Routing and Multi WAN

• J

  Multiwan Traffic not "sticking" to the source interface
  • jgibbs

  5
  0
  Votes
  5
  Posts
  43
  Views

  J

  Ok, for anyone else who is unable to get port forward OpenVPN to work with multi wan, where you forwarded all vpn traffic to local host. The issue I had above was a result of allowing the default protocol listing for OpenVPN. I left it at UDP for IPv4 and IPv6 on all interfaces (multihome). Once I changed it to UDP for IPv4 only, everything worked as described in the online manuals. Good luck out there!
• G

  Routing Specific IP's using MultiWAN
  • gswhite

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• A

  gateway monitoring issue
  • alireza_salehi

  5
  0
  Votes
  5
  Posts
  166
  Views

  A

  @pwood999 i tried google/ opendns / cloudflare dns for monitoring but there isn't much diffidence between them. problem not solved even with buffer bloat solution provided here.
• A

  Cannot access gateway admin panel on dual wan scenario
  • alireza_salehi

  5
  0
  Votes
  5
  Posts
  144
  Views

  A

  i'm accessing dsl modems from LAN net (isn't it obvious from the configuration i present?), when take down a WAN gateway by force the other is accessible but not when both are active. disable firewall functionality on where ? pfsense is the firewall and there isn't any rule limiting access from lan to wan, default allow rules are active.
• S

  default route no longer working
  • SpaceBass

  3
  0
  Votes
  3
  Posts
  46
  Views

  

  If you are not pulling routes then you have to policy route to the VPNs. I don't see anything there that does that.
• M

  pfSense and Microsoft NLB Virtual UP and MAC # 03:**.**
  • mlb66

  2
  0
  Votes
  2
  Posts
  59
  Views

  

  If it's local, you might not see it on the firewall. If you are using MS NLB though, you might not have realized you need to set net.link.ether.inet.allow_multicast=1 in system tunables or the firewall may drop traffic to/from the addresses it uses. https://www.netgate.com/docs/pfsense/install/upgrading-older-versions-2.2.html#microsoft-load-balancing-open-mesh-traffic
• 

  Using DHCP option 121 as aide for inter-VLAN routing on switch
  • umademelosemyusernamepfsense

  8
  0
  Votes
  8
  Posts
  87
  Views

  

  Sounds like you have some clean up for sure.. Or your going to have all kinds of asymmetrical problems.. The core router is where the routes are decided upon, if you have other routers that go to other networks other than the internet.. Then they could all be on connected to the same transit, or they could have their own transit networks, etc. How about you draw up this network and we can figure out best way to do it.. But you shouldn't be routing on hosts... Its messy and overly problematic!!! if you have to do routing on your hosts for shit to work - then your doing it wrong ;)
• M

  multiwan with PPPOE (VDSL2) load balancing firewall rule stops working after a while
  • mephisto

  1
  0
  Votes
  1
  Posts
  28
  Views

  No one has replied

• J

  multiple WAN, failover groups, reset states on failback
  • jimmychoosshoes

  1
  0
  Votes
  1
  Posts
  27
  Views

  No one has replied

• G

  2 sat modems on 2 wan, reach admin page
  • gnammyx

  4
  0
  Votes
  4
  Posts
  119
  Views

  G

  Hello, sorry for my late response. I'm tryng both DNS or IP access to the 2 modems, with same ip address but different wan interfaces. Gianmarco
• A

  No Internet after reboot, wrong gateway.
  • amorphous

  18
  0
  Votes
  18
  Posts
  179
  Views

  K

  @amorphous is there an ipv6 gateway ??? the error shows that there is Jan 19 11:37:01 pfsense php-cgi: rc.bootup: Gateway, none 'available' for inet6, use the first one configured. '' set Default gateway IPv6 to none Wanted to clarify the gateway address and wan pf address belong to the same subnet ?
• 0

  No default route after reboot using Gateway Groups.
  • 0daymaster

  29
  0
  Votes
  29
  Posts
  421
  Views

  A

  @konstanti Yeah, we should switch to : https://forum.netgate.com/topic/139570/no-internet-after-reboot-wrong-gateway Thanks for all your help so far.
• J

  Pfsense IPv6 behind AT&T Uverse 5268AC
  • jathemon

  5
  1
  Votes
  5
  Posts
  1589
  Views

  P

  @andrew_241 I have not configured VLAN but I did manage to configure two LANs on AT&T Fiber using following: Turn off IPv6 on LAN1 and LAN2 (assuming two LANs) Go to WAN settings and set PD as /60, save settings Go to LAN1 and select IPv6 (track WAN interface) and select PD as 1 (default is 0) Go to LAN2 and select IPv6 (track WAN interface) and select PD as 2 (default is 0) Go to WAN settings and set PD as /64, save settings Reboot pfSense and all the interfaces (WAN, LAN1 and LAN2) would have IPv6 address Any details not mentioned above, follow the instructions of original post from jathemon above.
• A

