• Dpinger and LTE alerts

    0 Votes
    6 Posts
    818 Views
    @dennypage Thank you. I didn't realize the loss interval's influence on latency thresholds. -Devan
  • Small WAN IP Subnet with Larger LAN IP Subnet

    0 Votes
    13 Posts
    1k Views
    @viragomann I want to thank you for your guidance. I really appreciate your time on this topic. Finally, I solved the problem by just adding an outbound rule on the /30 interface where the source is the VLAN over the LAN interface, destination any, translating to one of the /29 addresses. With that, our clients can go out to the internet using this service. So, if anyone finds a scenario like this, this is what I did:
    1. Set up the interconnection: use one of the /30 addresses and create a GW with the other address on the interface connected to the ISP. Interfaces - Select the one connected with the ISP. Configuration Type: Static. IP Address: one of the /30 (usually the highest). Add a new gateway. Gateway Name: as you want. Gateway IP: the other address. Add. Save.
    2. Create an IP alias: Firewall - Virtual IP - Add. Type: IP Alias. Interface: the one connected to the ISP. Address: one of the public addresses. Save.
    3. NAT outbound rules: one with static port and another without static port. Firewall - NAT - Outbound. Outbound Type: Hybrid. Save. Add Rule. Interface: the one connected with the ISP. Address Family: IPv4 + IPv6 (if you use IPv6). Protocol: Any. Source: LAN network. If you have multiple VLANs on your LAN, then the source should be the network of the VLAN you need to go out to the internet. Destination: Any. Translation: the IP alias that was created before (drop down the list to find it). Check Static Port for one of the rules. Then create another one exactly like before but without Static Port checked. Save.
    4. Set a policy to use the gateway of your ISP: Firewall - Rules - LAN (or VLAN on the LAN) tab and add a rule where the gateway is your interface connected with your ISP. Firewall - Rules - LAN (or VLAN over your LAN) tab and then click on Add. Interface: the LAN or VLAN on the LAN interface. Address Family: IPv4 + IPv6. Protocol: Any. Source: LAN or VLAN net. Destination: any. Display Advanced options and scroll down until you find Gateway. Select the gateway created before. Click Save.
    And that's it. This works for me. Maybe it is not too fancy, but it works fine. Thanks everyone for the help.
  • 0 Votes
    9 Posts
    1k Views
    johnpoz
    @dlrqdm You would have to adjust your outbound NAT to not NAT.. Here to do an example... I created a special outbound rule for my test interface to not be used for NAT outbound using hybrid mode.. With my test interface IP 192.168.200.1, set unbound to only use the test interface for outbound. Sniffing on WAN while I do a DNS query, which never gets answered of course, you can see the traffic going out with my 192.168.200.1 address. You would have to adjust to use your VPN interface, etc.. [image: 1642549814037-nonat.jpg]
  • CE 2.6/2.7 and PIMD

    0 Votes
    2 Posts
    414 Views
    This post is in the wrong spot. Sorry about that.
  • Gateway Internet with mikrotik

    0 Votes
    1 Posts
    283 Views
    No one has replied
  • 0 Votes
    5 Posts
    721 Views
    @viragomann Thanks for your further interest in my circumstances. Just to clarify, following your advice (hopefully I have fully understood) I made the following changes. System/Routing/Gateways: changed default IPv4 gateway to automatic (IPv6 is none). System/Routing/Static Routes: removed static routes. System/Routing/Gateway Groups: created a Gateway Group comprising the two outbound VPN Clients (set as Tier1/Tier2). Routing out via this GG is configured via LAN Firewall Rules (previously I thought this was undertaken by way of the above gateway setting, but I now recognise this seems to be only appropriate to change where there are two physical WAN connections). You may recall that I have configured Unbound to only use the 2 outbound VPNs for DNS resolution (looking to avoid any possibility of a DNS leak). To negate the possibility of a catch 22 (DNS waiting for VPN to come up/VPN Client seeking DNS response to Gateway query) I have hard coded the IP address of the VPN Gateways into the OpenVPN clients. Notwithstanding the above I still seemed to be afflicted by a loss of local client DNS resolution post pfSense reboot. This does seem to be a known issue (possibly with Unbound) and, whilst a bit of a "bodge", seems to be easily resolved by restarting Unbound after reboot using CRON. At the risk of "teaching you how to suck an egg", I found this discussion here helpful: https://www.reddit.com/r/PFSENSE/comments/lxu3yg/workaround_unbound_restart_at_reboot_using_cron/ Thanks again for your help.
  • Monitor IP in rules?

