@viragomann

Didn't know it was this plain simple.
Many thanks!

Yes, virtual IPs is the correct way, but this f..k Fritzbox

The routes are looking the same...

pfSense routes:

Destination Gateway Flags Use Mtu Netif default WW.XX.YY.201 UGS 6859567 1500 vtnet0 ... WW.XX.YY.200/29 link#1 U 307660 1500 vtnet0 WW.XX.YY.205 link#1 UHS 188 16384 lo0 ...

OPNSense routes:

Proto Destination Gateway Flags Use MTU Netif Netif (name) ipv4 default WW.XX.YY.201 UGS NaN 1500 vtnet0 WAN202 ... ipv4 WW.XX.YY.200/29 link#1 U NaN 1500 vtnet0 WAN202 ipv4 WW.XX.YY.202 link#1 UHS NaN 16384 lo0 Loopback ipv4 WW.XX.YY.203 link#2 UHS NaN 16384 lo0 Loopback ipv4 WW.XX.YY.204 link#5 UHS NaN 16384 lo0 Loopback ...

I really don`t understand the difference between OPNSense and pfSense in this topic...

@bob-dig said in No routing between local networks:

@gueaje Just start over freshly.

Will need to find time later, probably over long weekend.
Currently can't afford downtime due to work from home.

I also emphasize that all the VPN of the Branches are under the same public IP

Hello Ilyaa,

Have you obtained clarification on this issue? I'm also looking into this in CE version 2.6, please give me a light.

Thank you

@mcury didn't figure it out still. Our configs are similar, just that I use 1 wireguard instance currently. NAT outbound is different.

Another thing I noticed was that when I switch to WAN as default gateway, my IP address uses the public ISP IP address even when wireguard is on.

I'll keep digging... If I cant figure out I might switch VPN providers to mullvad...

@nogbadthebad said in Multiple networks on the same VLAN:

https://docs.netgate.com/pfsense/en/latest/interfaces/qinq.html

Hi @nogbadthebad!
Unfortunately, I tried looking into it before setting the whole thing up (with the idea of creating an "overlay" between the hypervisors), but I found reports of it not being possible on my hosting provider.
To be honest, I did not try myself (also because I did not want issues with reduced MTU).
I sent a ticket to the support, but I'm not feeling lucky about this

While old, in case anyone stumbles upon this, I had to allow the LAN-assigned IP for the Google router as a rule. This allows ALL wifi traffic to the LAN. From there - and for me - I just set the rule to a specific IP and port on the LAN.

@shanev said in Outgoing internet traffic out IPSEC tunnel:

There are no floating rules and yes there is a pass rule on the WAN. Like I said it works just fine without the ipsec tunnel.

The rule is responsible for the proper routing here, therefor I'm asking holes. To ensure that the rule is applied, enable its logging and check the firewall log.

What pfSense version are you on?

@vincentjanv
Consider that the traceroute UDP packets may be blocked as mentioned in the GUI. Better to use ICMP for testing.

Also possibly your destination devices block access from outside of the subnet they reside by their own firewall. That is the default behavior of Windows and most Linux machines.
So maybe you have to allow access from outside by the devices firewalls.

@departy said in Cannot initiate HTTPS connection from any type of VPN:

Now question is why LAN (10.10.0.1) could have established connection with 192.

What was talking to what - from your routing table your have 3 different networks there attached to your esxi host. Are you overlapping those IPs on the same L2? Do you have multi homed devices (interfaces in more than 1 network)?

vmk - those are you vmkernal networks? Why would you have more than 1? I could see putting different vms on a different network. But have never setup esxi with vmkern in more than 1 network.. Multi homing devices is almost always a bad idea ;) Can lead to asymmetrical traffic flow is normally the problem.

If you have a completely isolated san that is different..

My nas and pc are multi homed, but only in the sense that they have an isolated network that they can talk to each other at 2.5ge for file movement, a san if you will.

@johnpoz Many thanks for the reply.

I am pinging from the web interface of the pfSense itself so I expect the packet to be generated for the WAN interface directly, although I have also tried from a PC on the LAN interface, I wanted to simplify the issue as much as possible. As mentioned, this is a fresh install with as little as possible changed to demonstrate the problem. No WAN firewall rules, no NAT rules, only the default LAN firewall rules that are not policy routed as I did not change any of their configuration options.

I will attach some screenshots with my routed network hidden although I guarantee it is not the same or overlapping with the WAN or LAN subnets.

The Ping: pfsense_ping.png

The ARP table: pfsense_arp.png

The route table: pfsense_routes.png

The captured ping packet going to the default route MAC address rather than the OtherGW MAC address: pfsense_wireshark.png

@crucialguy Thank you. That helps a bunch.

please see this post for way more information.

Hello,

Did you get that to work?

I'm also trying to advertise OpenVPN client static routes via BGP (FRR) but until now without success
pfSense doesn't create a /32 route (client) in its routing table.

image_2022-03-22_131355.png

My aim is:

connect the road warrior to pfSense (WAN) using SSL/TLS + User Auth (LDAPS) mode (ok, working) advertise the static IP (10.10.10.22) assigned to the road warrior to PE2 (BGP neighbor) (not working)

In my scenario:

PE2 has a BGP session established to pfSense PE3 (10.200.200.50) has ACL control allowing the network 10.10.10.0/24 to get SSH access

Thanks

@vitosmaldino re: point 2, that part is correct. You can use a web site, other DNS (1.1.1.1), basically anything that responds to pings.