• Filtering out TCP:A, TCP:FPA, etc. packets (again)

    8
    0 Votes
    8 Posts
    825 Views
    johnpozJ

    @bldnightowl said in Filtering out TCP:A, TCP:FPA, etc. packets (again):

    it would be nice if the UI prevented the flag settings from even being available.

    You could put that in as a feature request I would think.

  • How to only send specific route through OpenVPN client connection

    5
    0 Votes
    5 Posts
    824 Views
    S

    @bingo600 said in How to only send specific route through OpenVPN client connection:

    @soupdiver

    Netflix is a totally different beast, that does a lot to detect if you are "cheating".
    There are other posts on this forum that explain about that.

    Yea but what I don't understand is why it's affected at all. I add a filter rule for my machine on ipv4 and something on ipv6 breaks everywhere else.

    What I can think of is that they probe not only my v6 but also v4 addresses and maybe shut down everything if it looks suspicious. Who knows. Guess I have to find another exit 😁

  • Private WAN Address?

    4
    0 Votes
    4 Posts
    795 Views
    johnpozJ

    If you're behind a NAT, i.e. pfSense WAN has an RFC1918 address, or even a CGNAT IP 100.64/10, then no, you would not be able to get to it from the internet - without the NAT going on in front of pfSense forwarding the traffic to the pfSense WAN IP.

  • Trouble with two internal LANS and routing between

    3
    0 Votes
    3 Posts
    611 Views
    B

    @viragomann
    All of the additional switch interfaces are available on the front of the NG except 1 and 2. I was reading through old forum posts and found where someone was able to resolve their routing issue by using a VIP in the Netgate, figured it wouldn't hurt for me to try the same thing.

    I'll go back to the separate interfaces approach and try to config again, but I feel like I'm missing something. I have a 3750 behind the Netgate, so I could VLAN it that way as well, but I would prefer not to, since the NG will be doing the routing anyway.

  • offloading OpenVPN using external gateway

    70
    0 Votes
    70 Posts
    14k Views
    C

    I tried some other tests but no luck. I am officially unable to apply that gateway

    😧

  • Default gateway stuck in Tier 2

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • PPPOE => 1 x static IPv4 and a IPv4 /30 Subnet

    3
    0 Votes
    3 Posts
    625 Views
    F

    @kiokoman Found the mistake. The VLAN which I assigned to the interface was not giving out IPs via DHCP to the clients. I had the DHCP server up and running, but it did not work properly. So I switched configuration and set the public IPs to the interface and separated the Nextcloud network through a separate LAN out on the NIC, and all hardware behind that is not connected to the rest of the main network. So basically a real DMZ. Now it is working.

  • Static routing between LANs and VPN (pfSense in Azure)

    2
    0 Votes
    2 Posts
    685 Views
    T

    I have an equal problem with pfSense in Azure. Hope someone can give a hint.

  • Dual WAN - Port Forwarding - Policy Routing for Internet

    4
    0 Votes
    4 Posts
    1k Views
    V

    @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

    To my understanding, port forwarding should work without any settings, as long as reply-to functionality is enabled by default. (under system->advanced->Firewall & NAT)

    That's correct. That feature makes sure that responses are sent out on the same interface where the request was coming in before, no matter whether it's the default gateway or not.

    @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

    Is there any way to handle devices on LAN, using gateway on WAN1, and other devices on LAN using gateway on WAN2 ? (For normal traffic / not port forwarding).

    This can be done by policy routing rules: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

    Group IPs which you want to go out on the same interface in an alias and use this one in a pass rule as source. Expand the advanced options in the rule, go down and find the gateway drop-down. Select the proper gateway.
    It's good advice to have an alias with all RFC1918 networks defined. So you can add this at the destination together with "invert" checked. This prevents this rule from matching local destinations.
    Now you can put this rule to the top of the rule set to ensure it is applied before rules which have any.

    If you want to use both gateways but use one as default, create a gateway group. You can create multiple gateway groups including the same gateway, e.g. one with WAN1 as tier 1 and WAN2 as tier 2, and a second group the other way around.

    @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

    If I set there default gateway, what does this mean?

