• Failover between 2 ipsec vti tunnels

    1
    0 Votes
    1 Posts
    369 Views
    No one has replied
  • Noob needs help with basic routing

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz
    @SteveITS yeah I would think restarting pf would force the loading of rules.. Which you could just also do with filter reload under status. Or you would have thought of just reboot pfsense if something wasn't working, etc. Not sure how they would have gotten that deep into the weeds of disable and then reenable pf?
  • Question on gateway groups portion of multi wan guide

    2
    0 Votes
    2 Posts
    514 Views
    V
    @underling89 Yes, since the gateway is configured by DHCP, you need to connect to the server to get it. But for sure you can state the interface IPs and gateways static for the time being, configure the gateway group and rules and switch the interfaces back to DHCP after connecting.
  • Unable to get internet access from ISP modem

    9
    0 Votes
    9 Posts
    1k Views
    A
    @johnpoz agreed! The problem right now is losing the internet access if I disable this rule on the Wan. I am ways away from getting to know how the rules apply on PfSense. Just getting back online is the first step right now. Thank you for your support John! I will let you know once I have a better grip on the rules.
  • WHAT IS THE WAN LIMIT OF PFSENSE

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • WireGuard on pfSense behind ISP router. Why do I need a static route?

    34
    0 Votes
    34 Posts
    5k Views
    D
    @dangersheep @viragomann We discussed the need (or not!) for a static route/gateway. Isn't that related to the bug report here: https://redmine.pfsense.org/issues/14200 ?
  • Private subnets routing to somewhere unknown?

    13
    0 Votes
    13 Posts
    2k Views
    NogBadTheBad
    Nevermind, just read the bit about connecting to home via OpenVPN. You mention using OpenVPN, if so have you selected "don't pull routes" if you don't it's likely your default route is via your OpenVPN connection rather than your WAN link.
  • RADIUS during failover

    1
    1
    0 Votes
    1 Posts
    389 Views
    No one has replied
  • Failover doesn't work for IP phone. Something with DNS?

    2
    1
    0 Votes
    2 Posts
    522 Views
    pfrickroll
    Any thoughts? I know it's not the phone configuration or providers ISP because I had the same issue at my last job with other phones. However, the same set up worked just fine on Sonicwalls.
  • WAN to LAN routing with firewall

    4
    0 Votes
    4 Posts
    746 Views
    V
    @Antonii Yes, exactly.
  • Multi Gateways together with WireGuard and Multi Servers

    3
    7
    0 Votes
    3 Posts
    774 Views
    Bob.Dig
    @Itay1787 I don't think you can do that with WG on pfSense. With OpenVPN you would be able to chain Clients though. Maybe use a VM for your first client...
  • L3 Route not sending traffic along

    5
    0 Votes
    5 Posts
    871 Views
    J
    @viragomann Gateway is set to none. When sniffing packets, I see them come in but not come out of the firewall. They just terminate with Time to live exceeded. This firewall is set up in HA and testing the route using the secondary firewall works fine. I suspect it's a routing bug somehow caused on the primary firewall. I guess a restart will be required for further troubleshooting. Thanks for your help.
  • Wireguard doesn't fail back to main tier 1 Link

    5
    1
    1 Votes
    5 Posts
    983 Views
    pfrickroll
    @jstride Is this Gateway group "WAN_VPN_GATEWAY" in your firewall rule the one from your failover group you created in System/Routing/Gateway Groups? It should be. It looks like your failover group name is "WAN" from your first post.
  • pfsense+ AWS EC2 Asymmetric Routing Help

    2
    0 Votes
    2 Posts
    598 Views
    planedrop
    @pczinser Not personally super experienced with pfSense in AWS, but wanted to at least try and help or get this topic a bit of a bump haha. So, just to be clear, where are you seeing the default deny happen? In pfSense right? But on what interface in specific? I'd first be suspect of that and see if you can get the traffic to pass, but yes could be asymmetric for some reason. Again, not a huge AWS person, but is there a reason the VPN is built with AWS and not setup within pfSense at each location itself?
  • Multiple VLAN routing issue - works on F5 but cant emulate on PFS

    10
    0 Votes
    10 Posts
    1k Views
    johnpoz
    @alexnyc On vlan3 set an outbound nat so that when 77.4.5 pings 10.10.10.4 it looks like it comes from pfsense 10.10.10.1 address. But why would you even want that to be used, why would 77.4.5 not just access 777.4.4? I would put an outbound nat on that vlan3 so any source coming from 71.77.4/24 going to 10.10.10/24 would look like it came from 10.10.10.1
  • 0 Votes
    4 Posts
    753 Views
    V
    @jankol said in Single public IP subnet on WAN scenario but pfSense router as default gateway for WAN clients: My main motivation for the alternative setup (compared to documentation) was the ability to control upstream communication from the server to the internet (so pfBlockerNG could block advertisements and possibly do port forwarding VIP => Server IP). I hoped that it is somehow possible You can do this anyway. All traffic to and from the server has to pass pfSense, hence you can block and pass whatever you want. This is also true for pfBlocker rules.
  • 0 Votes
    1 Posts
    347 Views
    No one has replied
  • 0 Votes
    2 Posts
    334 Views
    J
    Admin: You can delete this post. I got things working by adding a basic pass rule. John
  • default gateway at a different subnet as the interface itself

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • Problem connecting the router to pfsense

    3
    0 Votes
    3 Posts
    383 Views
    A
    @viragomann thanks a lot!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.