@johnpoz said in Static routes ignored in 2.7.0 ?:

well it doesn't effect me in any way shape or form, if I was going to add a 2nd wan, I would bring it in on its own connection, etc..

For me it kinda is.

Capture.PNG

@Proton

I just found from mullvad VPN docs that my vpn gateways should tick the "use non-local gateway" in advanced settings

Not sure if i needed this or what this will do for the firewall since i already managed to get this working.

But in many of the docs i have read they seldom mention the firewall rule i had to add to allow access from WAN1_GW to VPN_GW? I did not get internett access for my clients in my lan if this rule is not there...

This is probably a routing issue.

Both routers, router1 and 2, need a static route pointing to pfsense re1 and re2 ips respectively , saying that LAN is behind it.

@coxhaus i guess you didn't follow along the testing.
the 2 pfsense boxes was just for experiment.
the target was to use one network interface LESS, than the previous setup, (and also bypass the traffic from pfsense).
The initial setup was like you say.

@Starlord_006 so your using your lan as your transit to a downstream router.. Well that is going to be asymmetrical and yeah not going to work..

You need to setup a transit network.

Here is how to proper setup a downstream router

pfsense-layer-3-switch.png

@viragomannб I'll try to implement it. Thanks for the advice!

The Problem has just been solved with a reboot of the firewall.
I hadn't considered that earlier.

@RobbieTT 🤓 🤔 🤓

@russm
You would use the DHCP Relay function for that, you can enable "per inteface".
I use it to forward my Vlans to a Linux DHCP server.

Note . DHCP Server & DHCP Relay are mutually exclusive.
So you'd need a "new pfsense instance" , as you mention ... Since you're already runníng DHCP server on your prod box.

@ghelfrich919 There is no routing in that setup.. You have 1 network shown 192.168.102.0/24 - pfsense has ZERO to do with devices in that network talking to each other.,.

Maybe dns was down? but in that setup as drawn pfsense could be off and 192.168.102.x could talk to 192.168.102.y

Unless your drawing is suppose to show some other downstream network via that 192.168.1 network? But the way you have that drawn would assume that is your internet. You list it having a gateway..

Where is the internet in that drawing - did you just leave it off? But if the internet is some other interface on pfsense - and it was down pfsense would still route its other local networks.

When your internet goes down, can you ping 192.168.102.65 from something else in the 192.168.102 network?

@manilx Solution:

Had 3 create to new LAN rules:

ScreenShot 2023-09-11 at 13.39.42.png

Fixed, thank you.

I removed my router again and configured my Pfsense WAN to DHCP like before. Then I tried to ping 8.8.8.8 from Pfsense and received route unreachable. So I looked to verify the gateway address assigned by DUCP and saw it the entry but it was not the default IPv4 gateway. I changed that and bingo, everything is working.

I still don't know why on my test box it worked for the LAN address of 192.168.1.XXX but not 192.168.10.XXX, but since it is working on my prod Pfsense box I'm not going to complain.

Again thank you for the clue which got me looking at the default gateway setting.

I have isolated the problem to my qbittorrent client. When this client is routed through the new ISP, it causes all sorts of loss packets in my network. I just have the global max connection limit set to 200 and nothing is downloading. There's a handful of torrents seeding but the total upload bw consumed is very minimal.

Is this normal for some ISP's?

@hydrian
You can get it work with a single public IP, but probably not with a MAC lock. CARP uses certain MAC addresses, which cannot be spoofed as far as I know.

@nightcode said in How to set outbound IP of Firewall itself?:

The problem is, if I set the interconnect IP from the /30 network as WAN-IP, I cannot access any services like http etc. Just ping is possible from this IP.

If you can ping out to public IPs I"d expect that the outbound NAT is working.
However, you can change the outbound settings in Firewall > NAT > outbound. For the firewall itself use 127.0.0.0/8 respectively ::1 as source.

But maybe you have a DNS issue. Try to ping by host name.

@johnpoz

thanks for the info, yes i had 1 device to ping in other side.
I think it's already working now.

Thanks for the advice.

cheers