@simplerandom It's not really a "workaround"... the ending result here was you adding 2 additional WAN interfaces... which automatically created gateways that can be used for policy-based routing and also a NAT entry for each interface. You basically went the physical route vs. a virtual one. However, a more streamlined solution (IMO) could've been configured with a single WAN interface using IP Alias VIP's and additional NAT entries.

You should be able to emulate the connectivity that PFsense provides by configuring a router with NAT enabled on the external interface (e0). However, you will need to change the subnet on the internal interface (e1).

@techvic I don't know if you eventually got everything worked out, but at a high level, what needs to happen is the mobile clients @ site A have to know that site B's LAN is accessible thru the tunnel and site B needs to know that site A's remote access tunnel network is accessible thru the tunnel. Also, assigned interfaces are not required to get this working. The routing is generated by OpenVPN behind the scenes based on the options provided in the GUI. If your issue is resolved at this point, great. If not, I would start a new thread.

Thanks that make sense. I'd forgot I'd added the Outbound rule for OPT1 devices using OPT3PIA. I'll set this up and see how I get on. Cheers

We need more info. For example: Give us some insight into the network design... provide a network map. Post the firewall rules for all relevant VLANs. Are your AP's trunked to the switch? If so, what VLANs are allowed on the trunk? Are the AP's connected to a controller? If so, is traffic dumped on the wire or does it flow thru the controller? What are you using for DNS/DHCP? PFsense or something else? If it's something else, what VLAN are the servers on, what are the IPs and are your clients receiving the correct IP's? Are all the appropriate VLANs allowed on the trunk from PFsense to the switch?

Dear, I have followed the above mentioned guide lines but no luck.

@viragomann any tips on troubleshooting?

My ISP is DNA I'm from Finland and the modem is the Inteno EG300AC. There is a small amount of info about the router because in Finland ISP have their "own" modems. So the manual is only in Finnish. A direct quote from the manual (with my own translation) "In Bridge mode, the IP addresses of the home network are shared directly from DNA and each one of the modem-connected devices (max. 5) communicates with the Internet with its own public IP address" and the manual is strictly talking about consumer models. My wan IP is something like 85.23.5*.***. Oh and also for clarification I don't have a pfSense box right now, planning to build one.

What kind of service is this?? What brand and model modem? You need to find out if you truly have a bottleneck or if the ISP does.. (Maybe they have you provisioned wrong.. ect.) Not knowing what your hardware is I still would guess is that you should get better speeds than that.

Have you restarted the browser session or reset the states on pfSense? tracert is not representative here, cause it uses ICMP and you have allowed this traffic in your first rule on this interface. You may move your policy routing rule up to the top of the rule set, so that it is applied for ICMP packets as well. Since you have enabled logging in all of the rules, check the filter log to get an idea which rule allows the traffic. Maybe a floating rule?

Well, we have manage to solve the issue. But the real problem behind is still certanly unknown for me. We had install a router between ISP cable and pfSense. The Router's WAN access was configured with the IP address that used to had pfSense WAN network and pfSense WAN now is configured as DHCP mode (using private address like 192.168.x.x) After that the IP address that the router gaves to pfSense is configured at DMZ in router. That's all.

@mabebi said in New pfsense user - cant get routing to run: I have also changed the WAN pfsense interface to 10.0.1.1 and the cable modem to 10.0.1.83 Also.. what are your subnet sizes.. /24? /8? /32??

@Derelict Well done and thanks.

I had a similar issue. My advice is to make sure that the routes defined on PFSENSE2 include a route to your IPSEC subnet with PFSENSE1 as the gateway for that route. Ultimately, for me, what was happening is that PF1 correctly routed the traffic from the external VPN through to PF2, but PF2 didn't have a route back to the IPSEC subnet, so it didn't know where to send the response. See topic "Routing OpenVPN Clients to Tinc VPN" in this forum for more details.

I was asked to accomplish this exact task for my company. After playing around with it, I came up with the following details: "Subnet = 172.16.2.0/24" goes into the "Extra Host Parameters" advanced area of the tinc configuration in the main site's pfsense "route add -net 172.16.2.0/24 192.168.0.1" goes into the "Host Up Script" area of the tinc host configuration for the main site in the branch site's pfsense The actual subnets and IPs above should be changed to the appropriate ones for your environment. I hope this helps anyone who needs to accomplish the same kind of thing.

@SR190 You seem to be way more knowledgeable about this stuff than I, so maybe you can help me. I don't have a pfSense. I have Arris surfboard (optimum) -> LB2120 -> Netgear AC series WiFi access point. I have a lot of static IPs and since the LB2120 doesn't support this, I don't want to use the DHCP service on that. Optimum provided IP address is dynamic. My first setup was to have LB2120 in bridge mode with IP as default with 192.168.5.1. My current LAN range (DHCP from Wifi AP) is 192.168.1.x. In bridge mode, I'm fine with the wired connection to optimum and can open the LB's browser at 192.168.5.1. When I disconnect the Optimum connection, it doesn't seem to failover and I can't get to the LB address. I know I'm getting LTE data because FreedomPop shows my data usage ticking up (presumably modem pings). I also tried putting it in router mode and disabling the DHCP service, but no go. I managed to screw it up so badly by enabling VPN that I had to do a factory reset because I couldn't get to the LB. So I'm wondering if changing the LB address to within my LAN range of 192.168.1.x is necessary or if you had any other thoughts. Appreciate any help.