• Pfsense won't route tcp 135 out of LAN, and no logging

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ

    @professor your setup is a MESS.. Yeah you're going to have problems with it, it's an asymmetrical nightmare..

    Fix it! Use a transit network - now you can just use pfsense as a router with an any any rule..

  • GRE Tunnel Can't Reach Site 3 in one direction only

    3
    0 Votes
    3 Posts
    585 Views
    H

    Fixed the issue: I had to enable Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic under VPN -> IPsec -> Advanced Settings on fwl-01 and fwl-03

    Documentation here:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/advanced.html#advanced-ipsec-settings

  • dual wan but not failover or balanced

    4
    0 Votes
    4 Posts
    1k Views
    H

    @akuma1x Thank you! It's working!

  • Support for LISP (Locator/Identifier Separation Protocol)?

    1
    0 Votes
    1 Posts
    272 Views
    No one has replied
  • Routing between LAN and WAN

    4
    0 Votes
    4 Posts
    739 Views
    S

    This was fixed by deleting all manually added GWs and using the one assigned by the upstream DHCP as default. The DNS-Redirect rule does not seem to have any effect (enabling/disabling it does not affect connectivity).
    Thank you guys for helping out ^_^

  • 'arp: writing to routing socket: Operation not permitted'

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG

    @jonathanlee said in 'arp: writing to routing socket: Operation not permitted':

    turn off logging same as what you recommended.

    There is a better solution.

    Turning off logging is a sledgehammer approach.

    You can keep logging for the default rule activated.
    Just add a block rule that doesn't log, and it should block UDP port 68 (DHCP stuff) as you know it exists, but you 'trust' it as it can do no harm except eating up a very small fraction of your WAN bandwidth.
    Other non solicited WAN traffic will still get logged.

  • Need expert advice: WAN Loadbalancing into same subnet

    7
    0 Votes
    7 Posts
    938 Views
    NogBadTheBadN

    @idefixrc There are some very dubious statements on your ISP's web site.

  • I'm hitting a (fire?)wall

    3
    0 Votes
    3 Posts
    686 Views
    S

    @netblues

    So I got it working now. There were two things wrong:

    I did have that Outbound NAT setting you suggested (it was part of the provider's instructions). But where the instructions said to use "192.168.1.1" I had put "192.168.1.0" (actually, I have a different subnet, but I had put a "0" instead of "1").

    And I changed the firewall rule to direct the subnet's traffic through the gateway. Instead of choosing source "LNy", I had chosen source "VPN" - that one clearly was a main culprit.

    Thanks for your help!!!

  • What is my *@! IP?

    7
    0 Votes
    7 Posts
    1k Views
    S

    @johnpoz

    Ah, I see.

    Well, I just took a leap of faith and updated my dynamic DNS with "whatever" pfSense found. And now - after the update - it does show on the Dynamic DNS page.

    I had just hoped to be able to check the IP beforehand (in order to avoid updating with an incorrect IP). But it all seems to have worked fine.

    Thanks for your help!!!

  • No default gateway for virtual client

    2
    0 Votes
    2 Posts
    632 Views
    H

    The problem was my NAT outbound rules which were not set. Also I had a problem with the MSS / MTU because my ISP requires their specific values.

  • Dual IPSEC tunnel - Failover

    4
    0 Votes
    4 Posts
    900 Views
    L

    @dotdash Thank You!

  • 2 LAN (ping a PC from each lan)

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • Unable to get IPTV working

    3
    0 Votes
    3 Posts
    896 Views
    A

    No, I've removed any switches between the router and the tv-box. Had it working fine with my old router.
    Anyways, we figured out that we didn't really miss it much, as we mostly stream stuff anyways. So, I gave up and canceled my TV-subscription and instead increased my bw to 750mbps.

  • Route monitoring and failover with satellite connection

    2
    0 Votes
    2 Posts
    581 Views
    ?

    So, I guess I have a couple of questions.
    1/ Can I tune the "High Latency" trigger to
    be different values for different gateways.

    Why not load balancing and the failover you get as a benefit on top?

    2/ Anyone know why, even if I select packet loss,
    the system is choosing to drop the Sat link (which
    isn't losing packets but does have a high ping).

    It perhaps depends on what you were configuring!

    For the record, the test rig is currently on a SG1100
    but I'm going to swap a 7100 in today to see if that
    has any impact. (but I don't think it will)

    It all depends on your throughput! How much are the
    three internet connections delivering to you?
    3 x 1 GBit/s or less or more? I think the Netgate 6100
    will do the job with ease for you! Also a small APU4D4
    can be enough, if you have not so high WAN throughput.

  • Access Synology NAS externally

    6
    0 Votes
    6 Posts
    5k Views
    ?

    @wufwuf

    DDNS can also be set up in pfSense! So over DDNS
    you may be able to connect to your pfSense from
    outside and then "locally" to the NAS. If you set up
    the DDNS at the Synology NAS, it is directly able to
    connect from outside, but also for other people!

  • Backup / Redundant Multi WAN over wifi

    3
    0 Votes
    3 Posts
    671 Views
    A

    @steveb53 You could get one of the little GL.iNet travel router boxes. These things allow you to connect to a WAN over a bunch of different ways: smart phone tethering, direct ethernet cable, 3G/4G USB modem, or even over a wifi connection.

    I use one of these in a pinch, and it works great. There are newer models, with antennas and faster CPU processors, so plenty of options.

    https://www.amazon.com/GL-iNet-GL-AR750-300Mbps-pre-Installed-Included/dp/B07712LKJM

    In the manual, here's the specific section on the supported WAN connections. You're looking at using the "repeater" function to be able to get to the community wifi, like you say...

    https://docs.gl-inet.com/en/3/setup/gl-ar750/internet/

  • Routing between houses

    3
    0 Votes
    3 Posts
    660 Views
    S

    @viragomann
    Wow that I didn't see coming... what a good and quick fix! Thanks! It is solved.

  • OVPN Client ---> PfSense ---> IPSEC ---> Server

    6
    0 Votes
    6 Posts
    931 Views
    V

    @vfisher
    You need also to push the route to the remote IP to the OpenVPN clients, of course.
    So you have to add "172.31.17.150/32" to the "IPv4 Local Networks" in the server settings. Have you done this already?

    Also ensure that firewall rules on the VPN interface allow access.

  • 0 Votes
    6 Posts
    1k Views
    se_marcS

    @viragomann I set up outbound NAT, source "This firewall", destination "IP of the radius server", NAT address "CARP WAN IP". When I go into diagnostic to test radius auth, it does not authenticate.

  • XG-7100: Can't get pppoe to work, any advice?

    6
    0 Votes
    6 Posts
    999 Views
    fireodoF

    @pgs said in XG-7100: Can't get pppoe to work, any advice?:

    If one has an explanation why VLAN on the modem must not be set, I'd be pleased.

    I only know that Vlan7 has to be set in modem OR router - why it's not working if it's set on both I have no technical explanation - maybe the Deutsche Telekom can answer that ;-)

    Draytek Advice

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.