Guys, i am still working on this trying to configure it. I think i am doing some kind of progress. Please bear with me as today i don't have that much time. I'll come back tomorrow. Thank you for all your advises!

@computingdon You'll need to post details. The source address of the connection, the route back to it, the firewall rules passing that traffic when it enters pfSense, and the outbound NAT rules.

@lnguyen said in Can't Route Site To Site: @dma_pf What are the allowed networks under "Peers" for both sites? Thanks for pointing me in this direction...that was it! There was an error in one of the peer IP addresses: [image: 1681327143506-00155179-c7b4-4b05-be81-a0a7f79d6e1c-image.png] The Site 2 network should have been 192.168.164.0. I made the error of seeing that the Wireguard handshake was completed and made the assumption that by doing so it was confirming that: 1) the cryptographic keys matched and 2) that the peer trying to connect had come from the Allowed IP networks. As a result I never rechecked the peer Allowed IPs because I saw a successful handshake. But now I've got to dig deeper into the Wireguard protocol as it appears that the handshake only requires the keys to match and the Allowed IPs are only used as a routing ACL to allow or reject traffic across the tunnel. Thanks again for your help!

@jazzl0ver ahhh ok not available in the kernel. That makes sense.

@viragomann Ok yeah, that makes sense, now that you mention it, I've seen that before. Just not something I typically pay attention to. Guess that leaves me pretty well stumped here.

@rustydusty1717 Accurate, comprehensive, numbered diagrams always help.

@viragomann One more question please. VLANs. What is the general concept if I want VLANs to work through PFSENSE? In this case, PFSENSE, as the core of the network, has OVPN and IPSEC clients. Should I want VLAN111 on the OVPN1 client to see VLAN111 on the OVPN2 client, or even more VLAN111 to see on the IPSEC1 client?

Got everything up and working now with the LAN block as virtual IP's. FYI: For anyone changing the WAN adapter assignment, I found that I needed to go back through the CLI instead of the web browser to reassign all adapters before it would start routing traffic. Initially, I made the change on the adapter in Esxi, but nothing connected to the internet. Then, I created a completely new adapter and assigned it as the WAN interface in the web browser, but still, nothing happened. Eventually, I went through the CLI assignment for just the WAN and LAN, and then traffic started routing again. After that, I was able to reassign and reset the interfaces with the web browser.

@darkcorner said in WAN 1 and 2 Up, but no internet access: Or leave the two Google DNS without associating them to the Gateways? Exactly this one.

@rcoleman-netgate said in "Disable gateway monitoring action" NOT working: You have to monitor an IP address with dual-WAN to make sure the interface is up I do have IP addresses setted as you can check in the first 3 images. @rcoleman-netgate said in "Disable gateway monitoring action" NOT working: Taking it offline from monitoring will treat it as though it is always up and the "member down" setting is made redundant. That is the configuration I am using now but only because the "disable gateway monitoring action" is not working. I read all the documentation about multiple wans. But still, the "disable gateway monitoring action" checkmark should be self evident. If you mark that option it should never take any action when monitoring and should never set the interface down. But it does...

@johnpoz Thanks I will look into the FFR package. As to them using RIP like I said they are a crappy ISP... They used to use all just regular SurfBoard docsis 3.0 modems and everything was great. But they got sold on this shitty taiwanese Askey hardware and management software (I think because they took over time warner and roadrunner, this is the junk they were using). Well I think I might have gave it away to you which ISP this is, hopefully I don't piss off the ISP overlords and they zap my hardware for being an ungrateful customer LMAO...

@pduk82 well its not the end of the world - double nat is not all that bad, while there are some special apps that might have problems. Generally speaking most users can be behind a double nat, even triple or have seen quadruple and never notice any issues.. More nats in your chain before public IP can be problematic for allowing inbound traffic via port forwards, but still able to do - just have to port forward on the device(s) upstream of your pfsense

@dtnb Simply means the path to your monitor IP or maybe the monitor IP itself is not healthy. edit: I see the monitor IP is 192.168.1.254 which is your ATT modem in this case. Perhaps a cabling problem? Have you tried swapping the patch cable?