• OpenVPN Routing & Socket Disconnects

    0 Votes
    1 Posts
    288 Views
    No one has replied
  • The default route gets lost after a reboot

    0 Votes
    5 Posts
    896 Views
    A

    Unfortunately that didn't work in my case. Same errors, same behaviour. I don't use gateway groups though.

  • Routing between WAN and LAN, OPT1 Interface

    0 Votes
    5 Posts
    808 Views
    Gertjan

    WAN as source (starting point), and you're going in.
    The firewall isn't just doing what it ought to do?

  • Can I change static route admin cost

    0 Votes
    1 Posts
    166 Views
    No one has replied
  • Disabling MTU mismatch detection

    0 Votes
    2 Posts
    267 Views
    L

    Hello there! May you pose more details regarding your issue? That way we can help you better.

  • WAN Failover Time to live exceeded

    0 Votes
    2 Posts
    451 Views
    L

    Hello there! I'm sorry but your words aren't as clear as they should be for getting help back on your issue. Thus if you can make a diagram, it would be much better. Also as far as I've grasped from your post, I would like to suggest switching the mode of fail over from "packet lost" to "member goes down" and observe the issue. Let's see what you will get back.

    Good luck

  • Access remote subnet through IPSEC VTI ?

    0 Votes
    8 Posts
    1k Views
    Y

    @yathus said in Access remote subnet through IPSEC VTI ?:

    Now i just need to understand where i can add rules if i want to limit access to this remote subnet.

    it's done too, i just have to add a rule in firewall and wait (or kill states...).

  • can't ping and traceroute between subnet

    0 Votes
    6 Posts
    678 Views
    K

    @lecygne thanks for the insight chief

  • 0 Votes
    6 Posts
    593 Views
    S

    btw, i have another pfsense instance that does not have a WAN interface at all. guess i just skipped creating one during the initial install setup.

    so apparently, there is a way to skip its creation but no way to remove it once it has been created.

  • Dual remote access on the same network (from 2 WAN)

    0 Votes
    6 Posts
    559 Views
    L

    Yes! It can be accessed if you configure your routes and related settings the proper way. Usually running pfsense with CARP, both of the boxes will be "identical" in the required configuration. Thus, regardless of which pfsense box you are using, both of them are identical.

  • Fast convergence time

    0 Votes
    10 Posts
    1k Views
    L

    Yes that is what I've been suggesting since a while. To replace CARP between routers with OSPF! Static routes, of course, should be removed because OSPF will take care of exchanging routes between involved routers. Kindly before thinking that way about slowness of OSPF perform a test in your environment and observe for how well OSPF performs. Don't forget OSPF is being used in many huge enterprise networks all over the world!

  • RTT values for VPN gateways unrealistically low

    0 Votes
    7 Posts
    1k Views
    B

    @chrcoluk

    I have discovered a work-around that seems to work. AirVPN assigns my pfSense firewall an IP address in the 10.0.0.0/8 CIDR based on the server pfSense is connected to. For example, I may get an address like 10.52.68.42. If I change the last digit to 1 (i.e., 10.52.68.1), and insert the result IP address into the Monitor IP field of the gateway settings, I get proper ping times. I believe the X.X.X.1 effectively specifies the internal address of AirVPN's respective gateway.

    Unfortunately, this work-around is not a complete solution to my problem. In my OpenVPN configuration, I actually have four AirVPN server connections active. A first pair corresponds to one physical location (e.g., New York, NY) and a second pair corresponds to another physical location (e.g., Newark, NJ). I choose the physical locations based on their corresponding servers' ping times, namely, the first pair has the lowest ping times and the second pair has the next lowest ping times. pfSense is configured to load balance the servers within each pair, and the higher latency pair serves as a failover to the lower latency pair.

    If I try to set the Monitor IP of each respective gateway to X.X.X.1, I get proper latency values for only one (and sometimes two) AirVPN servers. The others are listed as offline. So the work-around seems to function okay for one active server, but with more than one, pfSense seems to have issues.

  • Best Practice for Guest Network

    0 Votes
    14 Posts
    2k Views
    NogBadTheBad

    You maybe could look at Interfaces -> Interface Groups

    "Interface Groups allow setting up rules for multiple interfaces without duplicating the rules.
    If members are removed from an interface group, the group rules are no longer applicable to that interface."

    https://www.netgate.com/docs/pfsense/interfaces/interface-groups.html

    You'd just need to add any new interface / vlan to the group or floating rule.

  • pfSense with ESXi 6.5

    0 Votes
    4 Posts
    499 Views
    Grimson

    @twrigglesworth said in pfSense with ESXi 6.5:

    Thank you =) this is all new to me so sorry if it's a little silly asking things like this.

    Then read the whole pfSense book.

  • Want to Set up A new VLAN where None Exist...questions

    0 Votes
    2 Posts
    286 Views
    F

    Kinda depends on how smart your AP is. If it is capable enough to have one SSID tagged on the wired side and another untagged, then you are good to go. I.E. "original SSID" would stay untagged (no VLAN field inserted), and the "new SSID" would be set to get tagged w/ VLAN 50.

    PFSENSE will handle things just fine from there.

  • Route netflix outside VPN on pfsense 2.4.4

    0 Votes
    2 Posts
    381 Views
    M

    I got that to work by using a PAC file.
    I have enabled SQUID in my pfsense.

    So, basically, when my browser calls for netflix, the PAC file sends it to the proxy, thus using my WAN IP, which is default gateway of Pfsense.

    Everything else goes direct, through the VPN.

    I had to make a policy rule, without enabling any of advanced options, so my PC can speak with the proxy on port 3128.

    After that, I've made another policy rule, setting in the advanced options, source MY LAN, destination ANY, gateway VPN gateway.

    So, by doing like this, I could route based on the domain name.

  • Sonos IGMP proxy

    0 Votes
    8 Posts
    3k Views
    Qinn

    @vacquah ...Back I got it working take a look at https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s

    good luck and cheers,

    Qinn

  • Second (private) IP on WAN for modem management

    0 Votes
    4 Posts
    358 Views
    Rico

    Glad you have it working. ☺

    -Rico

  • Same gateway IP on multiple WAN interfaces?

    0 Votes
    10 Posts
    1k Views
    johnpoz

    Yeah get an ISP that allows you to actually route a cidr block of IPs to you if you want to use them like you're using so you can actually put them behind pfsense vs being wan IPs..

    Then you would have actual transit networks for your different ISP connections...

    Option 2
    Put your services in actual DC that will assign you IP block vs doing what amounts to a home user hack trying to run services off dynamic IPs..

    Why are you dealing with dynamic IPs? Just don't get it - get a block of addresses and route it to you so you can do this correctly..

  • fixing wan ip for particular user in pfsense load balance

    0 Votes
    6 Posts
    850 Views
    N

    @kartoff If you also exclude http traffic from load balancing, then there isn't much to load balance.
    https has issues with the tls mechanism and ip's changing.
    http is much more forgiving.
    Enable sticky connections, put 1800 (sec) as timeout and you should be ok

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.