@rikazkhan Your message was just a quote. Did you mean to add something ?

@manjotsc glad you got it sorted, and thanks for explaining what the actual problem was - this for sure helps the next guy!

@klubar well I would just delete the other route as well to see if they come back. The only thing that I recall where routes like that would be set is if had set dns per interface. With the gateway, see my dropdown that says none above.. And I thought that if you allowed dns to be overriden by dhcp it could add a route there too Maybe one of those things is where they got added, but never got deleted.. I would just delete the other route, and make sure next time you reboot that they don't come back. Are they using dns to resolve what they should ping to see if hey have internet? Not a fan of company XYZ using some other service to check if your device you sell has an internet connection.. And you sure and the heck shouldn't hard code IPs.. If you want to check if your device you sell to people can get to the internet it should use what ever dns was provided to your device by either dhcp or set on it and look up some fqdn that you the company controls.. If you then want it to ping that IP, it should be pinging your resource not some other companies IP.. NTP is in line with this as well - if you making a device that will want/use ntp.. And you want to point it to the ntp pool, then get with ntp org and get your own vendor fqdn.. And if your just going to point to ntp in general, don't for F sake point to your country code..When the device is going to be used in different country.. I had one of those smart wifi plug things, still do actually just use it when put out the xmas lights. But clearly the thing is not going to be used in the UK.. We use different power plugs, so there is no freaking way I bought this in the uk and just using it in the us.. But it wants to check its time with the uk.ntp pool.. So I created a host override for what is was looking for.. [image: 1714671290374-ntp.jpg] Just pure laziness if you ask me, or they are hiring the cheapest developers they can hire? Or they have some developer and said hey make this work by tmrw we need to start shipping them out next week.. And failed to even give him any parameters or where it might be used.. Hey have it check ntp time while your at it ;) My other pet peeve is these iot devices that have zero dns cache.. Ok we know you want to talk to fqdn xyz.. But do you really need to ask dns every 2 seconds for it, when you were just given the answer 10 seconds with a ttl of 24 hours ;) I mean it takes really nothing to store the dns record for the next time you want to go there in 2 seconds.. You don't have to store 10k records you need to store the handful you might be wanting to talk too.. Well now I have just gotten off on a rant, sorry ;)

@heliop100 I think you have to give permission - route - to the LAN segment to go out each of the gateways. This is done under firewall, NAT, Outbound. Usually it is recommended before adding rules to select manual then save. Then start adding rules for routing. [image: 1714666796595-untitled.jpg]

@viragomann said in HA, gateway groups and firewall's default route.: Is it this, why you were looking for localhost? Not OpenVPN, but the outbound connections from the firewall itself. In the documentation, localhost should be 'NATted' to interface IP address, which is OK, this part is clear to me. What wasn't clear to me is if I should have created a new gateway group, using Interface address, to use as the default route of the firewall. However, since it doesn't translate anything and everything is working, including IPsec, I'll leave as it is right now, everything using the same gateway group, that has the CARP IP there. Note that without those CARP IPs in the gateway group, IPsec tunnels won't go up.

Gut, denn das sollte einfach so funktionieren, wenn die IP der Fritz im Netz liegt was durch den VPN Tunnel geroutet wird. Also Route in die Fritz mit Ziel pfSense für das gleiche netzt und auf geht es.

@Dobby_ Yes, this is how we are setup. There is not a static IP address, but the cable modem assigns an address to the WAN port on the pfsense router through DHCP. This has been stable for several years before it suddenly stopped working and showed an IP address of 0.0.0.0. Since MAC spoofing solves it, I think the cable modem or ISP is somehow locking the old MAC address and excluding it.

@madbrain I rebooted one more time, and the problem went away - Verizon gateway no longer showed. Very strange. It's an intermittent problem. I decided to remove the USB Realtek 8156B NIC, and replace it with a PCI-E Intel I-225V (B3) that I bought at Central Computers earlier today. This necessitated shutting down the machine to insert the PCI-E card. During the next boot, this is what the interface assignment screen looked like (MAC adresses omitted) : [image: 1714104594603-58150e9e-53b2-46dd-81e9-09f2c62e0d3d-image-resized.png] As you can see, both the Comcast and Verizon interfaces are assigned to the same ix0 network port. Previously, Verizon was assigned to the ue0 network port for the RTL8156B. That port no longer exists since the USB NIC was unplugged. It is a bit disconcerting to see two interfaces on the same NIC, to say the list. Not sure what the right behavior should be, though. Maybe have the interface be unbound (no network port) ? So far, I am not seeing the same issue with all 4 Ethernet ports using Intel NICs (motherboard 1 Gbe, X550-T2 2 x 10 GBe, I225-V (B3) 2.5 Gbe), but it's only been a few minutes.

@viragomann perfect - thank you for the response

@ssppcc You just need to add a static route for the docker subnet. So in System > Routing > Gateway add a new gateway within the server network with the IP 10.0.200.8. Then go to the Static routes tab and and a new static route for 10.31.0.0/16 and state the gateway you've created before.

@Gblenn I teach daily, days and nights so my occurrences are likely more visible. Typically, it fails over to Tier 2 and often is unnoticable. (I find out later looking at logs.) However, on this latest instance, the Tier 1 was flapping and zoom reported my connection was unstable. Students reported poor audio and video. It was only resolved by changing the backup to Tier 1 and restarting zoom. Later that night my main connection stabilized. so naturally I'm thinking it is trying to switch back as soon as Tier 1 is available. I will test to verify.

@viragomann I’ll work on that and some spare time Another quick question from another Bundoo machine and two other windows machines I’m not able to get a SSL connection to the Qnap machine even though I imported the CA certificate into the browsers this goes for chrome and Firefox getting a machine reboot cleared cookies and data from browsers. Any suggestions on this one? Thank you,

@viragomann I figured it out in the end. The guide I followed to setup the site to site wireguard tunnel specified not setting the upstream gateways on the tunnels and using static routes to avoid double nat. It also stops reply-to working correctly.

@SteveITS Indeed that was the issue! You're a legend mate, I've been struggling with this for almost a week now, whats even worse is that I scoured the docs and still somehow managed to miss the bit you highlighted for me ‍️

@viragomann Super - and thanks for the patience anf final explanations