Ok Problem solved.

Issue can be closed

@johnpoz said in Static Route - Gateway - Firewall Rules - Question:

How is it someone with what seems like zero understanding of routing wants to do routing on their switch for a HUGE freaking /16, which would seem to indicate a lot of downstream networks if using a /16 as the route..

This is the configuration on the 172.30.0.0/16 that is required for the AV equipment (which i agree that the /16 is a ridiculous amount of IPs to have available)
https://support.justaddpower.com/kb/article/349-vlan-switching-protocol/

If devices on your 192.168.50 network and your 172.30/16 network talk to each other you could run into problems.

There is a controller on the 192.168.50.X network that does talk to a software that communicates to AV devices that are within the 172.30.0.0/16 There is communication but experiencing some packet loss when monitoring the Gateways which only the WAN and this 192.168.50.250 Gateway Exist

Thank you @viragomann.
All ISP routers are on the same /24 VLAN.
Now I can:

Use two distinct WAN interfaces. In this case, can I use the same /24 subnet and split both outbound and inbound traffic? If I use only one WAN interface will I have to create two VLANs? Say (192.168.50.x and 192.168.60.x) In one I put Router A and Router B in the other Router C. In this case, if I only have layer2 switches, can I use pFsense for routing?

Any suggestion for NAT in the best case?

@JonathanLee
There is no traffick shaping configured.
I partially solved it with some changes to the DNS Resolver.
Everything seemed resolved, but this morning the problem recurred.

I can't understand if it's due to the two ISPs which are different, but share part of the same line, or if there is someone who goes to touch something in the rack where the firewall is located (and then obviously doesn't say they didn't do it) .
I'm closing this ticket, but opening another to configure alerts.

Thank you for your support.

@viragomann Problem resolved.

OBS: Não sei se essa informação é relevante ou não, mas já configurei e habilitei o HTTPS no pfSense com certificado de autoridade e tudo mais... e marquei as opções "DNS Rebind Check" e "Browser HTTP_REFERER enforcement" em System > Advanced (vi em alguns fóruns que precisava fazer isso)

@johnpoz Yes, I am trying to access the front through the public IP since it is a computer that is located elsewhere

Hi all!

In the end, I was able to solve my problem.

To fix this, I mean, it was just another try, but fixed it: I removed all the VLANs and kept my WAN set up as PPPoE. I also stopped spoofing my MAC ADDRESS. And configure rules on my firewall that allow for communication between LAN and OPT1.

Initially, I believed I had overcomplicated things by following many different sources on the internet, but now everything is working perfectly. I have three interfaces (WAN, LAN, and OPT1) with DHCP enabled, and some firewall rules. Simple like that!

Thank you all for your help!

@johnpoz @viragomann one thing I've noticed, the firewalls I'm testing with are in a HA pair. If I reboot them, the CARP kicks in but it appears the states are lost/having issues failing over as they appear to drop on reboot... ? Latest reboot, one of the 2 networks stayed up pinging, but the other timed out and not come back. It will come back however if I manually terminate the state...

@scilek 2 pings a second.. That seems pretty freaking insane to me - but sure its possible, and the only thing that comes to mind that pfsense send on its own that is repetitive and constant.

There really should be pretty much zero broadcast or multicast coming off of pfsense.

From a remote OpenVPN client I can access web servers running on the host on the OpenVPN server LAN only by LAN IPv4 address, not host name or IPv6. I can't ping the windows host by IPv4 or IPv6 nor by hostname despite pushing routes in the OpenVPN advanced configuration. It almost seems as though the client isn't using pfSense as the DNS server, which is running DNS resolver. Is a route available between VPN and LAN subnets, as I can access hosts on the pfSense LAN by IPv4 address? Why not IPv6 or hostname? Does it matter I put fd45::0/64 in the IPv6 tunnel network, what should I put there?