    0 Votes
    3 Posts
    594 Views
    @viragomann Thanks.
  • Can't Communicate With Host Over OVPN Connection

    0 Votes
    6 Posts
    827 Views
    @qits_charles said in Can't Communicate With Host Over OVPN Connection: When I add PFSense as the gateway it is able to connect but as soon as I remove it I lose access. That's what I expect. Why do you want to remove it? Also the latency is 50+ ms. Only to the Ubuntu host or other destinations as well? A single core may not be ideal for modern operating systems, but it depends on the CPU speed. The RAM usage depends on what is running on pfSense. For firewalling only it should be sufficient.
  • I won't reach the subnet

    0 Votes
    13 Posts
    1k Views
    johnpoz
    @gusto again what they are showing is a horrible example of working with their limited devices. That first link goes over what you can do to get around using asymmetrical routing, but asymmetrical should not be something you would actually set up on purpose.. If you're wanting to learn about routing - I sure wouldn't start with what amounts to a shit show ;) Your downstream router should use a transit network to connect to the upstream router. Here is a diagram that should help with doing routing on pfSense for multiple networks, and adding a downstream router into the mix. [image: 1642259495364-pfsense-layer-3-switch.png]
  • Setting host as Monitored IP makes it unreachable?

    0 Votes
    4 Posts
    890 Views
    luckman212
    This may help: https://github.com/pfsense/pfsense/pull/4551
  • Static IP with failover

    0 Votes
    1 Posts
    266 Views
    No one has replied
  • OpenVPN clients problems

    0 Votes
    7 Posts
    1k Views
    Thank you, works fine.
  • Routing Different subnet

    0 Votes
    1 Posts
    279 Views
    No one has replied
  • 2 WANs to different vlans

    0 Votes
    13 Posts
    1k Views
    @viragomann said in 2 WANs to different vlans: @sintei said in 2 WANs to different vlans: Right now I can't block the VLAN WEBSITES from accessing LAN via rule as then the website loses connectivity to internet (for instance to check updates etc). But I can access it FROM the internet. The only reason for this I can think of is that on the web server you are using a DNS server in the LAN subnet. If that's not the case, enable logging in the block rule and check the firewall log to see which access from the web server to LAN is blocked. You my dear sir are correct! I could find some DNS settings and changed them manually and it worked! Thanks. Also, big thanks to @Silence for helping me troubleshoot this. Have a good night!
  • Remote openVPN phone setup that need to exit on a different firewall

    Moved voip vpn
    0 Votes
    28 Posts
    3k Views
    @stephenw10 That worked, Thank you very much for your help. Best Regards
  • How do services in pfSense know which GW to use?

    0 Votes
    4 Posts
    680 Views
    @trumee Thank you for explaining. I figured out a workaround: by creating a static route to host addresses I can direct the WireGuard service separately from the rest of pfSense.
  • USING GRYPHON AP (DHCP CANNOT BE DISABLED) WITH PFSENSE

    0 Votes
    1 Posts
    562 Views
    No one has replied
  • Multi-WAN Multi-LAN and Multi-VLAN Routing Problems

    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Anyone try KeepGo for a backup WAN???

    0 Votes
    5 Posts
    987 Views
    @rubber_duck13 What @johnpoz says is correct, as usual. I did have to get some MIMO antennas to make it actually work. The antenna ports were non-standard and needed some adapters.
  • Help in vpn site-to-site with remote client VPN

    0 Votes
    7 Posts
    958 Views
    @viragomann ok thanks....
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.