@johnpoz said in Add route to host:

Under system routing, when you add a gateway - bottom of page advanced. You can set that the gateway is not local to your wan subnet

Thank you, @johnpoz ! This was too simple. 🙄

OK, I finally found some time to dig into this. Writing this followup in case anyone runs into a similar issue in the future.

Some investigation with tcpdump showed that the remote host was seeing checksum errors on the TCP packets (yet ICMP was working fine).

Disabling hardware checksum offloading in pfSense resolved my issue (System -> Advanced -> Networking -> Hardware Checksum Offloading).

pfSense is running under XCPng 8.1.0 on an unknown motherboard using onboard Intel 82576 Gigabit NIC.
Not sure if the checksum error is creeping in due to XCP or NIC drivers, but in my case the network traffic is quite low, so I'll run with the hardware checksum disabled.

For my wireless setup, I altered the wifi access points to allow broadcast traffic from the pfsense box. In most cases, the wiresless drops broadcast packets from the LAN side.

I also increased the time for the ARP expiration.

Since doing the above my network seems a bit more stable, but I still don't feel like we've gotten to "root" cause.

i have this problem to
:(

@whosmatt Interesting, I did not know that gateway groups could span multiple devices. How do I do add a gateway from another Firewall to the group? Or do I just create a group with one Gateway on each firewall?

Yes, I selected the second wan at the send from and at the interface to monitor, added a static route, and the cached ip is the first wans ip, but the ddns has the right ip, because the request was sent from the second wan. So it works, but it won't update when the ip changes, because te pfsense monitors the primary wan.

Create a Alias for your "some devices" and use this Alias as Source in a Firewall Rule to Policy Route them out WAN1.

-Rico

@M0L50N said in Block Mobile OpenVPN client connexion from target local network site!:

@bingo600 That’s the first thing I though, but maybe that can cause another problem on my network? Maybe if I just block about OVPN port used for the connection?!?

Yes you could do that too
On "Inside Lan" - Block <OpenVPN Server Public IP> - UDP port <OpenVPN Server Port>

@Derelict thank you, its likely something in the docker / macvlan configuration I've not wrapped my head round yet then.

I really Thank you! I didn't think about that! That's why I post that question and I was sur someone like you had the answer!

Thanks again, that works perfectly like that!