Wooow nice :)

I was not aware that it might work this way :)
I've never connect internet to the router from lan site :P
(at least not with the intention that it will work)

It's work perfect

Thanks for help

Happy to say that this issue has been fixed in the latest 2.5.1 snapshots:

https://redmine.pfsense.org/issues/11602

Before - 2.5.0:

--- X.X.X.X ping statistics --- 500 packets transmitted, 500 received, 0% packet loss, time 701ms rtt min/avg/max/mdev = 0.175/25.373/109.791/27.343 ms, pipe 8

After - 2.5.1-RC:

--- X.X.X.X ping statistics --- 500 packets transmitted, 500 received, 0% packet loss, time 96ms rtt min/avg/max/mdev = 0.181/0.267/0.365/0.040 ms

A big thank you to entire Netgate / pfSense team for addressing this so quickly.

I've since updated this script to handle failover to a second VPN where required.

#!/bin/sh # Variables # VPN_IFACE1 is the primary VPN interface, VPN_IFACE2 is the backup VPN interface VPN_IFACE1=ovpnc1 VPN_IFACE2=ovpnc2 SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf # Check whether VPN interfaces are connected and assign connected interface to VPN_IFACE. Exit if both are down VPN_IFACE1_STAUS=$(ifconfig $VPN_IFACE1 | awk '{print $2}' | egrep -o UP) VPN_IFACE2_STAUS=$(ifconfig $VPN_IFACE2 | awk '{print $2}' | egrep -o UP) if [ -z "VPN_IFACE1_STATUS" ] then VPN_IFACE=$VPN_IFACE1 elif [ -z "VPN_IFACE2_STATUS" ] then VPN_IFACE=$VPN_IFACE2 else echo "Both VPN interfaces down" exit 1; fi # Get current IP address of VPN interface VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check current IP for VPN interface in squid.conf file VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+') # Check if the config file matches the current VPN interface IP, and if so exit script if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ] then exit 0; fi # Replace the previous IP address in the squid.conf file with the current VPN interface address sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE # Force reload of the new squid.conf file /usr/local/sbin/squid -k reconfigure

@viragomann
Like I said, it was late and I was frustrated, so I didn't approach troubleshooting in a methodical way. But I did try pinging the google dns servers (can't remember if I tried the gateway address or not) and the only one that worked was pinging google dns from the WAN using IPv6.

I can tell you that I manually configured my laptop ethernet adapter with the static IP, mask and gateway, along with the default Comcast DNS servers (75.75.75.75/75.75.76.76) and connected directly to the CM. When I did that I did I was able to connect to some websites, but not others. The one that didn't load gave me a DNS error (can't recall the exact wording). I couldn't connect to anything from my PC when going through pfsense.

@pentangle Just to say that last night's candidate release fixed the second WAN issue, but pfBlockerNG needed to be disabled and re-enabled after upgrade because I could only ping the upstream gateway and the monitor IP (1.1.1.1) until I did that. Other pingable IPs (e.g. 1.0.0.1) were timing out until I did that.

Good Evening,

I figured out the transmission issue. It had to do with the negotiation between the MetroNode and the Chelsio NIC. I contacted my ISP and they turned off auto negotiation on the MetroNode and it started transmitting. It seems to be something in the driver for the T540-CR that I am using inside of ESXI. Therefore, everything seems to be working now.

Thanks for the replies!

@alex-atkin-uk I have tried routing data from the interface's page but also not working specially for TCP connections.

also tried the manual fix by adding rules for TCP connections on the interface's page with any flags and sloppy state but not even routing to the determined gateway.

but if i made servers of Facebook or twitch static routes on specific gateway and bypassing firewall rules for it's traffic, it works just fine.

@ddbnj said in 21.02p1 policy based routing not passing replies on ipsec-VTI:

@jimp

Does wireguard also need static routes to exist before creating policy based routing rules?

If you place the rules to pass traffic on the assigned wireguard interface rule tabs, then it will work properly in both directions, just like it would work an appropriate OpenVPN setup.

@maddy_in65 You do not mention if you have set that load balance group as your default gateway or defined some firewall rules to use it.

Without either of those, it will default to the first WAN.

@larsn-0 Check System, Advanced, Miscellaneous.

