• Weird routing issue

    0 Votes, 15 Posts, 1k Views
    DerelictD
    It's not simple. It's asymmetric. It breaks TCP through stateful firewalls as you have found out. I can't make anything out of that "diagram". I'll need more detail. Like interface addresses, subnets, etc.
  • Leased Line - Wires Only - Routing

    0 Votes, 4 Posts, 981 Views
    JeGrJ
    Easy.
    Set up VLAN 4094 on the interface you'll plug in WAN. Switch/configure WAN to <physical interface>:4094 and configure a static IP as per your connection details.
    Set up LAN as per your LAN details, with pfSense getting .17.
    Enter NAT settings, go to the Outbound tab, switch to manual mode and remove all NAT entries besides the 127.0.0.x ones, so you have NO NAT rules besides the localhost ones.
    Enter Firewall rules: create a WAN rule "block from any to firewall address port any" so no access to your firewall from the outside internet is possible; create a WAN "pass any to LAN net" rule to allow anything else; check LAN that "pass any to any" (default) is still there.
    If you want to manage pfSense via a special third interface, you should use that as "lan" and set up the third interface as "DMZ" or "SRV" and create a "block firewall address" and "pass anything else" rule there.
    -> Now you have no NATting from LAN to WAN and pass traffic from WAN->LAN and LAN->WAN without blocking anything. So you're routing only. I'd advise going the extra mile and adding a third interface, using a dedicated interface to manage your pfSense so as not to allow traffic to the webUI from WAN or your "server network".
  • No internet access via pfsense from a subnet behind a routing server

    0 Votes, 6 Posts, 642 Views
    A
    SOLVED. The following LAN rule solved the problem:
    States: 66/4.92 MiB | Protocol: IPv4* | Source: 10.10.122.0/24 | Port: * | Destination: * | Port: * | Gateway: * | Queue: none | Schedule: (blank) | Description: (blank)
    Thanks to viragoman!!!
  • pfSense + 2 Layer switch config multi-wan same gateway

    0 Votes, 4 Posts, 332 Views
    N
    @roniskitea Please also describe the situation. What are the antennas?
  • Dual WAN: choosing the default GW?

    0 Votes, 2 Posts, 193 Views
    RicoR
    Check https://www.netgate.com/resources/videos/pfsense-244-short-topics.html (32:25). -Rico
  • adding static routes for a network so it can see the internet

    Locked
    0 Votes, 6 Posts, 3k Views
    DerelictD
    Locking.
  • static route ...... impossibly lacks ifp

    0 Votes, 2 Posts, 265 Views
    R
    I rebooted the clients on the remote computers and reinitiated the connections, and I am able to reach them after the OpenVPN connections were established. So I did not do much really. Meanwhile the error "static route 192.168.101.1 (mask 0xffffffff) --> 192.168.101.1 impossibly lacks ifp" is still present in Status / System Logs / System / Routing. I guess it has nothing to do with the problem I faced. It's just noise.
  • Two VM pfsense instances, one firewall and the other just for Squid

    0 Votes, 1 Post, 148 Views
    No one has replied
  • How to disable gateway failover

    0 Votes, 3 Posts, 615 Views
    C
    Perfect! Thanks, I didn't think of browsing the system advanced settings. That's what I needed!
  • pfsense WAN modem 3G

    0 Votes, 1 Post, 281 Views
    No one has replied
  • Can't seem to get Squid working on a Multiwan pfsense instance

    0 Votes, 1 Post, 95 Views
    No one has replied
  • PFSENSE 2.4 and Cisco 3560 Multiple VLANs Routing

    Tags: routing, cisco, vlan, nat
    0 Votes, 1 Post, 526 Views
    No one has replied
  • WAN Gateway Group balancing more than expected

    0 Votes, 2 Posts, 291 Views
    J
    Hi talaverde, I am new at this, so please take whatever I say with a grain of salt or two, but you may want to examine the settings used to determine "Member down". The testing is usually based on a monitored IP. It is quite possible that transient instability is causing the rule to trigger your tier2 connection. Below are my settings from System -> Routing -> Gateways -> Edit.
    [image]
    If you are seeing more hits on your tier2 connection, you may need to adjust these values to account for any transient events that are triggering member-down.
  • Packets sent to downstream router gets blocked by the main one

    0 Votes, 1 Post, 147 Views
    No one has replied
  • default gateway switch from VPN to WAN after reboot

    0 Votes, 1 Post, 175 Views
    No one has replied
  • Redirect youtube traffic to second wan

    0 Votes, 8 Posts, 1k Views
    A
    @jonnetg I'm doing the same; it's just better to limit all traffic, as most websites don't need that much bandwidth. It's almost impossible to create an alias for YouTube. I managed to do it, but sooner or later the IPs will change.
  • IPSec VPN from Azure to Oracle Cloud Using PfSense on Azure

    0 Votes, 4 Posts, 622 Views
    JeGrJ
    No problems. A pity that the Oracle side is such a downgrade in security... SHA1 and anything smaller than 3k in PFS Key Groups should be shamed in 2019. And we haven't even talked about supporting AES-GCM yet... Anyway, nice you got it working with that. Cheers, Jens
  • Rancher node ipsec behind pfsense

    0 Votes, 1 Post, 287 Views
    No one has replied
  • Vlan on non pfsense ports

    0 Votes, 7 Posts, 565 Views
    P
    Thank you very much. Very informative.
  • Firewall blocking outbound egress rules

    0 Votes, 6 Posts, 480 Views
    johnpozJ
    Like I said, not going to hurt anything... But the amount of places that actually have those ports open at the ISP level is not very much.. More an exercise in how to do it than actual security.. Here is from one of my VPS boxes out on the net:
    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:54 CDT
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.015s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 1022 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
    Here is from my home connection:
    Starting Nmap 7.01 ( https://nmap.org ) at 2019-06-02 09:48 CDT
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.062s latency).
    Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
    Not shown: 1012 closed ports
    PORT    STATE    SERVICE
    22/tcp  open     ssh
    25/tcp  filtered smtp
    55/tcp  filtered isi-gl
    67/tcp  filtered dhcps
    77/tcp  filtered priv-rje
    80/tcp  open     http
    135/tcp filtered msrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    496/tcp filtered pim-rp-disc
    Nmap done: 1 IP address (1 host up) scanned in 322.31 seconds
    As you see, 25 is blocked by the ISP as well.. On home connections that is almost always blocked as well.. But if you're on some sort of fiber...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.