    @viragomann

    Thanks for your further interest in my circumstances.

    Just to clarify, following your advice (hopefully I have fully understood) I made the following changes

    System/Routing/Gateways

    Changed default IPv4 gateway to automatic (IPv6 is none)

    System/Routing/Static Routes

    Removed static routes

    System/Routing/Gateway Groups

    Created a Gateway Group comprising the two outbound VPN clients (set as Tier 1/Tier 2). Routing out via this GG is configured via LAN firewall rules (previously I thought this was undertaken by way of the above gateway setting, but I now recognise this seems to be appropriate only where there are two physical WAN connections).

    You may recall that I have configured Unbound to only use the 2 outbound VPNs for DNS resolution (looking to avoid any possibility of a DNS leak). To negate the possibility of a catch-22 (DNS waiting for VPN to come up / VPN client seeking DNS response to gateway query) I have hard coded the IP address of the VPN gateways into the OpenVPN clients.

    Notwithstanding the above, I still seemed to be afflicted by a loss of local client DNS resolution post pfSense reboot.

    This does seem to be a known issue (possibly with Unbound) and, whilst a bit of a "bodge", seems to be easily resolved by restarting Unbound after reboot using cron.

    At the risk of "teaching you how to suck an egg", I found this discussion here helpful

    https://www.reddit.com/r/PFSENSE/comments/lxu3yg/workaround_unbound_restart_at_reboot_using_cron/

    Thanks again for your help.

  • Monitor IP in rules?

    @viragomann
    Thanks.

  • Can't Communicate With Host Over OVPN Connection

    @qits_charles said in Can't Communicate With Host Over OVPN Connection:

    When I add PFSense as the gateway it is able to connect but as soon as I remove it I lose access.

    That's what I expect. Why do you want to remove it?

    Also the latency is 50+ ms.

    Only to the Ubuntu host or other destinations as well?

    A single core may not be ideal for modern operating systems, but it depends on the CPU speed. The RAM usage depends on what is running on pfSense. For firewalling only it should be sufficient.

  • I won't reach the subnet

    johnpoz

    @gusto again, what they are showing is a horrible example of working with their limited devices.

    That first link goes over what you can do to get around using asymmetrical routing, but asymmetrical should not be something you would actually set up on purpose.

    If you're wanting to learn about routing - I sure wouldn't start with what amounts to a shit show ;)

    Your downstream router should use a transit network to connect to the upstream router.

    Here is a diagram that should help with doing routing on pfSense for multiple networks, and adding a downstream router into the mix.

    pfsense-layer-3-switch.png

  • Setting host as Monitored IP makes it unreachable?

  • Static IP with failover

  • OpenVPN clients problems

    Thank you
    works fine

  • Routing Different subnet

  • 2 WANs to different vlans

    @viragomann said in 2 WANs to different vlans:

    @sintei said in 2 WANs to different vlans:

    Right now I can't block the VLAN WEBSITES from accessing LAN via rule, as then the website loses connectivity to the internet (for instance to check updates etc).
    But I can access it FROM the internet.

    The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet.

    If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked.

    You my dear sir are correct!
    I could find some DNS settings and changed them manually and it worked!
    Thanks.

    Also, big thanks to @Silence for helping me troubleshoot this. Have a good night!

  • Remote openVPN phone setup that need to exit on a different firewall

    @stephenw10 That worked, Thank you very much for your help.

    Best Regards

  • How do services in pfSense know which GW to use?

    @trumee

    Thank you for explaining. I figured out a workaround: by creating a static route to host addresses I can direct the WireGuard service separately from the rest of pfSense.

  • USING GRYPHON AP (DHCP CANNOT BE DISABLED) WITH PFSENSE

  • Multi-WAN Multi-LAN and Multi-VLAN Routing Problems

  • Anyone try KeepGo for a backup WAN???

    @rubber_duck13

    What @johnpoz says is correct, as usual. I did have to get some MIMO antennas to make it actually work. The antenna ports were non-standard and needed some adapters.

  • Help in vpn site-to-site with remote client VPN

    @viragomann

    ok thanks....

  • JonathanLee

    @johnpoz thanks for the reply. No, I have a Raspberry Pi running as a NAS separate from the firewall on our LAN. I am also running development mode. There are only pfSense firewall packages on the Netgate. Yes, I was sure I saw 445 NATed; it is gone now. I will check again and get a screenshot of it. I set the DNS back to the local 127 loopback first.

  • WAN2 + LAN on same physical network not working

    @viragomann Thanks for this.
    I have already ordered the switches to set this up.

    I did a bit more testing on this though and I have found the following:

    If I have VDSL and 5G on different Tiers in the Gateway groups all works well.

    If I switch them to the same tier then things start to collapse - I can't even ping other devices that are connected physically to the same switch.
    Restarting, unplugging the 5G modem sometimes fixes it but I need to have them on separate tiers to get a stable connection.

    Does the above behavior still point to the ARP issue?

  • Configure pfsense with 4 nic card where 3 nic card will use for ISP


  • WAN changeover

    @mcmurphy said in WAN changeover:

    Is it possible to make Port2 (new ISP) the default WAN port

    Yes. Configure the WAN2 interface accordingly with static or automatic IP settings. If static don't forget to set the upstream gateway.

    To set the new WAN as default go to System > Routing > Gateways > Default gateway and switch to the new gateway.

    and have pfSense use Port1 (old ISP) if Port2 fails to work?

    For failover you have to add a gateway group.
    System > Routing > Gateway Groups
    Set WAN2 as "Tier 1" and WAN1 as "Tier 2" and set a name for the gateway group.
    Then set the gw group as default gateway instead of WAN2 gw.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.