This should only be happening if "Skip rules when gateway is down" is ticked, maybe that somehow got enabled on upgrade?

If not then it looks like a bug.

If so then a short term fix would be to add a block rule underneath that rule to deny connectivity for that IP address, it will only ever be used if the rule above it does not match/is missing.

@monaco not sure. From searching google, it seems to be a problem that has existed for a while

@bingo600

I used to work for a telecom that provided Telenet service in Canada. We had PADs that converted plain ASCII via dial up modem to X.25, which then connected to Pr1me computers, which the Telenet network ran on.

I relly liked IBM's OS/2 Communications Manager , used it alot back then

I also used to work at IBM Canada, providing 3rd level OS/2 support. I never worked with CM, but I did support Personal Communications, which provided 3270, 5250 and telnet terminal emulation over IP & SNA. Back in those days I actually memorized my 5 SNA addresses, 1 for my own computer and 4 for testing in my work. I also had 5 IP addresses. The one for my computer 9.29.146.147.

@snewby said in Issue Routing Between Subnets With Multi-WAN:

f you select a gateway group that using a different routing table than when you use the default gateway.

Pretty much - when you set a gateway like that, you take the normal routing table that pfsense would use to know where to send traffic X, and just shoves it down that gateway.. Be it can get to where it wants to go or not.

Rules are evaluated top down, first rule to trigger wins, no other rules are allowed. If you have a rule before you shove it out a gateway that allows said traffic - pfsense will then route that traffic per its normal routing table. if the traffic is also attached, it knows exactly where to send it. Or if say you had another gateway for a downstream router via typical routing then it would know to send it to that gateway.

Glad you got it sorted - here to help, even if just a general sort of networking question. Happy to help when I can, even if not some specific to pfsense.. Just ask it in the off topic section if has zero to do with pfsense.

@sokolum said in many Interfaces assinged to an FIB:

I have found a post about how to assign a interface to a FIB, in my that would be a VLAN interface on PFsense.
The example is using net.conf, what is not used on the PFsense, what is the proper way to assign interface to a FIB on PFsense?

https://forums.freebsd.org/threads/using-same-ip-address-on-different-fibs.52565/

Use case:
I want (need) to create 5 VLAN interfaces, al has the same /24 subnet configured (mandatory) and every interface has configured the same IP address on their interface.
I believe this is possible with FIB.

Example:

vmx1 - vlan 10 : fib 1 - all traffic is handled on fib 1 - VM 10.0.0.1/24
vmx1 - vlan 20 : fib 1 - connected to LAN
vmx1 - vlan 30 : fib 2 - all traffic is handled on fib 2 - VM 10.0.0.1/24
vmx1 - vlan 40 : fib 2 - connected to LAN
vmx1 - vlan 50 : fib 3 - all traffic is handled on fib 3 - VM 10.0.0.1/24
vmx1 - vlan 60 : fib 3 - connected to LAN
etc, etc

NOTE: on Cisco I would create a new VRF and associate that interface to an VRF. Want to achieve similar on PFsense.

Any help very much appreciated!

Wasn't able to edit my post.
What I actually try to achieve>

I have 3 networks, all same LAN Subnets and each uses for NAT a different WAN address:

Example for what i want to build:

LAN-1: vmx1 - vlan 10 : fib 1 - all traffic is handled on fib 1 - VM 10.0.0.1/24
WAN-1: vmx1 - vlan 20 : fib 1 - WAN: 192.168.0**.11**

LAN-2:vmx1 - vlan 30 : fib 2 - all traffic is handled on fib 2 - VM 10.0.0.1/24
WAN-1vmx1 - vlan 40 : fib 2 - WAN: 192.168.0**.12**

LAN-3:vmx1 - vlan 50 : fib 3 - all traffic is handled on fib 3 - VM 10.0.0.1/24
WAN-1vmx1 - vlan 60 : fib 3 - WAN: 192.168.0**.13**

@shpokas
I found my old post and the fix was to find and remove "ghost" DNS servers in configuration export then reimport exported configuration.
https://redmine.pfsense.org/issues/8390

fd0d13e9-1456-4a43-9261-b77d3a0c1cce-afbeelding.png

uncheck this apparently I had this turned on.