    The default gateway is used if no gateway or -group is stated, either in a policy routing rule or in a static route.

    Ensure that you have outbound NAT rules in place for both WANs.

  • OPENVPN multiple clients with failover

    1
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • Unable to configure L2TP site-to-site in 2.4.5?

    2
    0 Votes
    2 Posts
    319 Views
    B

    @jonnydy Try to use OpenVPN site-to-site with shared key (the easiest and error-proof configuration).

  • Problems setting up correct routing for different internal networks

    2
    0 Votes
    2 Posts
    438 Views
    bingo600B

    @th

    OpenWRT on a UBI AP, I didn't know you could do that.

    Well to me it seems like you should use multi vlans between the pfSense & the AP.

    If your AP doesn't support that, you really don't want to try two different ip ranges on the AP.

    /Bingo

  • Issue with Dual-WAN failover prevention

    5
    0 Votes
    5 Posts
    775 Views
    N

    I do. I needed to add an early rule that passes traffic destined for This Firewall. With that, all is good.

    Thank you.

  • Huawei B535 specific use case with pfsense

    2
    0 Votes
    2 Posts
    902 Views
    I

    @ibeadam To answer my own query as it may just help others.

    Found an old Microserver. Installed pfsense. Put Huawei in to bridge mode. Internet just worked. Set up L2TP client on pfsense. Set routing default to use it. External IP address as if by magic.

  • Failover WAN periodically goes down routing group

    1
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • Cellular IP on Failover

    3
    0 Votes
    3 Posts
    432 Views
    X

    Thanks. The interesting thing here is that I can remote into the network using the IP reported by the cellular modem on its internal status page. But, on failover, the IP being reported by the Dynamic DNS service and "What's my IP" is different than the IP being reported by the cellular modem. On failover, the IP address does change from my WAN address to another IP, this new IP address does get reported by the Dynamic DNS service, it's just not the same IP as the modem displays on its internal status page.

    In other words, if the cellular modem was being reported to my Dynamic DNS service then I'd be able to remote into the network on failover. But, as it now stands, I have no way (that I know of) of determining the actual IP address of the cellular modem on failover. So, there's something odd going on with how the IP is being determined.

  • Route ip directed broadcast packet to it's associated subnet?

    5
    0 Votes
    5 Posts
    2k Views
    G

    @viragomann
    still requires that I remotely access the server, authenticate and then run the command which is a bit of a hassle. I also wanted to figure out a low-touch solution because we've had occasional WoL related issues at work.

    I was able to figure out a solution though.

    I created a DHCP reservation and static ARP entry on my client device network for an unused IP, 192.168.3.254, and MAC of FF:FF:FF:FF:FF:FF.
    I then created a port forwarding rule on my server device subnet that redirects any UDP port 9 traffic destined for a device on the client device network to 192.168.3.254:9. This causes the packet to be sent as broadcast.

  • Access OpenVPN Client LAN from PFSense LAN

    12
    0 Votes
    12 Posts
    2k Views
    V

    @mw2u said in Access OpenVPN Client LAN from PFSense LAN:

    I installed OpenVPN client on Windows and I checked if server push route and if I can access all devices behind that router and everything is good.

    So it's exactly the same as from the point of pfSense in B. pfSense can access all clients in A as well.

    Configure the Windows computer as a router, set it as default gateway and try to access A from the network behind it, if you want a true comparison.

  • Firewall rules does not apply to pfsense hosted machine

    16
    0 Votes
    16 Posts
    2k Views
    J

    @rod-it okay, got it, thanks.

  • Two WAN on one physical interface

    2
    0 Votes
    2 Posts
    467 Views
    DaddyGoD

    @stijnrosaer said in Two WAN on one physical interface:

    I create a new VLAN interface in PfSense with DHCP I only get 0.0.0.0 as IP.

    Your second WAN connection must also be on a VLAN with the same ID as the one you set on pfSense.

    @stijnrosaer "One cable is connected between my modem and PfSense router (no extra are possible)"

    so do you have only ONE ISP CPE? (modem)???

    from this, that you get a second WAN option, then there is no redundancy, so what do you need a second WAN for?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.