Here are some of the OpenVPN server settings:

openvpn tunnel settings.png
openvpn advanced client.PNG
openvpn advanced config.png

Here is a windows 10 host on the LAN that I can access it's web servers:

Windows IP Configuration Host Name . . . . . . . . . . . . : media-server-pc Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : mypublicdomain.com Ethernet adapter Ethernet 2: Connection-specific DNS Suffix . : mypublicdomain.com Description . . . . . . . . . . . : Mellanox ConnectX-3 Ethernet Adapter Physical Address. . . . . . . . . : EC-0D-9A-2C-14-70 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2601:xxxx:xxxx:3800:f749:b327:f336:3572(Preferred) IPv6 Address. . . . . . . . . . . : fd38:xxxx:xxxx:1:367c:dfef:fcbc:5eeb(Preferred) Link-local IPv6 Address . . . . . : fe80::a0e7:5877:e5e8:4035%4(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Thursday, December 21, 2023 4:05:15 PM Lease Expires . . . . . . . . . . : Monday, January 1, 2024 6:38:52 PM Default Gateway . . . . . . . . . : fe80::225:90ff:febb:bf0c%4 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.1.1 DHCPv6 IAID . . . . . . . . . . . : 552340890 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-19-13-C7-40-8D-5C-B6-47-55 DNS Servers . . . . . . . . . . . : 192.168.1.1 2601:xxxx:xxxx:3800:225:90ff:febb:bf0c NetBIOS over Tcpip. . . . . . . . : Enabled Connection-specific DNS Suffix Search List : mypublicdomain.com

Here is the Windows 10 OpenVPN client ipconfig:

Windows IP Configuration Host Name . . . . . . . . . . . . : oo-reg01-lt Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Unknown adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect Physical Address. . . . . . . . . : 00-FF-82-8B-3D-A8 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2601:xxxx:xxxx:3800::1000(Preferred) Link-local IPv6 Address . . . . . : fe80::567c:53a3:83c7:7d99%14(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.2.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : DHCPv6 IAID . . . . . . . . . . . : 687931266 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-F3-39-C1-B4-A9-FC-EF-76-C2 DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1 NetBIOS over Tcpip. . . . . . . . : Enabled

I notice the VPN client ipconfig doesn't say it is on mypublicdomain.com, is that a problem? Where have I gone wrong in connecting the VPN client to the OpenVPN LAN?

@FCS001FCS said in Routing Log is Empty:

@viragomann said in Routing Log is Empty:

@FCS001FCS
pfSense docs > Routing Logs

Thanks, yes, I found that already but honestly did not understand what was supposed to show up in the logs from that short explanation page.

All these are features that are not enabled by default on pfSense. Some are actually packages, which would have to be installed.
So I think, if you use it you would be aware of it.

hi @greenlight

I tried setting 'Default gateway IPv4' from 'Automatic' to 'None' and it seemed to fix the issue. I will observe more and update this post if it does not really fix the issue. Thank you I got the idea from your question earlier.

@KingTChoka said in Not receiving WAN IP when connecting to my SHAW modem in bridge mode, thus not able to connect to internet:

"Without more info" - What more info could I provide?

"Does the modem have multiple ports?" - Yup, it has 4, and I've tried plugging the ethernet cable in 2/4, but I guess I can try the other 2.

"Did you try to plug a pc directly into the modem when bridged? Does it get an IP?" - Haven't tried that yet but I will soon. Am I suppose to expect an IP? Why would a PC plugged directly into a bridged modem expect an IP?

Is this cable internet, fiber, other?
What model is the modem?
As said already, DHCP, PPPoE, other?

If cable, you'll have to reboot the modem after changing the directly connected device as they 'record' the mac of that directly connected device.

Usually if bridged, they may only work on port 1.
Alternatively, when bridging, they sometimes need to to enter the MAC of the device you want to receive the IP. Was there a field asking for that when you put it in bridge mode?

Why wouldn't a PC connected get an IP? Whatever you connect to the modem, when bridged, will get the public IP.

@kiokoman said in Do I need a static router for my network?:

ndeed you need a static route to the wireless router

No not really, but if was going to create routes to the network behind the router, he would need to do it on all the hosts on his lan network

Or he is going to run into asymmetrical traffic..

I really don't see the point of letting that old access point do any nat.. Just use it as an AP and put it on another segment on your pfsense be it physical or vlan..

Running some downstream nat router is just going to be problematic.. And there is no rules you could do on pfsense to stop these clients connected to that wifi router from talking to anything on pfsense lan.. That would have to be done on that router, and guest normally stop wifi from talking to the wifi lan, but not its wan, etc..

You be much better off just doing it correctly via another segment on pfsense and using it as just an AP.. Or if your not actually worried about communication between lan and your wifi, then just use it as AP and put on the same pfsense lan network.