• Routing problems, pfsense (on AZURE) and WAN not reachable from LAN

    3
    0 Votes
    3 Posts
    404 Views
    T

    The current state is as follows:

    I have set up my own Pfsense on AZURE and access it via IKEv2.
    Unfortunately, from the Azure LAN I can only reach my Pfsense. Neither the Internet nor the networks connected via site2site are reachable.

    Setup:
    Azure WAN 192.168.0.0/24, PfSense 192.168.0.4
    On this side there is no routing table, only the Azure NSGs with the rules for my IPsec tunnels

    Azure LAN 10.3.0.0/24, Pfsense 10.3.0.5
    There is a routing table here:

    Unbenannt.PNG

    Azure server Windows Server 2019 10.3.0.4
    2x site2site IPsec connections 10.0.0.0/24 and 10.2.0.0/24 to the pfsense
    several client IPsec connections to the Pfsense

    From the Pfsense GUI I can reach both my Azure servers and the Internet.
    Through the tunnels I can reach the Pfsense and the server on Azure.

    I have now tried a bit to trace the packets (Diagnostics > Packet Capture).
    When I ping 8.8.8.8 from my Azure VM, I see this ping on the LAN port
    20:41:46.674926 IP 10.3.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 1054, length 40
    and on the WAN port
    20:45:53.162014 IP 8.8.8.8 > 10.3.0.4: ICMP echo reply, id 1, seq 1058, length 40

    What is unclear to me: why do I see the ping only inbound and not outbound? At which point does the packet leave my network, and why doesn't the pfsense send it out?

    When I ping my VM 10.3.0.4 via Diagnostics > Ping, I see inbound and outbound messages, as it should be.

    WAN
    20:48:47.679123 IP 192.168.0.4 > 10.3.0.4: ICMP echo request, id 39016, seq 0, length 64
    20:48:47.680056 IP 10.3.0.4 > 192.168.0.4: ICMP echo reply, id 39016, seq 0, length 64

    LAN
    nothing

    I'm really stumped, unfortunately. I'm happy to send more info, just ask.
    I look forward to any hint ....

  • Netgate 4200 loses some configurations upon reboot

    3
    0 Votes
    3 Posts
    507 Views
    T

    @SteveITS
    Thanks.
    I tried to restore to the default settings and configure the system again.
    Now it seems to work.
    I opened a ticket but we are still investigating.

  • Single website unreachable

    2
    0 Votes
    2 Posts
    295 Views
    L

    OK, I was not looking at the correct place.

    Snort was just blocking the IP

    I added it to whitelist

  • Static WAN Settings

    6
    0 Votes
    6 Posts
    600 Views
    V

    @gwrobinjj
    So which interface settings do you have on the Zywall, which works as you said?

    Maybe the ISP has a MAC lock?

    Outbound NAT rules are generated correctly?

  • Remote Access ( SSL/TLS )

    5
    0 Votes
    5 Posts
    515 Views
    R

    @viragomann Thank you very much, it worked.

  • Problem with PPPoE

    1
    0 Votes
    1 Posts
    139 Views
    No one has replied
  • Source IP of traffic from OpenVPN Client through pfSense to LAN

    2
    0 Votes
    2 Posts
    193 Views
    Z

    Solved!

    This is what I did:

    Change from Automatic Outbound NAT to Hybrid Outbound NAT. Create a rule at the top like this:

    3a5ef097-03b1-4c4b-8092-4beeb4570dbc-image.png

  • Routes over OpenVPN not working after reboot

    5
    0 Votes
    5 Posts
    485 Views
    F

    @viragomann

    Thanks, I will try this out. I'll keep you informed if something goes wrong.

  • Quagga ospfd crashes when changing network type over GRE tunnel

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • Multi WAN setup on 2100

    2
    0 Votes
    2 Posts
    362 Views
    S

    @Happydog For group 7 try 4 instead of 4t:

    "18. Type 4084 for the VLAN Tag and 4 for Member(s). This represents LAN4 (port 4) and tagged should be unchecked.

    Click + Add Member to add the LAN Uplink, 5. This member should be tagged as shown."


  • Cannot remove old Interface

    1
    0 Votes
    1 Posts
    187 Views
    No one has replied
  • WAN Offline - part 2

    2
    0 Votes
    2 Posts
    176 Views
    Z

    Nevermind, everyone. This was magically solved for no reason at all.

    Network engineering, ladies and gentlemen.

  • Failover wrong default connection

    6
    0 Votes
    6 Posts
    544 Views
    L

    Thanks ip worked

  • Dual WAN bug

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Pfsense need to reboot to access internet

    1
    0 Votes
    1 Posts
    208 Views
    No one has replied
  • Bandwidth Capacity

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • WAN Offline with 100% packet loss

    7
    0 Votes
    7 Posts
    927 Views
    F

    @zer0vini One more thing about a MULTI-WAN environment.

    You have to be very careful what you use to monitor. Everything you associate with one WAN interface, you can not try from the other interface. In case you configure DNS, you must associate them to an interface (See System/General Setup). So, for 2 interfaces, you should use 4 DNS for redundancy, 2 on each interface.

    If you are going to use a monitor IP on the Gateway, make sure that it is not used on the other interface for anything! So, if you are going to use 8.8.8.8 as DNS for the failing WAN, you can also use it as a monitor IP on the same WAN but not on the other one. Yes, have a look at Diagnostics/Routes to make sure that they are properly routed. Think about this in a spreadsheet before configuring, to make sure that everything will be properly configured.

    Sorry if you already knew that, but if you didn't, it is important.

  • Port forwarding on Multi WAN

    10
    0 Votes
    10 Posts
    1k Views
    Z

    @SteveITS It seems that when I try to make this access with my computer connected to WAN 1, all services for WAN 1 work, be it GUI access or remote access, but not WAN 2. If I connect to WAN 2, all WAN 2 rules apply, but not WAN 1.

    Now I have to find a way to indeed make accesses to 192.168.1.X network using 192.168.0.X. So I really should go for the inbound traffic configs just how @viragomann said, I suppose.

  • How to make routing

    2
    0 Votes
    2 Posts
    362 Views
    V

    @emad4 said in How to make routing:

    Note : I did a static route from pfsense (System - routing - static route) to router2 and is working but I cannot make a route from pfsense to router1 (does not accept that and says "A route to these destination networks already exist " )

    So I guess, NetA and NetB are overlapping.

    You will have to provide details about the networks and gateways to get closer.

  • Ability to selectively kill states on gateways recovery (FR 855)

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.