@tharun518
Corrected it.

@dono96 said in Routing thru 2 pfsenses:

add more clients and pfsenses

Why do you think you need more pfsenses? There is no point to adding firewalls for the sake of firewalls.. You could have hundreds of vlans firewalled from each other with 1 pfsense.

FTP is dead - only thing you should be looking to do with that protocol is not use it ;)

You would port forward ports 502-508 from lan 2 pfsense IP to 192.168.0.4, and also setup source natting (outbound nat)

So that 192.168.0.4 thinks its coming from the pfsense 192.168.0.X IP.

Now when 192.168.2.10 tries to talk to pfsense 192.168.2.x IP it would be sent to 192.168.0.4

@dan2112
The LTE connection can only be used for outbound traffic if there is any route defined to go over it. So if there is no route, no traffic.
If you only want to use it for a dial-in VPN, you don't need to set it as gateway. Simply connect the LTE modem to a pfSense interface and fire up an OpenVPN server listening on this interface.

You will also need a dynamic DNS for the LTE, so you can connect to the hostname when you need.

@townsenk64 said in Packet loss with multiple VPN clients:

monitor gateway such as 8.8.8.8 or 1.1.1.1.

These give exactly the results that the DNS server load gives, not so relevant, DNS servers are not designed to respond to ICMP, but I know this is often the only solution.
(this is not the main objective with them = ICMP respons)

f.e.: Neither SurfShark nor ExpressVPN gateway not respond to ICMP. (security question)

Tracert...... and it will tell you what is the nearest upstream GW in your VPN tunnel that responds to ICMP

I wouldn't think it's a "dpinger" issue, because it works for me and others.

What I would do next:

First check the parameters of the WAN-only with ISP connection (pls. heavy load the link, for example with this: https://speed.cloudflare.com/ or https://www.nperf.com/en/)

I would take down all the VPN tunnels and bring them up one by one

In the meantime, I would monitor the hardware CPU load, as OpenVPN is a single-threaded beast

Step by step I would launch VPN tunnels, after you should see if doing so increases packet loss and CPU load

BTW:

What type of ISP connection do you have? (PPPOE, GPON, ADSL, etc) 😉

Further investigation

I issued the statement via shell

usbconfig

It then displayed:

ugen0.1: <Marvell XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA) ugen1.1: <Marvell EHCI root HUB> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA) ugen0.2: <HUAWEI Technology HUAWEI Mobile> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

I then checked those devices:

ls -l /dev/ugen*

It then displayed:

lrwxr-xr-x 1 root wheel 9 Jun 4 21:44 /dev/ugen0.1 -> usb/0.1.0 lrwxr-xr-x 1 root wheel 9 Jun 4 21:43 /dev/ugen0.2 -> usb/0.2.0 lrwxr-xr-x 1 root wheel 9 Jun 4 21:44 /dev/ugen1.1 -> usb/1.1.0

The USB device is on /dev/ugen0.2 but the Netgate device's PPP is only acknowledging /dev/cuau0

I also tried editing the file /etc/ppp/ppp.conf and tried to replace anything the says "cuau*" into "ugen*" to test if it is about the configurations. I rebooted the device and after it was on, Netgate still just recognizes /dev/cuau0 on the PPP lists and not /dev/ugen0.2

Do you guys know what could be done to solve this? Any hint or direction is much appreciated 😄

@brandon-lizard said in Routing between WAN and LAN:

Why does this have to be so hard?

Its not hard... You have been given multiple options..

@townsenk64 Yes sometime i get packet loss, but most of the time its stable and loss is 0%..
3ac3902b-e7dc-45a4-a2d3-676f79e77016-image.png

@townsenk64 Thankyou really appreciate all the insight

I had realized I had forgotten to add my NAT rule into my list as I am manually natting on pfSense. Once I added the VIP's and NAT rule, I was able to ping externally. Sometimes it pays to step away and look at it again a different day.

@johnpoz Thanks for explaining everything. I tried what you suggested and is succesful. The only thing was that the remote user, couldn't been able to connect through a VPN Client, that's why i make it short term access using port 100. ok, now it's clear.

