@heliop100 I think you have to give permission - route - to the LAN segment to go out each of the gateways. This is done under firewall, NAT, Outbound. Usually it is recommended before adding rules to select manual then save. Then start adding rules for routing. [image: 1714666796595-untitled.jpg]

@viragomann said in HA, gateway groups and firewall's default route.: Is it this, why you were looking for localhost? Not OpenVPN, but the outbound connections from the firewall itself. In the documentation, localhost should be 'NATted' to interface IP address, which is OK, this part is clear to me. What wasn't clear to me is if I should have created a new gateway group, using Interface address, to use as the default route of the firewall. However, since it doesn't translate anything and everything is working, including IPsec, I'll leave as it is right now, everything using the same gateway group, that has the CARP IP there. Note that without those CARP IPs in the gateway group, IPsec tunnels won't go up.

Gut, denn das sollte einfach so funktionieren, wenn die IP der Fritz im Netz liegt was durch den VPN Tunnel geroutet wird. Also Route in die Fritz mit Ziel pfSense für das gleiche netzt und auf geht es.

@Dobby_ Yes, this is how we are setup. There is not a static IP address, but the cable modem assigns an address to the WAN port on the pfsense router through DHCP. This has been stable for several years before it suddenly stopped working and showed an IP address of 0.0.0.0. Since MAC spoofing solves it, I think the cable modem or ISP is somehow locking the old MAC address and excluding it.

@madbrain I rebooted one more time, and the problem went away - Verizon gateway no longer showed. Very strange. It's an intermittent problem. I decided to remove the USB Realtek 8156B NIC, and replace it with a PCI-E Intel I-225V (B3) that I bought at Central Computers earlier today. This necessitated shutting down the machine to insert the PCI-E card. During the next boot, this is what the interface assignment screen looked like (MAC adresses omitted) : [image: 1714104594603-58150e9e-53b2-46dd-81e9-09f2c62e0d3d-image-resized.png] As you can see, both the Comcast and Verizon interfaces are assigned to the same ix0 network port. Previously, Verizon was assigned to the ue0 network port for the RTL8156B. That port no longer exists since the USB NIC was unplugged. It is a bit disconcerting to see two interfaces on the same NIC, to say the list. Not sure what the right behavior should be, though. Maybe have the interface be unbound (no network port) ? So far, I am not seeing the same issue with all 4 Ethernet ports using Intel NICs (motherboard 1 Gbe, X550-T2 2 x 10 GBe, I225-V (B3) 2.5 Gbe), but it's only been a few minutes.

@viragomann perfect - thank you for the response

@ssppcc You just need to add a static route for the docker subnet. So in System > Routing > Gateway add a new gateway within the server network with the IP 10.0.200.8. Then go to the Static routes tab and and a new static route for 10.31.0.0/16 and state the gateway you've created before.

@Gblenn I teach daily, days and nights so my occurrences are likely more visible. Typically, it fails over to Tier 2 and often is unnoticable. (I find out later looking at logs.) However, on this latest instance, the Tier 1 was flapping and zoom reported my connection was unstable. Students reported poor audio and video. It was only resolved by changing the backup to Tier 1 and restarting zoom. Later that night my main connection stabilized. so naturally I'm thinking it is trying to switch back as soon as Tier 1 is available. I will test to verify.

@viragomann I’ll work on that and some spare time Another quick question from another Bundoo machine and two other windows machines I’m not able to get a SSL connection to the Qnap machine even though I imported the CA certificate into the browsers this goes for chrome and Firefox getting a machine reboot cleared cookies and data from browsers. Any suggestions on this one? Thank you,

@viragomann I figured it out in the end. The guide I followed to setup the site to site wireguard tunnel specified not setting the upstream gateways on the tunnels and using static routes to avoid double nat. It also stops reply-to working correctly.

@SteveITS Indeed that was the issue! You're a legend mate, I've been struggling with this for almost a week now, whats even worse is that I scoured the docs and still somehow managed to miss the bit you highlighted for me ‍️

@viragomann Super - and thanks for the patience anf final explanations

@Troniclab sorry, correction: both subnets are /24 ;-)

@SteveITS no they are internal networks. i want to redirect all traffic from one client to use another route. this used to work in previous days.

@madbrain Firewall > NAT > port forwarding You have to add these rule manually.