  ARP Table reporting routes for entire /22 subnet
  • andrew_241

  1
  0
  Votes
  1
  Posts
  39
  Views

  No one has replied

• G

  OpenVPN Routing & Socket Disconnects
  • geudrik

  1
  0
  Votes
  1
  Posts
  50
  Views

  No one has replied

• L

  The default route gets lost after a reboot
  • LeCygne

  5
  0
  Votes
  5
  Posts
  141
  Views

  A

  Unfortunately that didn't work in my case. Same errors, same behaviour. I don't use gateway groups though.
• D

  Routing between WAN and LAN, OPT1 Interface
  • DerBorbecker

  5
  0
  Votes
  5
  Posts
  119
  Views

  

  WAN as as source (starting pint) , and you're going in. The firewall isn't just doing what it is ought to do ?
• S

  Multiple WAN issue with IPSec VTI + FRR
  • shellingfox

  1
  0
  Votes
  1
  Posts
  32
  Views

  No one has replied

• B

  SOCKS5 proxy (dante) on Virtual IP to use OpenVPN (ovpnc1) as Gateway
  • BearTM

  8
  0
  Votes
  8
  Posts
  368
  Views

  B

  @rico - Apologies for the slow reply. In the screenshots, the IP Alias is bound to LAN (can't be otherwise). Also, the floating rule was bound to BOTH of LAN and WAN (I was trying anything), but having the rule bound only to LAN or only to WAN has the same issue - every ping gets through. Do you know of any global settings which may be changed (i.e. I have them incorrect)? It doesn't make any sense to me that these rules are not being applied. Cheers.
• F

  Backup route with single WAN box?
  • fw_bob

  7
  0
  Votes
  7
  Posts
  116
  Views

  F

  @nogbadthebad interesting. I can free up OPT1 and then make it WAN2 then follow the other suggestions for groups. Excellent. I will give that a try. Thanks
• D

  Can I change static route admin cost
  • dr8g0ns

  1
  0
  Votes
  1
  Posts
  52
  Views

  No one has replied

• S

  Disabling MTU mismatch detection
  • serversupport

  2
  0
  Votes
  2
  Posts
  75
  Views

  L

  Hello there! May you pose more details regarding your issue? That way we can help you better.
• A

  WAN Failover Time to live exceeded
  • andrsharov

  2
  0
  Votes
  2
  Posts
  135
  Views

  L

  Hello there! I'm sorry but your words aren't as clear as they should be for getting help back on your issue. Thus if you can make a diagram would be much better. Also as far as I've grasped from your post, I would like to suggest switching the mode of fail over from "packet lost" to "member goes down" and observe the issue. Let's see what you will get back. Good luck
• Y

  Access remote subnet through IPSEC VTI ?
  • Yathus

  8
  0
  Votes
  8
  Posts
  115
  Views

  Y

  @yathus said in Access remote subnet through IPSEC VTI ?: Now i just need to understand where i can add rules if i want to limit access to this remote subnet. it's done too, i just have to add a rule in firewall and wait (or kill states...).
• K

  can't ping and traceroute between subnet
  • kulaku

  6
  0
  Votes
  6
  Posts
  146
  Views

  K

  @lecygne thanks for the insight chief
• S

  cannot assign WAN to an interface group nor assign WAN to no interface at all nor destroy WAN interface
  • skullnobrains

  6
  0
  Votes
  6
  Posts
  78
  Views

  S

  btw, i have another pfsense instance that does not have a WAN interface at all. guess i just skipped creating one during the initial install setup. so apparently, there is a way to skip it's creation but no way to remove it once it has been created.
• F

  Dual remote access on the same network (from 2 WAN)
  • fred7911

  6
  0
  Votes
  6
  Posts
  169
  Views

  L

  Yes! It can be accessed if you configure your routes and related settings the proper way. Usually running pfsense with CARP, both of the boxes will be "identical" in the required configuration. Thus, regardless of which pfsense box you are using, both of them are identical.
• C

  Fast convergence time
  • cygnus21

  10
  0
  Votes
  10
  Posts
  140
  Views

  L

  Yes that is what I've been suggesting since a while. To replace CARP between routers with OSPF! Static routes, of course, should be removed because OSPF will take care of exchanging routes between involved routers. Kindly before thinking that way about slowness of OSPF perform a test in your environment and observe for how well OSPF performs. Don't forget OSPF is being used in many huge enterprise networks all over the world!
• B

