@jimp Thanks for posting this. This is exactly my problem with my pfSense Plus. I have two WANs with my default one being GCNAT. My secondary WAN has a static IP which is used for inbound connections which need entry to my network.

I didn't have any problems with 2.4.5p1. I can only make it work now if I change my default gateway to my static IP WAN. This connection is very slow compared to my other WAN. Hopefully they come up with a workaround soon.

@johnpoz said in Force traffic trough a getaway with specific mac address:

If so then really all you need to do is fudge the last 3 numbers... Ie the device ID, the block ID or OUI the 1st 3 numbers could be left alone, this only identifies the vendor that made the device. Not the actual device.

I am very pleased with this model USB-to-LAN. I have previously tried up to 9-10 USB2LAN adapters, pfSense (and probably FreeBSD) had no drivers for some or others had large load losses. But only this model surprisingly endured tests with high loads on the net without loss.

@steveits said in dpinger shows 100% loss after gateway recovers:

If you view the gateways page does it recover?

No, the Status -> Gateways page shows 100% loss.

As I said, if I run dpinger in shell manually, it shows the same behavior - the output shows 100% loss even after 10 minutes passed since physical link recovery, but if I restart dpinger, it shows 0% loss as it should.

@louis2 said in Identical!! access and filtering towards a local server, for internet located clients as for local clients:

is handled "exactly" like a call coming from the internet.

The most simple solution is probably : Not inviting the Internet in your own local infrastructure.
Use a VPS (or cloud thing, whatever they call it these days), somewhere in a data center. The cost will close to nothing these days.
Internet clients -and your access, will be guaranteed treated equally. You'll have nothing to do to enforce this.

Another solution : use a second ISP, so your local servers have their own WAN IP, and you access them just like the other clients.

Both propositions don't need any fancy setup.

Solved this -- kinda. I disabled CoDeL and everything went back to normal. Maybe I'll try setting it up again once 2.5.1 comes out.

@viragomann Well that's great. Thank you so much

Well, I figured out the issue, so thought I should post what I found, even though I feel a bit stupid now. Seems the main problem was a lack of knowledge on my part and that of Comcast Tier 1 support. Basically I had my gateway IP and static IP reversed.

Turns out that since we were originally using the Comcast CM as a modem/gateway without a firewall behind it, and then later set up the firewall in the CM's DMZ, the gateway IP was functioning as our public static IP. It didn't help that the person who set up the network had documented the gateway IP as our static and vice versa. And Tier 1 support apparently had no clue. It took Tier 2 support to point out my mistake and of course it seems fairly obvious to me now. I suppose my one remaining question is whether this is typical behavior of static IP implementations or specific to Comcast and/or other ISPs? Either way, lesson learned.

I should note one thing. I am 99% sure I did try reversing the gateway/public IPs when I first failed in configuring the static WAN interface, and that it did not work. What I did differently this time, however, was power cycle both the CM and FW, as opposed to just rebooting each; a simple step, mentioned by others in various posts, that might have helped me solve this sooner. Another lesson learned. 🙂

@viragomann

I give it a try tomorrow, thanks !

@incognito Were u able to make this work? Since WG has been disabled in 2.5

@luckyh_de said in Multi-WAN with Backup down:

So i have to prevent any Packet to the LTE-router AS Long as primary ist okay

Hi,

The failover mechanism does not allow this, you definitely need something that, which tells the firewall that the connections are alive
(minimum GW pinger ICMP traffic)

It turns out that I have to set up a bridge in Interfaces→Bridges. For mDNS bridging I also set up Avahi between the different subnets.

@cool_corona Yes I know it looks so - but that's not the case.

@ofloo This is not limited to IPsec this happens in wireguard also. Not sure why but sometimes reloading some settings makes it not filter maybe it's I'm just imaging it but it comes and goes and it's not limited to just IPsec.

I have do not filter traffic on same interfaces, I have just allow all traffic on the interface so no any firewall rule is there just allow any from any to any and yet !!! It filters.

Lately it happens to happen more on WIREGUARD Interface then it does on IPSec.

Also there is nothing in filtering rules to deny anything all the interfaces are allowed to pass through the traffic. Neither its showing anything on the system logs as well

I put my camera on the same subnet, but I am not very happy with that.
My MQTT devices did work cross VLAN, but I had a lot of errors telling me the packet was too short, shorter than expected. I moved these too to the same subnet and the errors are gone.

There seems to be a layer 3 routing issue in pfsense.

Can anyone who understands what is happing comment on this?

Thanks, Sebastian

@viragomann how would i do that over the same port as the dhcp etc etc