• Routing problems, pfsense and WAN not reachable from LAN

    0 Votes
    39 Posts
    4k Views
    @tmevent Thanks for the offer. Might come to that at some point... It's also quite possible that the chances of getting help are better in another forum, e.g. reddit or administrator.de. Azure with its SDN plays by completely different rules than a standard router like pfSense, and I believe that is where the problem lies.
  • Routing problems, pfsense (on AZURE) and WAN not reachable from LAN

    0 Votes
    3 Posts
    449 Views
    The current state is as follows: I have set up my own Pfsense on AZURE and access it via IKEv2. Unfortunately, from the Azure LAN I can only reach my Pfsense. Neither the Internet nor the networks connected via site2site are reachable.
    Setup:
    Azure WAN 192.168.0.0/24, PfSense 192.168.0.4; on this side there is no routing table, only the Azure NSGs with the rules for my IPsec tunnels
    Azure LAN 10.3.0.0/24, Pfsense 10.3.0.5; here there is a routing table: [image: 1707375705758-unbenannt.png]
    Azure server, Windows Server 2019, 10.3.0.4
    2x Site2Site IPsec connection, 10.0.0.0/24 and 10.2.0.0/24, to the pfsense
    several client IPsec connections to the Pfsense
    From the GUI of the Pfsense I can reach both my Azure servers and the Internet. Through the tunnels I can reach the Pfsense and the server on Azure. I have now tried a bit to trace the packets (Diagnostics > Packet Capture). When I ping 8.8.8.8 from my Azure VM, I see this ping on the LAN port
    20:41:46.674926 IP 10.3.0.4 > 8.8.8.8: ICMP echo request, id 1, seq 1054, length 40
    and on the WAN port
    20:45:53.162014 IP 8.8.8.8 > 10.3.0.4: ICMP echo reply, id 1, seq 1058, length 40
    What is unclear to me: why do I see the ping only incoming and not outgoing? At which point does the packet leave my network, and why doesn't the pfsense send it out? When I ping my VM 10.3.0.4 via Diagnostics > Ping, I see incoming and outgoing messages, just as it should be.
    WAN
    20:48:47.679123 IP 192.168.0.4 > 10.3.0.4: ICMP echo request, id 39016, seq 0, length 64
    20:48:47.680056 IP 10.3.0.4 > 192.168.0.4: ICMP echo reply, id 39016, seq 0, length 64
    LAN
    nothing
    Unfortunately I am really stuck. I am happy to send more info, just ask. I look forward to any hint ....
  • Netgate 4200 loses some configurations upon reboot

    0 Votes
    3 Posts
    549 Views
    @SteveITS Thanks. I tried to restore to the default settings and configure the system again. Now it seems to work. I opened a ticket but we are still investigating.
  • Single website unreachable

    routing
    0 Votes
    2 Posts
    369 Views
    OK, I was not looking at the correct place. Snort was just blocking the IP; I added it to the whitelist. [image: 1706963904294-37c041c6-7455-4b5d-b5ac-0bbfc12be6cc-image.png]
  • Static WAN Settings

    0 Votes
    6 Posts
    678 Views
    @gwrobinjj So which interface settings do you have on the Zywall, which works as you said? Maybe the ISP has a MAC lock? Outbound NAT rules are generated correctly?
  • Remote Access ( SSL/TLS )

    0 Votes
    5 Posts
    587 Views
    @viragomann Thank you very much, it worked.
  • Problem with PPPoe

    0 Votes
    1 Posts
    143 Views
    No one has replied
  • Source IP of traffic from OpenVPN Client through pfSense to LAN

    0 Votes
    2 Posts
    198 Views
    Solved! This is what I did: Change from Automatic Outbound NAT to Hybrid Outbound NAT Create a rule at the top like this: [image: 1706710058726-3a5ef097-03b1-4c4b-8092-4beeb4570dbc-image.png]
  • Routes over OpenVPN not working after reboot

    0 Votes
    5 Posts
    546 Views
    @viragomann Thanks, I will try this out. I'll keep you informed if something goes wrong.
  • Quagga ospfd crashes when changing network type over GRE tunnel

    0 Votes
    1 Posts
    244 Views
    No one has replied
  • Multi WAN setup on 2100

    0 Votes
    2 Posts
    405 Views
    @Happydog For group 7 try 4 instead of 4t: "18. Type 4084 for the VLAN Tag and 4 for Member(s). This represents LAN4 (port 4) and tagged should be unchecked. Click + Add Member to add the LAN Uplink, 5. This member should be tagged as shown." [image: 1706224105771-4df9afa3-aaa8-40ac-9436-a34240dd9272-netgate-2100-edit-vlan-group-0.jpg]
  • Cannot remove old Interface

    0 Votes
    1 Posts
    191 Views
    No one has replied
  • WAN Offline - part 2

    0 Votes
    2 Posts
    183 Views
    Nevermind, everyone. This was magically solved for no reason at all. Network engineering, ladies and gentlemen.
  • Failover wrong default connection

    0 Votes
    6 Posts
    604 Views
    Thanks ip worked
  • Dual WAN bug

    0 Votes
    1 Posts
    292 Views
    No one has replied
  • Pfsense need to reboot to access internet

    0 Votes
    1 Posts
    225 Views
    No one has replied
  • Bandwidth Capacity

    0 Votes
    1 Posts
    270 Views
    No one has replied
  • WAN Offline with 100% packet loss

    0 Votes
    7 Posts
    1k Views
    @zer0vini One more thing about a MULTI-WAN environment. You have to be very careful what you use to monitor. Everything you associate with one WAN interface, you cannot try from the other interface. In case you configure DNS, you must associate them to an interface (see System/General Setup). So, for 2 interfaces, you should use 4 DNS for redundancy, 2 on each interface. If you are going to use a monitor IP on the Gateway, make sure that it is not used on the other interface for anything! So, if you are going to use 8.8.8.8 as DNS for the failing WAN, you can also use it as a monitor IP on the same WAN but not on the other one. Yes, have a look at Diagnostics/Routes to make sure that they are properly routed. Think about this in a spreadsheet before configuring, to make sure that everything will be properly configured. Sorry if you already knew that, but if you didn't, it is important.
  • Port forwarding on Multi WAN

    0 Votes
    10 Posts
    1k Views
    @SteveITS It seems that when I try to make this access with my computer connected to WAN 1, all services for WAN 1 work, be it GUI access or remote access, but not WAN 2. If I connect to WAN 2, all WAN 2 rules apply, but not WAN 1. Now I have to find a way to indeed make accesses to the 192.168.1.X network using 192.168.0.X. So I really should go for the inbound traffic configs just how @viragomann said, I suppose.
  • How to make routing

    0 Votes
    2 Posts
    393 Views
    @emad4 said in How to make routing: Note : I did a static route from pfsense (System - routing - static route) to router2 and is working but I cannot make a route from pfsense to router1 (does not accept that and says "A route to these destination networks already exist " ) So I guess, NetA and NetB are overlapping. You will have to provide details about the networks and gateways to get closer.