@KOM

the original diagram had a second pfSense box in the 10.x network but was followed with a question mark to show it was possible. i admit not clear.
thanks for the suggestions, it makes sense and i will give it a shot!

@johnpoz

if you cannot follow this topology of a simple network, there is little else i can provide to help you.

and your insistence that your earlier rant about 10.x subnets was simply to find out my level of networking experience is ludicrous and a very transparent attempt at covering up your inability to simply admit that that line of snarkiness had nothing to do with the question at hand.

have a great memorial day weekend.

technical skills are a dime a dozen, technical skills coupled with empathy and understanding are invaluable.

@vinicius-santosl said in multi-wan load balancing with more than 2 WAN, High Availability.:

If possible, how can it be done?

Hi,

You can run it smoothly 😉 , the descriptions are only examples.

Pick up the gateways and configure them here (GW Group) following the Netgate guide and this should also help, I repeat myself here:
https://forum.netgate.com/topic/163934/sg-3100-loadbalance-and-failover/4?_=1622307884780

This will help (this is a rough link - suddenly- I couldn't find a better one for you): 😉 😉

https://www.cyberciti.biz/faq/howto-configure-dual-wan-load-balance-failover-pfsense-router/?cf_chl_captcha_tk=b19a8d5b347fd3f6a25579b8c123f3ca7dd76d3a-1621868538-0-AaaAJyc-XA0E_URuyvq0PWv1HMcVWaLA4YlA9uq7f61D_EDbT6SdOjLrN1YNALceSrBn9ni3SZ0nlGyt5I_Tq84TJGAbMGvFE9M7ZUbtNDxplLM-ZDHu6NnftrAaEQiFjYg0SgL9q-83tjIlR1-hq6N5VWtGAqZW-u-sKKAHkSDa1EG4FRJdiQHDSekvGkAr93cuC4GnTw2McCMXeac3PZGteBkSCKnT5IkEPmR1oP7rJur3TAmtorH07uMw3O73r53cFKo29BCVD04qJ07Qqe86tKSZw2SQEskOz20mes1NUh1CMK1LPO7vJaSfqjgEl6pVzIX_tK-0-pzww_zsjSaX0iNlwF5JfEMBwmvxlgRnodHOCufP-w35cf8KbvnRKQGLaKS__z1tTiZiS5WiDldda7TcLE8xLL10jbHjV0eMrUrmmbxYSl_KiInn8845gbYf4I2yNrt2T6GMCAXXtQpWD6v3kQcl4VMKwCD_LL_BP9uy0ufhoBoFhjS-j1cbThASyTs8WufVhg143Rj2seGN4SKQsXmwHdUNzzJ_DOv7TucHqZhY0ZmiCG2QNqRLPRZ2rsl5wJi1oXadTQTrTpLVvfWVXdePbuzjslThiK10ztKkbfr6JqOAxQ2xWXnRG7fRqKFXE5Z5p_bVWVh8yoKa78YY2ag107cLwOp3J2lJtNiWSiIGC-mcRFx7FyMPqSitREY1-u-1gJh95ulIogyvrYz_LNtVDcyJ-WEgVhKah2KFo6Kg6cuFzHDiFEMf4w

59fea0be-99d4-4079-96a0-adcf3e41a515-image.png

@kom I agree with you but for some reason it was failing to ping the gateway. thanks for your help along the way

@smithgcovert You could run a packet capture filtered on your TV device to see what it's talking to and on which ports when you run your Spectrum app. From there you would create rules to direct traffic from that device to those IPs/ports out the WAN2 gateway. The trick is separating traffic the device normally generates versus the traffic specifically from the Spectrum app so you might have to play around with it.

@viragomann
Thank you so much for taking the time to answer my queries, and to educate me, I really appreciate that. I'm learning new things all the time.

@mountainlion I disabled pf filter, now I cant get admin gui access.
From console, I was able to issue pfctl -e and the gui still didnt work.
I shutdown and started, still no go.

Any ideas how to re-enable the gui after issuing the "disable pf-filter"?