  RTT values for VPN gateways unrealistically low
  • bclothier

  7
  0
  Votes
  7
  Posts
  158
  Views

  B

  @chrcoluk I have discovered a work-around that seems to work. AirVPN assigns my pfSense firewall an IP address in the 10.0.0.0/8 CIDR based on the server pfSense is connected to. For example, I may get an address like 10.52.68.42. If I change the last digit to 1 (i.e., 10.52.68.1), and insert the result IP address into the Monitor IP field of the gateway settings, I get proper ping times. I believe the X.X.X.1 effectively specifies the internal address of AirVPN's respective gateway. Unfortunately, this work-around is not a complete solution to my problem. In my OpenVPN configuration, I actually have four AirVPN server connections active. A first pair corresponds to one physical location (e.g., New York, NY) and a second pair corresponds to another physical location (e.g., Newark, NJ). I choose the physical locations based on their corresponding servers ping times, namely, the first pair has the lowest ping times and the second pair has the next lowest ping times. pfSense is configured to load balance the servers within each pair, and the higher latency pair serves as a failover to the lower latency pair. If try to set the Monitor IP of each respective gateway to X.X.X.1, I get proper latency values for only one (and sometimes two) AirVPN servers. The others are listed as offline. So the work-around seems to function okay for one active server, but with more than one, pfSense seems to have issues.
• M

  Best Practice for Guest Network
  • MeCJay12

  14
  0
  Votes
  14
  Posts
  150
  Views

  

  You maybe could look at Interfaces -> Interface Groups "Interface Groups allow setting up rules for multiple interfaces without duplicating the rules. If members are removed from an interface group, the group rules are no longer applicable to that interface." https://www.netgate.com/docs/pfsense/interfaces/interface-groups.html You'd just need to add any new interface / vlan to the group or floating rule.
• K

  Gateways, FRR and the multi-WAN solution
  • KiloFoxtrotMike

  2
  0
  Votes
  2
  Posts
  112
  Views

  L

  *" Hi all, I'm having some trouble understanding the role of assigning a gateway to an interface when one gets installed by an IP routing manager such as Zebra in the FRR package. I have a pfSense VM and have installed FRR. I've configured it to talk to two BGP neighbours for redundancy. They do this over the WAN - i.e. all on the same /29. Each of these neighbours provide a gateway to the internet. I use local BGP weights to preference one over the other. When I look at Diagnostics -> Routes, the gateway there is the one defined by System -> Routing -> Default Gateway IPv4. While it happens to be one of the neighbours, it's not the one I have preferenced. Is there a way to install a default route advertised by either of the BGP neighbours?"* Hello there! You have to know that there is a concept called AD which stands for administrative distance. AD used as a way to choose a route among other competing routes. So in case you define a default route from pfsense WebGUI actually you define a static default route. While default routes defined by BGP are dynamically defined. Here you have to now that the "AD of static default routes have a lower AD(lower means better in terms of AD) than BGP-learned routes. That is why the default route defined statically is the route according to which your traffic being forwarded to. Check out this link for further details about AD concept So to get route this issue simply don't define any "default routes" and pfsnse will route traffic according to BGP-learned routes assuming there are no "better" routes in the IP routing table. "Or am I doing this wrong and just use gateway groups (consisting of both the neighbours) instead and just ditch FRR/BGP altogether?" Well the answer depends on your needs. And by the way the gateway group is not an alternative to BGP protocol. If all you need a fail-over from one WAN to another one you can use gateway groups. No need for BGP at all. BGP is used for something very different although it can be used to receive default routes from ISP but actually you are wasting computing resources running BGP only for receiving defaults routes. If you need to traffic specific traffic for specific destinations over specific WAN then BGP is the answer assuming those destinations are changing dynamically. "The other thing I'd like to ask is what are the implications if I do/don't have a gateway defined under the WAN interface itself? I know that if there is no gateway defined then no automatic outbound NAT rules get created. Does this mean NAT is not happening before a packet leaves when entering from a LAN-like interface? Will outbound NAT rules get applied if I manually create them?" If you know what you do I guess you would face no issues with not designating an interface as WAN. for instance if know when NAT comes into play you really know when you have to use it. But in case you don't know about NAT and you simply attach your Internet access to an interface which is not designated as WAN then you would go into trouble by not being able to access the Internet. So designating an interface as WAN instruct pfsense to make a few assumptions such as, any traffic out of WAN interface should be NATed, WAN interface should be the default route.. etc. "Right now, I don't have a gateway defined under the WAN interface even though one is defined under System -> Routing -> Default Gateway. Yet from the outside, I can still get to my internal webservers via 1:1 NAT and appropriate firewall ACLs. I assume this is because it creates implicit rules to allow traffic back out like most firewalls do? If so, then is outbound NAT solely for traffic originating from a LAN-like interface and leaving the WAN interface?" Yes. pfsense behaves that way. You can even disable the auto-creation for ACLs which allow reply back connections. I guess a better question is this. When does NAT come into play? And the answer simply defined under Firewall->NAT->Outbound. That section tells you which traffic being NATed.
• T

  pfSense with ESXi 6.5
  • twrigglesworth

  4
  0
  Votes
  4
  Posts
  77
  Views

  G

  @twrigglesworth said in pfSense with ESXi 6.5: Thank you =) this is all new to me so sorry if it's a little silly asking things like this. Then read the whole pfSense book.
• P

