in the LAN segment, like a standalone VPN server or similar. In that case you set up a static route to it though...

Are you saying that C automagically became a default gateway when you created it? Have you tried changing the default, saving and changing back again?
Also, under gateway group you can create like a failover group, using A, B and C, and setting A to Tier 1 and the others at some higher Tier 2 and 3. Then use this group as the default gateway. All normal traffic wil then go through A, unless A is down. All policy routed traffic will go as per the policy... through B or C.

@totalimpact said in Pfsense cannot port forward to Layer 3 switch:

having static routes requires a gateway on the Transit network.

Not on the interface - you create a gateway to the IP on the transit network, but you don't actually put that gateway on the interface of pfsense on the transit.. Or pfsense thinks a wan interface and creates an outbound nat on it.

You create the gateway in the routing gateway section not on the specific interface.

pfsense-layer-3-switch.png

@seanr22a said in IPsec routing problem:

I have three web sites including Nextcloud on the server at siteB and they are behind Cloudflare CDN (free version). I use an Apache reverse proxy at siteA now to get around the port blocking issue (Sending the traffic over the IPsec to the server at siteB). The ping time is around 230ms and I get around 10Mb up and 45Mb down from siteB to siteA. I spend most of my time in Thailand so the speed I get here is most important.

I get the Proxy setup, that's what I use to access my NextCloud server, as well as my Homeassistant and some other stuff. I just happen to use Nginx.

But I'm not sure I understand how Cloudflare CDN fits into this setup that you have?
If you host your server at your home in Thailand, and you access it via Sweden using some DynDNS service to find your Swedish IP, then you go directly via the VPN to site B. Where does Cloudflare come into play?

And I'm curious, which ISP is it, and which ports do they block? And what ports don't they block?

I've seen that many users say nginx is faster and use less resources but in my very small setup I really don't think it matters.

I agree, probably wouldn't make a noticeable difference if you changed. If you are curious however, and use docker, it's actually super simple to set up and has a very intuitive UI...

BUT, what could potentially improve performance quite a bit is if you change VPN to Wireguard. Depends on what HW you run pfsense on of course, but on smaller machines I can see a real difference even at moderate speeds.
I have a site with pfsense running on a tiny PC Engines APU2 and I can saturate the 250 Mbit connection to that site over Wireguard. But on an IPSec connection I can perhaps get 80-90 Mbit when testing with e.g. iperf or openspeedtest.

Looks like this is starting to happen again.

However it is limited, only some traffic is being routed over the backup connections.

@patient0 said in What is wrong with my routing?:

fgrep 62.155.245.31 /cf/conf/config.xml

shows no (=empty) output

but a 'cat /cf/conf/config.xml' reveals that the version of the config file (line 3) is "23.6".

@johnpoz well, yeah unfortunately. I was looking to strengthen my current setup but it seems there is nothing I can do for now.

Make sure when you are switching devices behind the modem that you hard reboot the modem as it will stick to one MAC address at a time.. when it is not in bridge mode it becomes that one MAC address by itself so you don't have to worry about the reboot process. But in this case pfSense is the router and the interface of your win needs to be that MAC address..

@Bob-Dig I am not said wireguard, i am said the WAN.

@tgl I looked into that. They combine TV and Internet service and the non-residential TV service sucks. That's why I went this way. At present, it is only personal playing with software development and the extra expense was not warranted for having 2 internet services.

@StormGate said in Mac Filtering ISP Side:

I knew not to make any changes as it is always the ISP

Put that one first 👍

@frog

You are better off with an external modem that connects via Ethernet. Makes it completely transparent to pfSense.

LM1200

$40 from Netgear, $25 from Amazon

I have the older LB2120 connected to pfSense for dual WAN failover.

But I came across this

Huawei E3372s LTE USB-stick
Link interface: /dev/cuaU0.1
Init string: &F&C1&D2E0S0=0

And this

Modems reported to work as Ethernet devices
Huawei E3372-325

https://docs.netgate.com/pfsense/en/latest/cellular/hardware.html

@Lauryx Ok, so perhaps it's the Static route that you are missing then. If you go into System / Routing and static routes you need to add a route to 192.186.0.0/24 using the Wireguard Gateway.

Again, how you do this on the OpenWRT side is something I don't know...

@pablomichelin NAT the entire subnet at each end like the Netgate docs then.

Documentation

@Gblenn To be honest its not very often i do it. just a pain if i have to and then restart the process.

@Gertjan oh cool i will give that a try

@khb But to answer your question. You should use the 2100 because of the superior feature set and support that comes with it compared to Edgerouter 4. Not to mention pfBlockerNG and so on.

@CFC Thanks for the reply Glad you are back in business. I'm about to swap out my pfSense firewall for a dumb router and see what happens.
If the problem remains I'll follow your route. If the problem goes away I'll know its the pfSense.
Thanks for the feedback.