@jimp Deploying the patch, I have encounter an issue when ipsec rules generation is not disabled, since the rules are taking all pfsense traffic (self) for the same destination. I will add into the patch a test in filter.inc to disable the ipsec rules generation just for those phases 1. The option would be, in summary, "allows you to use duplicate gateways but you are responsible for the routing settings".

If you prefer, I can also change the from clause from the generated rules to use the phase 1 interface address instead of (self) when this option is enabled.

@johnpoz
A much appreciated thanks! I have consumed more than enough of your time this evening and have no more questions for you regarding this topic. Definitely do not ignore the wife!! Perhaps I can trouble you again sometime in the future?

@johnpoz said

Can not and does not work that way!!! The client either sends the traffic out its local interface, or it sends it down the ENCRYPTED tunnel... The router, can not see traffic in the tunnel... So how would it do anything with it??

Yeah, stupid me, it seems like I was trying to connect to local wired NAS from wifi laptop, that were on different local subnets. VPN client still allows me to connect local IPs but it knows nothing about separate subnet obviously :)

Thank you @johnpoz, now I know a tiny bit more about routing and VPNs!

@jimp "It's a common misconception that NAT has any influence here, getting over that hurdle early is best." I'm glad you brought it up, I've got the answer to my original question and I've learned how NAT actually works which was something I thought I already knew. Thanks @jimp

Sounds like your WAN interface doesn't have a gateway chosen on Interfaces > WAN

@simplerandom It's not really a "workaround"... the ending result here was you adding 2 additional WAN interfaces... which automatically created gateways that can be used for policy-based routing and also a NAT entry for each interface. You basically went the physical route vs. a virtual one.

However, a more streamlined solution (IMO) could've been configured with a single WAN interface using IP Alias VIP's and additional NAT entries.

You should be able to emulate the connectivity that PFsense provides by configuring a router with NAT enabled on the external interface (e0).

However, you will need to change the subnet on the internal interface (e1).

@techvic I don't know if you eventually got everything worked out, but at a high level, what needs to happen is the mobile clients @ site A have to know that site B's LAN is accessible thru the tunnel and site B needs to know that site A's remote access tunnel network is accessible thru the tunnel.

Also, assigned interfaces are not required to get this working. The routing is generated by OpenVPN behind the scenes based on the options provided in the GUI.

If your issue is resolved at this point, great. If not, I would start a new thread.

Thanks that make sense.
I'd forgot I'd added the Outbound rule for OPT1 devices using OPT3PIA.

I'll set this up and see how I get on.

Cheers

We need more info. For example:

Give us some insight into the network design... provide a network map.

Post the firewall rules for all relevant VLANs.

Are your AP's trunked to the switch? If so, what VLANs are allowed on the trunk?

Are the AP's connected to a controller? If so, is traffic dumped on the wire or does it flow thru the controller?

What are you using for DNS/DHCP? PFsense or something else? If it's something else, what VLAN are the servers on, what are the IPs and are your clients receiving the correct IP's?

Are all the appropriate VLANs allowed on the trunk from PFsense to the switch?

Dear,
I have followed the above mentioned guide lines but no luck.

@viragomann any tips on troubleshooting?

My ISP is DNA I'm from Finland and the modem is the Inteno EG300AC. There is a small amount of info about the router because in Finland ISP have their "own" modems. So the manual is only in Finnish. A direct quote from the manual (with my own translation) "In Bridge mode, the IP addresses of the home network are shared directly from DNA and each one
of the modem-connected devices (max. 5) communicates with the Internet with its own public IP address" and the manual is strictly talking about consumer models. My wan IP is something like 85.23.5*.***. Oh and also for clarification I don't have a pfSense box right now, planning to build one.

What kind of service is this?? What brand and model modem?

You need to find out if you truly have a bottleneck or if the ISP does.. (Maybe they have you provisioned wrong.. ect.)

Not knowing what your hardware is I still would guess is that you should get better speeds than that.