@dennypage Thank you. I didn't realize the loss interval influence on latency thresholds. -Devan

@viragomann I want to thank you for your guidance. I really appreciate your time on this topic. Finally, I solved the problem, just adding an outbound rule on the /30 interface where the source is the VLAN over the LAN interface, destination any, and translating to one of the /29 addresses. With that, our clients can go out to the internet using this service. So, if anyone finds a scenario like this, this is what I did: 1-. Set up the interconnection: use one of the /30 addresses and create a GW with the other address on the interface connected to the ISP Interfaces - Select the one connected with the ISP Configuration Type: Static Ip Address: one of the /30 (usually the highest) Add a new gateway Gateway Name: as you want Gateway IP: the other address Add Save 2-. Create an IP alias: Firewall - Virtual IP - Add Type: Ip Alias Interface: The one connected to the ISP Address: One of the public address Save 3-. NAT outbound rules: one with static port and another without static port. Firewall - NAT - Outbound Outbound Type: Hybrid Save Add Rule Interface: The one connected with the ISP Address Family: IPV4 + IPV6 (if you use IPV6) Protocol: Any Source: LAN network. If you have multiples VLAN on your LAN, then the source should be the network of the VLAN you need to go out to the internet Destination: Any Translation: The Ip alias that was created before. Dropdown the list to find it Check the Static Port for one of the rules. Then create another one exactly like before but without the static port checked Save 4-. Set a policy to use the gateway of your ISP: Firewall - Rules - LAN (or VLAN on the LAN) Tab and add a rule where the gateway is your interface connected with your ISP. Firewall - Rules - LAN (or VLAN over your LAN) Tab and then click on Add Interface: The LAN or VLAN on the LAN interface Address Family: IPV4 + IPV6 Protocol: Any Source: Lan or Vlan Net Destination: any Display Advanced options and scroll down until find Gateway Select the gateway created before Click Save And that's it. This works for me. Maybe is not too fancy but, works fine. Thanks everyone for the help.

@dlrqdm You would have to adjust your outbound nat to not nat.. Here to do an example... I created a special outbound rule for my test interface to not be used for nat outbound using hybrid mode.. With my test interface IP 192.168.200.1, set unbound to only use the test interface for outbound. Sniffing on wan while I do a dns query, which never get answered of course you can see the traffic going out with my 192.168.200.1 address. You would have to adjust to use your vpn interface, etc.. [image: 1642549814037-nonat.jpg]

This post is in the wrong spot. Sorry about that.

@viragomann Thanks for your further interest in my circumstances. Just to clarify, following your advice (hopefully I have fully understood) I made the following changes System/Routing/Gateways Changed default IPv4 gateway to automatic (IPv6 is none) System/Routing/Static Routes Removed static routes System/Routing/Gateway Groups Created a Gateway Group comprising the two outbound VPN Clients (set as Tier1/Tier2). Routing out via this GG is configured via LAN Firewall Rules (previously I thought this was undertaken by way of the above gateway setting, but I now recognise this seems to be only appropriate to change this where there are two physical WAN connections. You may recall that I have configured Unbound to only use the 2 outbound VPN's for DNS resolution (looking to avoid any possibility of a DNS leak). To negate the possibility of a catch 22 (DNS waiting for VPN to come up/VPN Client seeking DNS response to Gateway query) I have hard coded the IP address of the VPN Gateways into the OpenVPN clients. Not withstanding the above I still seemed to be afflicted by a loss of local client DNS resolution post pfsense reboot. This does seem to be an know issue (possibly with Unbound) and whilst a bit of a "bodge" seems to be easily resolved by restarting Unbound reboot using CRON. At the risk of "teaching you how to suck an egg", I found this discussion here helpful https://www.reddit.com/r/PFSENSE/comments/lxu3yg/workaround_unbound_restart_at_reboot_using_cron/ Thanks again for your help.

@viragomann Thanks.

@qits_charles said in Can't Communicate With Host Over OVPN Connection: When I add PFSense as the gateway it is able to connect but as soon as I remove it I lose access. That's what I except. Why do you want to remove it? Also the latency is 50+ ms. Only to the Ubuntu host or other destinations as well? A single core may be not ideal for modern operating systems, but depends on the cpu speed. The RAM usage depends on what is running on pfSense. For firewalling only it should be sufficient.

@gusto again what they are showing is a horrible example of working with their limited devices. That first link goes over what you can do to get around using asymmetrical routing, but asymmetrical should not be something you would actually setup on purpose.. If your wanting to learn about routing - I sure wouldn't start with what amounts to a shit show ;) Your downstream router should use a transit network to connect to the upstream router. Here is a diagram that should help with doing routing on pfsense for multiple network, and adding a downstream router into the mix. [image: 1642259495364-pfsense-layer-3-switch.png]

This may help: https://github.com/pfsense/pfsense/pull/4551

Thank you works fine

@viragomann said in 2 WANs to different vlans: @sintei said in 2 WANs to different vlans: Right now I can't block the VLAN WEBSITES from accessing LAN via rule as then the website looses connectivity to internet (for instance to check updates etc). But I can access it FROM the internet. The only reason for this, I can think of is that on the web server you are using a DNS server in the LAN subnet. If that's not the case enable logging in the block rule and check the firewall log to see, which access from the web server to LAN is blocked. You my dear sir are correct! I could find some DNS settings and changed them manually and it worked! Thanks. Also, big thanks to @Silence for helping me troubleshooting this. Have a good night!

@stephenw10 That worked, Thank you very much for your help. Best Regards

@trumee Thank you explaining. I figured out a workaround by creating a static route to host addresses I can direct the wireguard service separately from the rest of pfsense.

@rubber_duck13 What @johnpoz says is correct, as usual. I did have to get some mimo antennas to make it actually work. The antenna ports were non standard and need some adapters.

@viragomann ok thanks....