@McMurphy
Remember that the routes have been added correctly on both VPN endpoints to work. So also check the remote site.

Also ensure the the respectively remote networks are entered in the Wireguard settings at allowed networks on both sites.

@Ximulate said in Routing rather than Gateway Group?:

but at least in my use case I think policy routing might be easier to manage

Why?

You can specify the failover group as the default gateway. So it is used by any device behind pfSense as well as by pfSense itself.
Policy routing rules have to be defined on each interface on the other hand.

The meaning of policy routing is to direct traffic from certain sources or to certain targets to a specific gateway.
If this is, what you want, you can go with it. Otherwise I'd prefer a gateway group as the default.

@oscar-pulgarin What VLAN ID's does your ISP say that you need?

If for example they use ID 100 for internet, I'm thinking you should do the following...

Create a VLAN with ID 100, using the physical interface used for WAN (igb0 for example). This is under Interfaces > VLAN's Under Interfaces / Assignments, click the drop down box for WAN and select the newly created VLAN.

That should take case of your internet traffic.

To pass through IPTV I suppose you have to add that VLAN ID to both WAN and LAN as well as any switches that sit between pfsense and your TV-box.

@fcostars Descobri!

O link da operadora ALGAR não deixa passar, mudei o link para a operadora da vivo para testar e funcionou!

Que loucura!

Obrigado pessoal!

@Gertjan Thanks for the tip @Gertjan!
I have done similar modifications of the config when changing NIC's. And it is as you say nothing more than search and replace. Didn't think about that for this type of change though, so this goes into my list of good things to remember...

@prochid
Ensure that the firewall rules for allowing incoming access are defined on the respective WAN interface tab.

Don't use interface groups for the WANs and don't configure floating rules for allowing incoming traffic!

@uggiz A simple test would be to open a browser on a PC that is on the CREWVSAT73 subnet and check "whatismyip.com"...

@larrygs Ah, so the PC's also have SFP+ ports, not RJ45?

Anyway, sounds like you are on to something there, with the Qotom (2.5G) and 10G (TP-Link) connection. So in that case you have an RJ45 module plugged into the TP-Link and ethernet cable to the Qotom, right?
And that port is set manually to 1G in pfsense as well, or is it set to auto?

I have read that there were problems with the i226's but I thought it was fixed in 2.7.2. And one solution is actually to virtualize pfsense on the Qotom (Proxmox) and give it a virtual NIC, instead of a full pass thru. Assuming the drivers in debian are working... You will not have any problems getting the full 1G even in such a setup (actually way more than that with that CPU).

The only issue I have had with the SX3008 is that it doesn't autonegotiate to 1G and that it overheated. But I have not tested with any of my devices that have 2.5G NIC's, as they are connected to a SX3206HPP which works fine @2.5G.

@stephenw10 Thanks for confirming.

@eribob Wow, really good numbers, congratulations!

@wisepds 11 days and where is the comunity?.. i know a lot of people lost conectivity when wan ip change and your DDNS ip change.
Can anybody tell me what must i do?
Is there a script for pfsense that fix this.. i don't know... for example via script + Cron every 30 seconds?

Please Help!

I am not really that familiar with the 2100, but my undertanding is that the VLAN ID's used internally for the switch, are only internal to the switch unless you tell it otherwise.

So you can use e.g. VLAN 4081 for WAN and 4082 for OPT1 and that will maintain them separated in the switch. Then in the interface setting you just repeat what you already did for your WAN connection earlier. And since they are separated you are free to reuse the same VLAN ID 7 without any conflicts....

@w0w no, it's a carrier problem (currently). Either a node is failing or a customer on the node is sending noise back to the node, causing high packetloss everyday between 2p & 4p. I can set my clock to it almost....but it causes pfSense to flip sheep with the failover.

I had a truck rolled today, showed them the latency logs from 2 different addresses in the neighborhood. They agreed it was a "them issue".

@egates Cool, glad that you got it working!

@boulesmoonraker
Thanks guys. I was able to get this to work with your advice, but unfortunately wildcards are not supported in the IP Alias list as @viragomann pointed out. It would be a cool feature if pfSense did support wildcards for hostnames.

With some packet captures I was able to determine the handful of hosts I needed to add to the list and it worked like a champ.

@Shinigami
So configure the UNIFI properly to accept access from its WAN facing iterface.

@johnpoz I actually tinkered with this, it didn't seem to help unfortunately. I believe what I'm going to do is get a small managed switch and put it in front of the pfSense VM, I've seen a few people say that did the trick.

Thanks for the reply friend!