@Pagi So I guss, the NAT address changed to the WAN address. Set it to LAN3 address and it should do, what you want.

UPDATE: I now recommend absolutely to avoid ULAs (fd:: and fc:: due to RFC 6724) it seems that those specific subnets will usually prioritise IPv4 traffic and other oddities so you can absolutely use them for special use cases but for a LAN or a dual stack setup I recommend the other f000::/4 subnets which work because they're not official ULAs (so I guess I want them to be that way now).

@alexanderjh said in Issue with local Ubuntu VPN behind PFsense: this is really tricky with UDP. The thing is, I use the pfSense Openvn server, that uses the default UDP and default 1194 port. I don't know anything about "IPSEC" and "strongwan". What protocol number it is, if it uses ports, etc Keep mind that your issue isn't pfSense related right now. Here : proof : [image: 1758006997553-20acf017-6cdd-4194-925f-e19a72353f95-image.png] your VPN traffic never even reaches the pfSense WAN port. It can't redirect what it didn't receive ^^ That said (example) : if IPSEC is using IPv4 and UDP, and port '45000' as a destination. Your rules do work fine for traffic with destination port 80 and 443, TCP, IPv4 - the web server traffic.

@jimp Ok , thanks)))

@netblues Can you Post you Setup?

@sho1sho1sho1 nothing in the resolver would or could do that.. You running pfblocker? Show the rule in your ruleset. There is this feed in pfblocker [image: 1755628936429-pfblocker.jpg] That sure doesn't even look like a NS ;; QUESTION SECTION: ;4.64.4.64.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net. And it doesn't even answer dns, atleast not from me. That is a bell canada IP.. Is that who you use for ISP?

@johnpoz -Yep-that worked just fine Jonpoz. TYVM.

@BlueSun ok, I'm generally out of my depth in regards to BGP. All I can say if you set a gateway in the interface settings (see screenshot) then pfSense creates NAT rules automatically, if outbound NAT is set to automatic or hybrid. [image: 1755188790365-screenshot-2025-08-14-at-18.25.56.png] But since you have disable outbound NAT I can't see your traffic being NAT-ted at all. Are you using the FRR packages and if yes did you have a look at pfSense Docu: BGP Example Configuraton for a start?

@IonutIT localhost is always going to be up to bind to.. but possible that my wan or say a vpn interface is not up when unbound restarts. If interface is not up can not bind to it.. So helps to make sure unbound starts and binds on interface to use to do outgoing queries.

Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?

@johnpoz I see, thanks for explaining and the help!

@iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself! Hopefully your setup will remain stable going forward.

@ahole4sure Maybe the routing table brings dissociation. However, I'm not familiar with Tailscale. Don't know, what it does.

@Gertjan said in pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2: [...]matches your usage case ? You have Static routes, multiple sub nets ? Yes, the remote location has its own subnet and connects via a static route to the network in the main office. The default route of the remote location is set to the router that provides internet access in the remote location.

@carrzkiss why is that? HA proxy can listen can send stuff based on the uri to different machines. something.domainX.tld goes to your IIS IP otherthing.domainX.tld goes to your linux box. etc..