• IPv6 Routing

    2
    0 Votes
    2 Posts
    173 Views
    johnpozJ

    Are you just pulling those IPs out of thin air?

    That first one is a peering network. And the other one is securebit de company.

    If you don't have valid IPv6 to use - then use ULA. Or get a /48 from HE for free to use.

  • FRR BGP Routing & Subnetting

    1
    0 Votes
    1 Posts
    104 Views
    No one has replied
  • Selected devices through VPN

    3
    0 Votes
    3 Posts
    199 Views
    B

    @Rico Thanks

  • IPSEC vpn fails on Dual Wan Multi Lan after failover and restore

    1
    0 Votes
    1 Posts
    65 Views
    No one has replied
  • wireguard gateway - how to remove need for double NAT

    3
    0 Votes
    3 Posts
    2k Views
    S

    Hi there,
    Yes, I did resolve this in the end. The key for me was Static Routes on the Wireguard Gateway VM on my local network, I also set a static route on the Endpoint to send any traffic with my LAN IP addresses back over the wg interface.

    I didn't realise that if you set your wgx.conf to use AllowedIPs= 0.0.0.0/0 it forces ALL traffic over the wireguard interface, so returning traffic never gets back to the client that initiates the connection.

    Anyway, a picture is worth a thousand words, and see my updated diagram here. Apologies to the Network Engineers out there. I'm not a pro, so I guess my diagram is pretty amateur! It serves its purpose for me as documentation though :)

    In the pic, you can see the routing table on the WG Gateway VM and the WG endpoint. The routes in Green are the ones I added manually, and it all works like a charm now. Also, note the MTU thing, that caused me no end of grief, so if you have issues with SSL handshakes failing and other random stuff... check your MTU.

  • 0 Votes
    13 Posts
    1k Views
    DaddyGoD

    @ihrewerbung said in How to Multi-WAN setup as Loadbalancing and route all traffic over VPN-Provider like mullvad?:

    Maybe a Floating rule would be another workaround?

    worth a try 😉

  • Interface Groups and Multi WAN

    6
    0 Votes
    6 Posts
    499 Views
    noplanN

    @viragomann

    group of internal networks no problem
    directing traffic to a different gateway than default
    brNP

  • Load Balancing multi-gigabit ISP connections?

    20
    0 Votes
    20 Posts
    2k Views
    E

    Hi All!

    Just to give an update to this, I moved my setup to a newer beefy server and I am now able to download up to 170 Megabytes per second.

    I did not do anything special, I just migrated pfSense to our new beefy server as a virtual machine and now I'm very happy as ever.

    Thank you all for responses!

    Consider this solved until 10Gbps is available in our location, that is to another milestone.

  • Linux Transparent Proxy as Gateway for domain based routing

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • pfSense using VPN gateway instead of WAN

    5
    0 Votes
    5 Posts
    1k Views
    I

    @Lanna thanks for the advice. I tried that but it wasn't it.

    After digging around for almost a month here.

    I found the issue!
    VPN Server from Private Internet Access (PIA) created a route 0.0.0.0/1 when the interface is created.

    In OpenVPN client I had to select "Don't pull routes" and it no longer makes that route. pfSense 127.0.0.1 now properly goes through the default Gateway.

  • 0 Votes
    2 Posts
    295 Views
    JeGrJ

    @maartenv said in Can pfSense receive LACP over incoming dual WAN connections. Is that possible?:

    Or are there other solutions possible?

    Probably, depends on whether you have the possibility or want to put a device in another location and probably add some latency to the connection. But you could host another e.g. pfSense instance in another location or in the cloud, point your webserver DNS name to that and there use HAproxy to add both IPs of the external webserver IPs as loadbalancer/failover configuration so that would utilize the redundant internet connection. A bit like CDN services.

    That would also be another possibility: put a CDN service (or sth alike) in front of the webservers, add your redundant IPs to your webserver to them and have them utilize it.

    But this means that pfSense must also be able to receive LACP over the incoming WAN connections but I can not find a way to do this in the webgui. Is there a way to do this as in the Interfaces/LAGGs configuration screen the WAN interfaces are not shown.

    Should be pretty straightforward if a bit unusual: just add both physical interfaces that are pairs of the LACP bond to a LACP-type LAGG (interfaces/assignment -> Link aggregation / LAGG) and instead of configuring your WAN on the phys interface, use the newly created lagg0 interface.

  • Public IP's on DMZ interface over WAN-link or OpenVPN tunnel

    2
    0 Votes
    2 Posts
    179 Views
    M

    UPDATE: Solved

    Problem was solved, main issue was OpenVPN Main interface catch-all rule

    If anyone is interested in this thread let me know to provide a tutorial

    Thank you
    Regards
    Mike

  • Where can I enable "default gateway switching"

    3
    0 Votes
    3 Posts
    2k Views
    M

    Thank you very, very much.

    I did not know some of the Netgate documentation was outdated, so in order to prevent this kind of misinformation, I immediately downloaded the latest pfSense Documentation dated Sep 28, 2020 from here https://docs.netgate.com/pfsense/en/latest/index.html

  • Weird asymmetric routing issue [solved]

    18
    0 Votes
    18 Posts
    1k Views
    M

    @viragomann Awesome, thanks again !

  • pfSense being client and being gateway for a DMZ subnet

    13
    0 Votes
    13 Posts
    2k Views
    M

    No problem, come back if you have further issues 😉

  • How to get historical data on load balancer performance, uptime etc

    1
    0 Votes
    1 Posts
    75 Views
    No one has replied
  • Failover from cable to cell modem with failback - example

    5
    1 Votes
    5 Posts
    650 Views
    P

    @Rico - As far as I can see pfSense built in features as presented handle failover reasonably well. But failback on an expensive and data capped service like CELL is not well supported. The script I am using is a necessary hack because of this.

  • OPT1 Interface Up, Gateway Down

    5
    0 Votes
    5 Posts
    498 Views
    R

    problem was on the provider side. I called back again and they were able to see the issue. Everything is functioning like we expect now.

  • Failover does not work

    22
    0 Votes
    22 Posts
    2k Views
    DaddyGoD

    @Raffi_ said in Failover does not work:

    Let's just call it the poor man's monitoring solution :)

    I understand

    I am lucky enough to work as a freelance "IT guy" for companies that entrust me with their supervision, of course then I also "run" my own things as these things are entrusted to me

    so at their expense, I also get private resources...
    I think this is called "symbiosis" in biology, hihihihi - I hope so

    in my reading this is the monitoring solution 😉

  • Dual Wan Dpinger Errors Every 10 Minutes

    3
    0 Votes
    3 Posts
    609 Views
    H

    probably something is triggering a restart of dpinger

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.