@johnpoz said Can not and does not work that way!!! The client either sends the traffic out its local interface, or it sends it down the ENCRYPTED tunnel... The router, can not see traffic in the tunnel... So how would it do anything with it?? Yeah, stupid me, it seems like I was trying to connect to local wired NAS from wifi laptop, that were on different local subnets. VPN client still allows me to connect local IPs but it knows nothing about separate subnet obviously :) Thank you @johnpoz, now I know a tiny bit more about routing and VPNs!

@jimp "It's a common misconception that NAT has any influence here, getting over that hurdle early is best." I'm glad you brought it up, I've got the answer to my original question and I've learned how NAT actually works which was something I thought I already knew. Thanks @jimp

Sounds like your WAN interface doesn't have a gateway chosen on Interfaces > WAN

@simplerandom It's not really a "workaround"... the ending result here was you adding 2 additional WAN interfaces... which automatically created gateways that can be used for policy-based routing and also a NAT entry for each interface. You basically went the physical route vs. a virtual one. However, a more streamlined solution (IMO) could've been configured with a single WAN interface using IP Alias VIP's and additional NAT entries.

You should be able to emulate the connectivity that PFsense provides by configuring a router with NAT enabled on the external interface (e0). However, you will need to change the subnet on the internal interface (e1).

@techvic I don't know if you eventually got everything worked out, but at a high level, what needs to happen is the mobile clients @ site A have to know that site B's LAN is accessible thru the tunnel and site B needs to know that site A's remote access tunnel network is accessible thru the tunnel. Also, assigned interfaces are not required to get this working. The routing is generated by OpenVPN behind the scenes based on the options provided in the GUI. If your issue is resolved at this point, great. If not, I would start a new thread.

Thanks that make sense. I'd forgot I'd added the Outbound rule for OPT1 devices using OPT3PIA. I'll set this up and see how I get on. Cheers

We need more info. For example: Give us some insight into the network design... provide a network map. Post the firewall rules for all relevant VLANs. Are your AP's trunked to the switch? If so, what VLANs are allowed on the trunk? Are the AP's connected to a controller? If so, is traffic dumped on the wire or does it flow thru the controller? What are you using for DNS/DHCP? PFsense or something else? If it's something else, what VLAN are the servers on, what are the IPs and are your clients receiving the correct IP's? Are all the appropriate VLANs allowed on the trunk from PFsense to the switch?

Dear, I have followed the above mentioned guide lines but no luck.

@viragomann any tips on troubleshooting?

My ISP is DNA I'm from Finland and the modem is the Inteno EG300AC. There is a small amount of info about the router because in Finland ISP have their "own" modems. So the manual is only in Finnish. A direct quote from the manual (with my own translation) "In Bridge mode, the IP addresses of the home network are shared directly from DNA and each one of the modem-connected devices (max. 5) communicates with the Internet with its own public IP address" and the manual is strictly talking about consumer models. My wan IP is something like 85.23.5*.***. Oh and also for clarification I don't have a pfSense box right now, planning to build one.

What kind of service is this?? What brand and model modem? You need to find out if you truly have a bottleneck or if the ISP does.. (Maybe they have you provisioned wrong.. ect.) Not knowing what your hardware is I still would guess is that you should get better speeds than that.

Have you restarted the browser session or reset the states on pfSense? tracert is not representative here, cause it uses ICMP and you have allowed this traffic in your first rule on this interface. You may move your policy routing rule up to the top of the rule set, so that it is applied for ICMP packets as well. Since you have enabled logging in all of the rules, check the filter log to get an idea which rule allows the traffic. Maybe a floating rule?

Well, we have manage to solve the issue. But the real problem behind is still certanly unknown for me. We had install a router between ISP cable and pfSense. The Router's WAN access was configured with the IP address that used to had pfSense WAN network and pfSense WAN now is configured as DHCP mode (using private address like 192.168.x.x) After that the IP address that the router gaves to pfSense is configured at DMZ in router. That's all.

@mabebi said in New pfsense user - cant get routing to run: I have also changed the WAN pfsense interface to 10.0.1.1 and the cable modem to 10.0.1.83 Also.. what are your subnet sizes.. /24? /8? /32??