• Utilizing single tunnel to be routed to different gateway

    10
    0 Votes
    10 Posts
    804 Views
    V
    @depam said in Utilizing single tunnel to be routed to different gateway: Anyway, the latency between Site B and C is quite high hence I want to route it via Site A which is faster since it's already hosted in the AWS cloud. I don't get it. If there is high latency from B to C I'd assume it's either on B's upstream connection or on C's. So if you go from C > A > B > internet, I'd expect that you have at least the same high latency, since the problematic path is inevitably part of this new path. Preferably, go to Site A but can have the slower connection as backup via Gateway Group. I have tunnels across all sites A, B and C configured with /30 (Peer to Peer TLS) approach similar to the deprecated Shared key. In addition, Site B has an OpenVPN client connecting to an external site. The problem you're facing with this is, if you set the routes in the VPN connections with the "Remote Networks" and both VPNs are connected (A <=> B / A <=> C and B <=> C) you would have two routes between B and C. I don't know which one is taken in this case. I guess the one which is established last, but not sure. So I cannot say that this will work as intended. However, it should work if you disable B <=> C though. How did you configure the gateway groups?
  • Port Forward from OpenVPN to IPSEC

    3
    0 Votes
    3 Posts
    370 Views
    S
    @viragomann That Worked! Thanks a lot
  • split dns problem

    2
    3
    0 Votes
    2 Posts
    242 Views
    No one has replied
  • UPNP Security - Xbox One

    8
    0 Votes
    8 Posts
    4k Views
    JonathanLeeJ
    Also make sure you are not blocking multicast traffic; if you are, UPNP will not work.
  • How to create static routing in Mikrotik for PfSense server?

    4
    0 Votes
    4 Posts
    656 Views
    R
    @viragomann Thanks, I'll check the link.
  • Port Forwarding

    5
    0 Votes
    5 Posts
    665 Views
    MarkCabreraM
    @johnpoz I already enabled the non-local gateway; still the gateway is offline, 100% packet loss.
  • NAT Redirect for DNS

    1
    1
    0 Votes
    1 Posts
    172 Views
    No one has replied
  • Port Forwarding From Port to Different Port, i.e. port 8087 to port 80

    11
    3
    0 Votes
    11 Posts
    2k Views
    J
    @johnpoz Yep! I've got a headache!! But I am understanding a LOT more. Again, thank you!! You sir are awesome! John
  • OpenVPN connectivity problems

    4
    0 Votes
    4 Posts
    402 Views
    V
    @asiawatcher Just obey my suggestions and it should work.
  • OpenVPN & dedicated static ip

    9
    2
    0 Votes
    9 Posts
    704 Views
    A
    @kiokoman Sorry, outbound rules are for all the LAN, yes, so the NAS itself also.
  • Accessing Plex Via the App

    2
    0 Votes
    2 Posts
    224 Views
    L
    This fixed my issue, for anyone else finding their way to this same issue: https://www.reddit.com/r/PleX/comments/77b151/can_access_server_via_browser_but_not_apps/
  • NATed response exits wrong WAN interface

    7
    0 Votes
    7 Posts
    693 Views
    V
    @AkkerKid-0 pfSense applies only one single filter rule on incoming packets. But there is a strict order and the first which matches gets applied. See Rule Processing Order for details.
  • Issue nat always need to reboot

    12
    0 Votes
    12 Posts
    1k Views
    K
    Hi @johnpoz, so I ended up rebooting and it started to work. Very odd, can't seem to find out the issue.
  • Routing NAT out WAN, but using DMZ address

    2
    0 Votes
    2 Posts
    346 Views
    D
    @dmayle Self-replying here. It looks like I should be using a VIP (Virtual IP Address) of type "Other": Other type VIPs define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other type VIP is making that address available in the NAT configuration drop-down selectors. This is convenient when the firewall has a public IP block routed to its WAN IP address, IP Alias, or a CARP VIP.
  • NAT Reflection Auto Outbound NAT

    6
    0 Votes
    6 Posts
    1k Views
    planedropP
    @SteveITS Correct, but this is in relation to NAT reflection, so the IP is being accessed externally. I just didn't understand this setting until now. All it's doing is NATing the source IP to the router's IP on that interface, this way if the client tries to connect to the web server's public IP, but the web server is on the same subnet as the client, the web server itself sees the connection coming from the router's default gateway IP, this way it responds back to the router instead of trying to direct connect to the client (since they're on the same layer 2), so that the NAT reflection can NAT things back like it should. I was trying to figure out why NOT having this setting enabled under Advanced > Firewall & NAT was still working, but that was simply because the NATing of the source was not necessary since the web server is on its own subnet, so the web server is going to reply to the default gateway on its subnet regardless. As for split DNS that is exactly what I would normally do, but this is a bit more complex of an environment, but NAT reflection works perfectly in the meantime, I was just trying to be sure I fully understood the settings I was looking at. All makes sense now though! Appreciate the replies here.
  • SOLVED - NAT 1:1 between VLANs over a Virtual IP

    8
    0 Votes
    8 Posts
    3k Views
    C
    Hi Derelict! I am in the exact same situation as NekoSema and tried to solve it the same way, before stumbling upon this thread. I already did what you said, except for: "X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)" I don't know how to accomplish that. I thought it might be a static route, but I don't know how to define it. I know this thread is old, but it is the exact description of the situation that I am facing.
  • I port forwarded, but why is port still closed?

    2
    0 Votes
    2 Posts
    361 Views
    johnpozJ
    @eiger3970-0 said in I port forwarded, but why is port still closed?: run VM OPNsense I think you're lost.. vm router pfSense 23.1.11_1-amd64 There is no such version of "pfsense" - again you're on the wrong forums.. Ask over on the forums of the software you're using. But common issues with port forwarding: the port never actually gets to your edge, sniff on your WAN to validate traffic is actually getting to your router that is going to forward traffic. Where you're forwarding has its own firewall that is not allowing the traffic, you're using the wrong port, or the port your app is listening on is different than you think, or it's not even running. Or the device you're forwarding to isn't using the device you're forwarding from as its gateway.
  • Crash in filter.inc

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    That is an odd place for it to throw an error. It suggests it had a problem writing that file out. Gut feeling says it may be hardware (e.g. disk/ssd) but it could just be the filesystem if it's UFS. Running a filesystem check a few times might help. If the disk is using ZFS then it's more likely to be hardware.
  • Placing old Firewall/VPN behind new PFSense box

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • can not find "Static Port" in the pf rule

    1
    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.