@sminded said in Using WAN port to access a LAN: I want to access two separate LAN:s from a single point, so the idea was to use a netgate router with pfsense, configure two WAN ports, and connect the LAN:s to the WAN ports, and my laptop to the LAN port. But I'm not able to access the LAN:s from my laptop, what am I missing? Do I need to setup a static route on my laptop as well? You need to explain this in better detail. From the sound of it, the two LANs are in the same building and you're connecting them each to a WAN port on the same pfSense (with 2 WAN ports configured), then connecting your laptop to the LAN port of that same pfSense. Is that what you're doing?? If so, just use 2 LAN ports instead.

@TravisH The rule is not applied, however. So either it doesn't match or more probably another rule has precedence. Possibly a rule on the interface tab. If you want give priority to floating rule over interface rules you have to check the Quick option.

@darkcorner So my first solution of setting up a separate LAN segment at each office just for this device would be viable. So finally, the device moves to the remote sites, but it is accessed from an app at the central office; do I finally have it right?

@pfsense-dc , Is the Round robin method built into the rule? Because I couldn’t find documentation related to it. Thanks

@ErniePantuso Did you just post the same thing 3 times? Maybe you should start over. Say you have a 24 port switch, but you're only using 5 ports. Then you need to add a new network which needs another 5 ports. Do you go buy a new switch? No, you use vlans. Vlans make one physical switch into 2 or more logical switches. A vlan creates a new broadcast domain so they are completely separate networks. So you can take that 24 port switch and make it 2 - 6 port switches to handle both of the networks in the example. And still have 12 ports to spare. Make Sense?

@ErniePantuso Can the switch do vlans? If so, just create a clan on the switch with just those 2 ports using it.

@Melim pfSense does not support any virtualization within its software (VRF or MultiSys) That said, what are you trying to achieve here? Do you Internet links need to be placed in a VRF? That VRF shared with multiple other VRFs? Can the endpoints use pfSense as the gateway? You havent really outlined what the goal here is and why a VRF is required. Where does VXLAN fit in this? A firewall typically wouldnt be involved in routing vxlan packets across the datacenter. So depending on the technology, VRF and VXLAN go together. Where does a firewall fit in with Internet access i have no idea

@mgavrila said in IPSec & OSPF, ping YES, TCP No. OpenVPN & OSPF work as expected.: @cmcquistion_ This is an expected behavior. Take a look here https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy Thank you! This is the clue that I needed. I wasn't completely sure how to create the "Rules with Floating Policy Se" referenced on that link, so I instead I just changed my IPSec rule that was already in place for that interface (allow all) and changed the State Policy from Default to "Floating States" Once I did that and did a Filter Reload, all my traffic is working as expected! This is good to know. I have a lot of client firewalls that use IPSec and OSPF that are going to stop working when I upgrade their pfSense version unless I implement this change.

@Zotan said in Disable WAN port detection: package system has detected an IP change or dynamic WAN reconnection - 192.168.90.129 -> 192.168.90.129 - Restarting packages. system has detected an IP change ... as often as every 2 seconds. And you don't like that ? That's an understatement. But if some one is hammering on your head, don't try to remove your head. Remove the hammer. First, do the usual tests : hardware : Check / change WAN cable. Put a switch between the WAN port the the device at the other side. Swap WAN and LAN interfaces. if its now the LAN, ditch the NIC. Software side : Reset pfSense to default - no, better, re install and do not import your config back in. Problem solved ? Go have a talk with the admin, as he introduced the issue with one of his 'settings'/'config changes' ^^ More tests are possible, but I don't know how/what you use on your pfSense. edit : and as I needed 25 minutes to type all this (I'm also supposed to actual 'work') I just see your second post. You've talked to the admin

@madbrain Well, with no attic or any other type of crawl space, I suppose you don't have many options. I guess one could dig a "trench" close to the wall to hide a cable that goes around the house, unless there are concrete patios or similar, blocking that option... Another possibility would be to use the gutters to hide cables behind them... Perhaps vent drain is not the correct translation, but what I meant was the vent for your plumbing. When flushing for example, air needs to come in from somewhere. But with no attic, that is a moot point anyway...

@erdeed I'm not entirely sure I'm understanding exactly your thoughts here, but perhaps it's something like this: You want to have clients using VPN to come in via pfsense and then be directed out on the internet again on each IP depending on which client it is. So their "public IP" is now one of your IP's from the block, not their own? Sort of what you get when subscribing to NordVPN etc. So you have one physical interface with a block IP's from your ISP with N IP's available. The key here would be that you also need matching interfaces in pfsense. If you have enough physical ports on your pfsense machine, you could simply put a switch in front of pfsense and connect ISP-cable to port 1 and the other ports 2-N to your WAN ports on pfsense. Each interface will have a unique MAC and therefore get assigned individual IP's from your ISP. If you only have one WAN port on pfsense, you need to use VLAN instead. So using a managed switch you can create a matching number of VLAN's, and using only two ports on the switch where you basically allow the switch to TRUNK all VLAN's towards pfsense. Switch port 1 to pfsense (VLAN Trunk ID 1, 10, 11, 12, 13, 14 etc) So fiber to switch port 2 (fiber/cable in) (set it to VLAN TRUNK untagged I suppose??) In pfsense you create VLAN's and assign them all to the one WAN interface, and make sure again that they each have a individual MAC addresses. Then you should be getting one IP per virtual WAN interface... Whether you set up your VPN server in pfsense or have it running on a server on your LAN probably doesn't matter. It's perhaps more a matter of compute resources... But in pfsense you need to define policy routing rules to make sure each individual VPN-tunnel-IP is routed out the desired interface. I might have missed something here but I think that should cover it...

@michmoor After extra round with the ISP, they just now admitted now they forgot to inform me of maintance! So it was my ISP! "who’s MAC address changed and how do you know?" The log I posted above, you see the ISP's box changed from one mac-address to another. I assume the log line below shows the mac address of the connected device on my WAN-port (igb0). Since their box is directly connected to this port, it can't be anything else than them. May 13 00:24:06 kernel arp: ISP_BOX moved from d0:d0:4b:66:6c:75 to 30:fd:65:89:4a:1a on igb0

@ThM hey there, just a sidenote: your (static) IP for pfsense (192.168.100.5) is right in your dynamic dhcp pool (.1 - .254)... You might want to change that, so that your DHCP Pool is not overlapping with IP reservations or static IP settings...