@netblues WeChat Screenshot_20210123143847.png

i reach to all those CPEs using Fiber network.

@gertjan On different machines...linux and windows.

If you need help setting that up - just ask..

But if your goal is isolation - which I assume it is because your asking how to only allow 1 IP, and block others. Then you really need to create two different L2 networks (vlans or completely different physical networks - 2 interfaces on pfsense with 2 different dumb switches).

Another option would be to just put them all on the same L2 (same L3 as well), but make it a private vlan... And then you can let X talk to Y, and A talk to D, but block Z from talking to A, etc. Via setting on your switch that support private vlans. But you need a switch that supports that.

Simple solution to keeping A from talking to B, is put them on different actually isolated networks. And then filtering whatever traffic you want to allow/block on pfsense.

@bn1980 said in Config for LAN devices to see a virtual network on a DMZ device:

172.17.0.1/16

add a static route to pfsense
configure 10.10.10.111 as a new gateway, go to static route and add a destination for 172.17.0.1/16 via 10.10.10.111
try to ping the docker

@streamholder i have the same problem did you find any solution.

@edmond said in multiwan not switching back to primary:

my primary wan (OPTIC_PPPOE) failed but after it got available it does not switch automatically from backup to primary.

Hi,

this has been fixed a long time ago:
https://redmine.pfsense.org/issues/9054

and can help

https://forum.netgate.com/topic/84269/multi-wan-gateway-failover-not-switching-back-to-tier-1-gw-after-back-online/19

+1 for this.

Seems like an odd thing to do - overlapping networks in the same network.. Good luck. Thanks for entertaining my curiosity cat..

I thought it could be a remote site via a vpn, having overlap of some vlan in your internal network.. Which you could just use say the tunnel IP to allow them to ssh/gui to pfsense. Where the tunnel network should be be overlapping any network either remote or local..

But sure a vip would allow you to put a non overlapping IP on pfsense to be able to access.

@johnpoz Yeah I guess I figured with having the LAN Allow all rule as is and then just change the gateway on the ones I want going through the vpn would work fine. Thats actually the way I had it when trying protonVPN.

@viragomann said in Source based Routing with pfSense:

@birtalevente said in Source based Routing with pfSense:

From this another location, other company the connection is initiated to the WAN1 and WAN2 IPs, but the responses are routed out through the WAN3 ... which is somehow logic because I have in the routing table a.b.c.0/24 on WAN3

No, this is logic, because the destination IP lies within the subnet of WAN3 if I did undersand right your alphabetic variables:

@birtalevente said in Source based Routing with pfSense:

So, the WAN3 network let's say is a.b.c.0/24, WAN3 IP is a.b.c.62
There is another location, other company where the ISP assigned the a.b.c.192 IP address

So if here a.b.c are the same in both variables, your WAN3 IP and that one of the other company are in the same subnet.
If so, the other company should access your router at WAN3 and nothing other.

This is not possible...WAN3 is low speed and dedicatet to other services.

If they come in on an other WAN, they may have set a wrong mask in the WAN configuration (not /24).

They come in on the right WAN because thats how is set up on they side!

Your router cannot response to an address on another interface if the destionation is in the subnet of WAN3 in the end.

That sucks ... 😊

So I need to reconfigure a little bit

Thanks anyway !

Levi

@golserma I didnt even ever heard about it

Is there a specific reason for using 2 separate PfSense instances?

A single instance with 2 WAN interfaces would have no problem routing the way you want it to.

You may be able to do what you are seeking with a static route, but I have never tried what you are planning myself.

Matthew

If I understand you correctly, we are doing this at one of our sites now by using OpenVPN in tap mode

Our PfSense has 2 WAN links, 2 LAN interfaces and about a dozen VLANS.

In the OpenVPN config, we have specified a Server Bridge DHCP start and end range, which is outside our Windows server DHCP scope on the same LAN [this may not be required, we wanted to be able to see which clients were local and which were remote by looking at the IPs]

No tunnel network is specified.

When the client logs in, they get an IP in the same subnet as the LAN interface, and they can access all services within the LAN. They can also route traffic back to the internet as if they were connected via the office network.

I do not have a how to for this, but I recall it was not overly difficult to setup.

Matthew

@abidkhanhk said in Metro Ethernet WAN and routing setting:

Hello,
I am trying to setup a metro ethernet network between 3 sites,
as previous on these sites we have juniper ssg5, and i didnt have any access to their routing configuration or gw information, i was only able to gather limited informaiton by using tracert -d commands from windows, so far i have found that the site have below IPs as their Wan

Site A. WAN192.168.100.1 LAN192.168.1.1
Site B. WAN192.168.100.2 LAN192.168.2.1
Site C. WAN192.168.100.3 LAN192.168.3.1

so in order to make it work, I created the WAN IPs and gave them their opposite firewall's WAN IP as GW.
e.g Site A WAN 192.168.100.1 GW192.168.100.2 and GW 192.168.100.3
and defined static route as 192.168.2.1 over GW 192.168.100.2 and 192.168.3.1 over GW192.168.100.3
However, it is not working so well.. i am not sure what am i doing wrong,
How i can define the GW on these wans, and what kind of static routes to give then.
Can someone please guide me . thanks.
36cc7cc8-d096-4a02-8782-d39344170ea9-image.png

anyone can help?

@johnpoz

LOL-Right you are, both my sons are programmers and one is experimenting with hacking right now, so I guess he COULD be sniffing out traffic on my internal network, but I trust him and don't need to hide anything from my own son.

I feel a bit ridiculous and thank you for the reminder that there is such a thing as to much (and in my case useless)security.

I just deleted to two DNS rules and left the one blocking traffic from LAN2 to LAN and allowed LAN2 to everything else, meaning the internet.

I think I am good.

Cheers

@bldnightowl said in Filtering out TCP:A, TCP:FPA, etc. packets (again):

it would be nice if the UI prevented the flag settings from even being available.

You could put that in as a feature request I would think.