  Want to Set up A new VLAN where None Exist...questions
  • PctSevens

  2
  0
  Votes
  2
  Posts
  93
  Views

  F

  Kinda depends on how smart your AP is. If it is capable enough to have one SSID tagged on the wired side and another untagged, then you are good to go. I.E. "original SSID" would stay untagged (no VLAN field inserted), and the "new SSID" would be set to get tagged w/ VLAN 50. PFSENSE will handle things just fine from there.
• F

  Route netflix outside VPN on pfsense 2.4.4
  • fallingsloth

  2
  0
  Votes
  2
  Posts
  97
  Views

  M

  I got that to work by using a PAC file. I have enabled SQUID in my pfsense. So, basically, when my browser calls for netflix, the PAC file send it to the proxy, thus using my WAN IP, which is default gateway of Pfsense. Everything else goes direct, through the VPN. I had to make a policy rule, without enabling any of advanced options, so my PC can speak with the proxy on port 3128. After that, I`ve made another policy rule, setting in the advanced options, source MY LAN, destination ANY, gateway VPN gateway. So, by doing like this, I could route based on the domain name.
• 

  Sonos IGMP proxy
  • Qinn

  8
  0
  Votes
  8
  Posts
  660
  Views

  

  @vacquah ...Back I got it working take a look at https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s good luck and cheers, Qinn
• D

  Second (private) IP on WAN for modem management
  • dannyyy

  4
  0
  Votes
  4
  Posts
  82
  Views

  

  Glad you have it working. -Rico
• G

  Same gateway IP on multiple WAN interfaces?
  • grateful

  10
  0
  Votes
  10
  Posts
  181
  Views

  

  Yeah get an ISP that allows you to actually route a cidr block of IPs to you if you want to use them like your using so you can actually put them behind pfsense vs being wan IPs.. Then you would have actual transit networks for your different ISP connections... Option 2 Put your services in actual DC that will assign you IP block vs ding what amounts to a home user hack trying to run services off dynamic IPs.. Why are you dealing with dynamic IPs? Just don't get it - get a block of addresses and route it to you so you can do this correctly..
• Z

  fixing wan ip for particular user in pfsense load balance
  • zainali525

  6
  0
  Votes
  6
  Posts
  131
  Views

  N

  @kartoff If you also exclude http traffic from load balancing, then there isn't much to load balance. https has issues with the tls mechanism and ip's changing. http is much more forgiving. Enable sticky connections, put 1800 (sec) as timeout and you should be ok
• J

  Configure BGP - announce ASN and our public ips
  • jubimathew

  9
  0
  Votes
  9
  Posts
  178
  Views

  J

  @kartoff said in Configure BGP - announce ASN and our public ips: @jubimathew said in Configure BGP - announce ASN and our public ips: @kartoff @kartoff said in Configure BGP - announce ASN and our public ips: @jubimathew said in Configure BGP - announce ASN and our public ips: I have configured a device with the lan ip, but when doing show my ip address on google, it reflects the wan IP. How do we reflect ip on all outgoing traffic and can use our public ips on our devices, such that they can be accessed directly outside the firewall. Please let me know if you require more information on the setup that i have done. thank you As i understand you have firewall turned on ? Or you just mentioned it... Are you sure NAT is disabled ? Did you disable firewall in System>Advanced>Firewall&NAT ? Hi kartoff, thank you for your response. Disabling firewall in system>>advanced>>Firewall&NAT would cut off internet. Please let me know, if you require more information on the current setup. Would cut off internet if you don't have public IP's... When you have public /24, leaving firewall on cuts their publicity... Choice is yours :) Ok, what all parameters shall i check in openbgp_status which could confirm if the BGP settings is set correctly. thanks
• T

  Non-local default gateway via interface broken after updating 2.4.4 to 2.4.4_p1
  • tomst

  20
  0
  Votes
  20
  Posts
  422
  Views

  T

  Registered the issue under https://redmine.pfsense.org/issues/9232. I suppose, if people read this, any support in that issue is welcome. First time I filed a bug for this software so I hope its in order.