Have you restarted the browser session or reset the states on pfSense?

tracert is not representative here, cause it uses ICMP and you have allowed this traffic in your first rule on this interface.
You may move your policy routing rule up to the top of the rule set, so that it is applied for ICMP packets as well.

Since you have enabled logging in all of the rules, check the filter log to get an idea which rule allows the traffic. Maybe a floating rule?

Well, we have manage to solve the issue.
But the real problem behind is still certanly unknown for me.

We had install a router between ISP cable and pfSense.
The Router's WAN access was configured with the IP address that used to had pfSense WAN network and pfSense WAN now is configured as DHCP mode (using private address like 192.168.x.x)

After that the IP address that the router gaves to pfSense is configured at DMZ in router.

That's all.

@mabebi said in New pfsense user - cant get routing to run:

I have also changed the WAN pfsense interface to 10.0.1.1 and the cable modem to 10.0.1.83

Also.. what are your subnet sizes.. /24? /8? /32??

@Derelict

Well done and thanks.

I had a similar issue. My advice is to make sure that the routes defined on PFSENSE2 include a route to your IPSEC subnet with PFSENSE1 as the gateway for that route.

Ultimately, for me, what was happening is that PF1 correctly routed the traffic from the external VPN through to PF2, but PF2 didn't have a route back to the IPSEC subnet, so it didn't know where to send the response.

See topic "Routing OpenVPN Clients to Tinc VPN" in this forum for more details.

I was asked to accomplish this exact task for my company. After playing around with it, I came up with the following details:

"Subnet = 172.16.2.0/24" goes into the "Extra Host Parameters" advanced area of the tinc configuration in the main site's pfsense "route add -net 172.16.2.0/24 192.168.0.1" goes into the "Host Up Script" area of the tinc host configuration for the main site in the branch site's pfsense

The actual subnets and IPs above should be changed to the appropriate ones for your environment.

I hope this helps anyone who needs to accomplish the same kind of thing.

@SR190 You seem to be way more knowledgeable about this stuff than I, so maybe you can help me. I don't have a pfSense. I have Arris surfboard (optimum) -> LB2120 -> Netgear AC series WiFi access point. I have a lot of static IPs and since the LB2120 doesn't support this, I don't want to use the DHCP service on that. Optimum provided IP address is dynamic. My first setup was to have LB2120 in bridge mode with IP as default with 192.168.5.1. My current LAN range (DHCP from Wifi AP) is 192.168.1.x. In bridge mode, I'm fine with the wired connection to optimum and can open the LB's browser at 192.168.5.1. When I disconnect the Optimum connection, it doesn't seem to failover and I can't get to the LB address. I know I'm getting LTE data because FreedomPop shows my data usage ticking up (presumably modem pings). I also tried putting it in router mode and disabling the DHCP service, but no go. I managed to screw it up so badly by enabling VPN that I had to do a factory reset because I couldn't get to the LB. So I'm wondering if changing the LB address to within my LAN range of 192.168.1.x is necessary or if you had any other thoughts. Appreciate any help.

This got resolved by having the ISP configure /25 at their end and we advertising /25.

@marcus_1302

btw. just saw that even when you set the upstream gateway on the WAN interface, you can prevent pfSense from adding a reply-to userrule.

Under System - Advanced - Firewall & Nat there is a checkbox

Disable reply-to on WAN rules

With Multi-WAN it is generally desired to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, this behavior must be disabled if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.

In hq are you sure you have two lans? They overlapp. (/16) and are rather big.
Yes, you can send specific traffic to specific gw with policy routing.
As for the return packets, at remote site lan you also need to have some policy routing so packets return the same way.
You can do it at the ospf level, but it is starting to get complicated.

I would eliminate ospf altogheter, direct connect two pf at sites and do assymetric load balance for the two links.

Sorry, but I don't get it An sd wan, a cloud in the middle and suddenly a vpn tunnel across the cloud???
It might work, but it doesn't feel right as a concept.
If you need firewalling, why the sdwan is not doing it?

It seems you have an authority issue to solve, not a technical one.

Or:
https://administrator.de/wissen/openvpn-server-installieren-pfsense-firewall-mikrotik-dd-wrt-gl-inet-router-123285.html#toc-7
Google Translator maybe your friend here... ;-)

@viragomann
Thank you for your answer.
My bad: I meant the 172.30.192.0 network.
My problem is I can't connect the LAN to the internet from Firewall B.
Thanks.

@jimp Ah yes, I do remember reading about binding to localhost for dual WAN OpenVPN setups. Thanks for the info, it's great to have such a knowledgeable and helpfull community.