• Cannot access gateway admin panel on dual wan scenario

    5
    0 Votes
    5 Posts
    569 Views
    A
    I'm accessing DSL modems from LAN net (isn't it obvious from the configuration I present?). When I take down a WAN gateway by force, the other is accessible, but not when both are active. Disable firewall functionality on where? pfSense is the firewall and there isn't any rule limiting access from LAN to WAN; default allow rules are active.
  • default route no longer working

    3
    0 Votes
    3 Posts
    602 Views
    Derelict
    If you are not pulling routes then you have to policy route to the VPNs. I don't see anything there that does that.
  • pfSense and Microsoft NLB Virtual UP and MAC # 03:**.**

    2
    0 Votes
    2 Posts
    370 Views
    jimp
    If it's local, you might not see it on the firewall. If you are using MS NLB though, you might not have realized you need to set net.link.ether.inet.allow_multicast=1 in system tunables or the firewall may drop traffic to/from the addresses it uses. https://www.netgate.com/docs/pfsense/install/upgrading-older-versions-2.2.html#microsoft-load-balancing-open-mesh-traffic
  • Using DHCP option 121 as aide for inter-VLAN routing on switch

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz
    Sounds like you have some clean up for sure.. Or you're going to have all kinds of asymmetrical problems.. The core router is where the routes are decided upon, if you have other routers that go to other networks other than the internet.. Then they could all be connected to the same transit, or they could have their own transit networks, etc. How about you draw up this network and we can figure out the best way to do it.. But you shouldn't be routing on hosts... It's messy and overly problematic!!! If you have to do routing on your hosts for shit to work - then you're doing it wrong ;)
  • 0 Votes
    1 Posts
    193 Views
    No one has replied
  • multiple WAN, failover groups, reset states on failback

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • 2 sat modems on 2 wan, reach admin page

    4
    0 Votes
    4 Posts
    447 Views
    G
    Hello, sorry for my late response. I'm trying both DNS or IP access to the 2 modems, with same IP address but different WAN interfaces. Gianmarco
  • OpenVPN Routing & Socket Disconnects

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied
  • The default route gets lost after a reboot

    5
    0 Votes
    5 Posts
    980 Views
    A
    Unfortunately that didn't work in my case. Same errors, same behaviour. I don't use gateway groups though.
  • Routing between WAN and LAN, OPT1 Interface

    5
    0 Votes
    5 Posts
    891 Views
    Gertjan
    WAN as source (starting point), and you're going in. The firewall isn't just doing what it ought to do?
  • Can I change static route admin cost

    1
    0 Votes
    1 Posts
    169 Views
    No one has replied
  • Disabling MTU mismatch detection

    2
    0 Votes
    2 Posts
    275 Views
    L
    Hello there! May you pose more details regarding your issue? That way we can help you better.
  • WAN Failover Time to live exceeded

    2
    0 Votes
    2 Posts
    462 Views
    L
    Hello there! I'm sorry, but your words aren't as clear as they should be for getting help back on your issue. Thus, if you can make a diagram, that would be much better. Also, as far as I've grasped from your post, I would like to suggest switching the mode of failover from "packet lost" to "member goes down" and observing the issue. Let's see what you will get back. Good luck
  • Access remote subnet through IPSEC VTI ?

    8
    0 Votes
    8 Posts
    1k Views
    Y
    @yathus said in Access remote subnet through IPSEC VTI ?: Now I just need to understand where I can add rules if I want to limit access to this remote subnet. It's done too, I just have to add a rule in firewall and wait (or kill states...).
  • can't ping and traceroute between subnet

    6
    0 Votes
    6 Posts
    746 Views
    K
    @lecygne thanks for the insight chief
  • 0 Votes
    6 Posts
    671 Views
    S
    BTW, I have another pfSense instance that does not have a WAN interface at all. Guess I just skipped creating one during the initial install setup. So apparently, there is a way to skip its creation but no way to remove it once it has been created.
  • Dual remote access on the same network (from 2 WAN)

    6
    0 Votes
    6 Posts
    600 Views
    L
    Yes! It can be accessed if you configure your routes and related settings the proper way. Usually running pfsense with CARP, both of the boxes will be "identical" in the required configuration. Thus, regardless of which pfsense box you are using, both of them are identical.
  • Fast convergence time

    10
    0 Votes
    10 Posts
    1k Views
    L
    Yes that is what I've been suggesting since a while. To replace CARP between routers with OSPF! Static routes, of course, should be removed because OSPF will take care of exchanging routes between involved routers. Kindly before thinking that way about slowness of OSPF perform a test in your environment and observe for how well OSPF performs. Don't forget OSPF is being used in many huge enterprise networks all over the world!
  • RTT values for VPN gateways unrealistically low

    7
    0 Votes
    7 Posts
    1k Views
    B
    @chrcoluk I have discovered a work-around that seems to work. AirVPN assigns my pfSense firewall an IP address in the 10.0.0.0/8 CIDR based on the server pfSense is connected to. For example, I may get an address like 10.52.68.42. If I change the last digit to 1 (i.e., 10.52.68.1), and insert the resulting IP address into the Monitor IP field of the gateway settings, I get proper ping times. I believe the X.X.X.1 effectively specifies the internal address of AirVPN's respective gateway. Unfortunately, this work-around is not a complete solution to my problem. In my OpenVPN configuration, I actually have four AirVPN server connections active. A first pair corresponds to one physical location (e.g., New York, NY) and a second pair corresponds to another physical location (e.g., Newark, NJ). I choose the physical locations based on their corresponding servers' ping times, namely, the first pair has the lowest ping times and the second pair has the next lowest ping times. pfSense is configured to load balance the servers within each pair, and the higher latency pair serves as a failover to the lower latency pair. If I try to set the Monitor IP of each respective gateway to X.X.X.1, I get proper latency values for only one (and sometimes two) AirVPN servers. The others are listed as offline. So the work-around seems to function okay for one active server, but with more than one, pfSense seems to have issues.
  • Best Practice for Guest Network

    14
    0 Votes
    14 Posts
    2k Views
    NogBadTheBad
    You maybe could look at Interfaces -> Interface Groups "Interface Groups allow setting up rules for multiple interfaces without duplicating the rules. If members are removed from an interface group, the group rules are no longer applicable to that interface." https://www.netgate.com/docs/pfsense/interfaces/interface-groups.html You'd just need to add any new interface / vlan to the group or floating rule.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.