Never mind, I fix it forgot to give lan access to wan1 in outbound

https://docs.netgate.com/pfsense/en/latest/book/ have fun reading.

Done further checking as my VDSL line has an MTU of 1500 but the 4G only handles 1440.

Could it be the constant switch between the two that is tripping up the web browser?

@grimson Ok, I see it now. Lots of things makes sense, thank you.

First thing is make sure you not pulling routes from your vpn service.

Doesn't matter if the vlans are directly connected to pfsense or not, still just a simple policy route. Just set your firewall rules for your policies for your downstream vlans on your transit interface that connects to yoru downstream router.

BTW moved this to routing section, has zero to do with openvpn.. What your asking about is policy routing.

@rico This fix works for both IPv4 and IPv6. Thanks.

Came here to backup @candlerb. We're used to ECMP routing across two VTI tunnels on ASRs and such, but the ASA (due to the asymmetric path check) doesn't allow this.

This seems to be due to the ASA assigning an outbound VTI interface (E.g. VTI1) to the flow state table and mandating that return traffic also return on that external interface, when in realty BGP will load balance return flows to VTI2. It definitely presents a confusing issue at first.

Our way around this is to disable multi-pathing by decreasing outbound MED advertisements and increasing LOCAL_PREF for a designated 'primary' VTI interface.

Are you trying to setup a L2 site-to-site connection with your suggested VPS?

Hi

Actually VPC's DHCP server issued non-canonical interface address 10.162.0.10/32
with gateway 10.162.0.1 for network 10.162.0.0/20

I think the reason is that VM attached not to real (not to emulated) ethernet. and all communication should performed via GW

Routing table looks (look at vtnet1 routes):

Internet: Destination Gateway Flags Netif Expire default 10.200.0.1 UGS vtnet0 10.162.0.0/20 10.162.0.1 UGS vtnet1 10.162.0.1/32 42:01:0a:a2:00:0a US vtnet1 10.162.0.10 link#2 UHS lo0 10.162.0.10/32 link#2 U vtnet1 10.200.0.0/24 10.200.0.1 UGS vtnet0 10.200.0.1/32 42:01:0a:c8:00:0a US vtnet0 10.200.0.10 link#1 UHS lo0

On linux (another instance)

qq@vm-1:~$ ip r default via 10.162.0.1 dev ens4 proto dhcp metric 100 10.162.0.1 dev ens4 proto dhcp scope link metric 100 qq@vm-1:~$ ip n 10.162.0.1 dev ens4 lladdr 42:01:0a:a2:00:01 REACHABLE @vm-1:~$ ifconfig ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460 inet 10.162.15.221 netmask 255.255.255.255 broadcast 0.0.0.0 inet6 fe80::4001:aff:fea2:fdd prefixlen 64 scopeid 0x20<link> ether 42:01:0a:a2:0f:dd txqueuelen 1000 (Ethernet) RX packets 383 bytes 502096 (502.0 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 365 bytes 49133 (49.1 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

You need a WAN CARP VIP on each WAN and set Outbound NAT to use that.

What you have is an invalid HA configuration. Both WANs should be on both firewalls in a Multi-WAN configuration.

"No address record" means one of two things:

It can't reach the Internet, typically because there is no default gateway in the routing table. Check your gateway settings, make sure the default is set as expected, then save/apply. If you are using a gateway group as default, try it with a single WAN gateway. Look under Diagnostics > Routes and see if you have a default listed. Your DNS settings are not correct or it otherwise cannot reach upstream DNS servers.

I read a bit more about it and I think I must use vSphere Hypervisor. Thank you

Fun fact, if I start pimd without a proper configuration (only interfaces are correct), kill it and then start again igmpproxy, it works. Multicast routes are correctly received.
Does anyone know the reason of this behaviour ?

See down below for screenshots of router1.

So I have done some more testing and have narrowed it down. When using a PC on this router1's LAN, downloading is using WIFILink1 and uploading is using WIFILink2. So I changed the Firewall rules not to use the gateway group but to use only the WIFI2_GW on both routers.
Router1:0_1550870097055_07a1e25f-edcb-43bc-8c74-1b156950e876-image.png
Router2:0_1550870864772_71e4ffd4-949d-495b-9292-45bdee09f186-image.png
Some traffic is still using WIFILink1. I am not sure how. See traffic graphs on router1 after I disabled the WIFILink1 interface and then enabled in on router2 with the above rules to use WIFI2_GW and WIFI_GW_2:
0_1550870647694_3d806ef3-a5bc-458e-93ad-9c6940e2d28e-image.png

Maybe I am missing something in my settings or my understanding.

Router1 screenshots:

0_1550790411939_4b984daa-0422-4924-a48c-a5262e12a007-image.png

0_1550790446656_ec6ded53-07eb-4fcd-b0e7-be4665ed1796-image.png

0_1550790756147_b40b524e-5191-470d-a5bf-3d3e9540cda2-image.png

0_1550790794079_2db95bef-d01a-433f-aab2-98f9fd59a9ed-image.png