Just to be clear, you just want your mobile IPsec clients to be able to communicate with an endpoint device across an OpenVPN tunnel?  Or is there more to it then that?

is it possible to change default gateway from command shell ?

the problem is:
i have two different internet connections and i have to use Squid proxy.
When i activate squid, it uses only default gateway.

and i have to change active internet connection to other gateway at 7pm

if there is an option to change default gw from command shell, i just add the command to cron and l'll solve the problem.

Post a network map.  Are you using a L2 switch trunked to PFsenseLAN or separate dumb switches?

What does your log look like?  Are you seeing blocks?  If so, on what interfaces?

The first thing I would do is add an any/any rule to every interface.  Second, disable the software firewall on your test endpoint devices until basic IP connectivity is established.

At this point, you should have a route to all subnets (check your routing table) and an any/any rule on all your interfaces…. so you "should" be able to ping anything from anywhere.  If not, you would just need to start in with a troubleshooting progression.... e.g.... Verify connections.  Verify IP's and subnet masks.  Verify your DHCP server is handing out the correct default gateway.  Can the PC's ping the default gateway?

Then, depending on your topology and equipment used... are the correct VLAN's tagged/untagged on the correct ports?  If you're using cisco gear and have an "allowed" statement configured... are the correct VLAN's allowed across the trunk?  Did you configure a custom native VLAN?

Not that this is contributing to your main issue, but it appears you are using a mixture of tagged and untagged traffic on your network...  but what many do... is leave the LAN interface (parent interface) unconfigured and use all VLAN's.  Worth a shot if nothing else works.... but there are many questions that need answers first.

thank for your reply sir…

my vlan200 is a new interface

this is my lan rule
IPv4*  lan.net  *  room3.net  *  *  none

this is my vla200 rule
IPv4*  vlan200.net  *  lan.net  *  *  none

Post a network map, so we can get a better visual of your topology.

If you're adding a 2nd WAN interface, it shouldn't be conflicting with any LAN interfaces…. unless you're using public IP's on your LAN (which you shouldn't be) and they truly do conflict.... do they?

Also, be sure to add an upstream gateway on the 2nd WAN interface or PFsense will consider it a LAN interface.

Sure, you can do "policy routing" meaning create Aliases with internal IPs of hosts and use LAN > WAN rules to route them through the gateways you like. Make sure those LAN rules to be above the main LAN > WAN rule.

Best regards

Kostas

It is possible as a stand-alone proxy, though not ideal. It can't act as a gateway, so whatever the actual gateway on the network is, it would have to forward traffic to the proxy. That or you'd have to add the proxy settings to user's PCs/Browsers/Devices directly and maybe setup WPAD.

Same as any other stand-alone proxy. Basically you'd only be using it as a GUI for squid at that point.

As long as pfSense sees the modem and can use it like a WAN, it should work fine. Same as any other Multi-WAN setup. You will probably want to disable gateway monitoring on the 4G modem so it doesn't consume bandwidth for the monitoring traffic.

@walkerx:

cheers

i have my current lan on 1.1 with gateway .254 and my ipv6 is set to tracked interface via wan.

I was looking at getting a zyxel ap at later date, currently i'm using a mixture of tplink, bthh and sky router for ap's

so as test if setup the following

vlan1 is default - 1.1
vlan2 is wifi  - 2.1
vlan3 is pcs - 3.1
vlan4 is servers - 4.1
vlan5 is guest - 5.1

configure these on the switches and then add them in pfsense

must i reboot between each add on pfsense as have seen this on thread/youtube video that you need to reboot pfsense when configuring each vlan I didn't need to reboot my router

must i then do anything else on pf so vlan3 can talk to vlan4 and internet, vlan5 can only talk to internet or will the vlan configuration on the switches sort this bit out Add pass/deny firewall rules on each pfSense interface as required

also you mention an edge switch? I assume you mean pfsense? Nope I mean switch 2 3 & 4

ie my network is as follows

VDSL modem (HG612) -> pfsense (WAN using PPPoE and DHCP login) -> switch 1 (lan) which then connects to the other switches and access points

pfsense only has 2 nics and configured wan and lan interfaces The parent interface for the vlans will be the lan interface

Change the routers (at least one of them) LAN address/network.

You can use 192.168.1.x to the one and 192.168.2.x to the other one.

Your pfsense LAN address/network must be in another range as well.

So:
pfsense: 192.168.0.x/24
Router 1: 192.168.1.x/24
Router 2: 192.168.2.x/24

Best regards

Kostas

In case it helps others:
I solved this by adding a new firewall rule on pfsense 1 LAN1 with state sloppy.

I would suspect some kind of configuration problem.
The network performance between to systems on the same server is basically limited only by the memory-bandwith
therefore 5 Gbit seems poor.
Which version of iperf are you using?

Have a look at https://www.bsdcan.org/2016/schedule/events/681.en.html

Be aware that it is not advisable to activate tso and lro on a routing device.

Is it possible to do the folllowing things:

PIN CPUs  (as HT-CPUs will harm the performance) Increase RX and TX-Ques ?

This type of rules I've used to route traffic via MultiWan because this is default behavior for this subnet.

Now I added 2 virtual IP: 192.168.10.1/24 and 192.168.11.1
Firewall rules are set to route via specific WAN according to source network and this i working fine.

Thanks for an idea.

Just wanted to add that I also am having this issue; if I set the DHCP Option set to my Domain Controller, pfSense will try to route via the WAN mac address. (In my case I only have 1 WAN)
If there's anyway to avoid this, please let me know. For now I'll disable the DHCP Option Set and set each client's DNS manually.

Hi viragomann,

thank your very much for your hint.

Adding a route to this router is not possible.

I have added a SNAT rule and now everything works like a charm.

Cu
Thomas