• DNS problems for connected clients having dual stack ipv4/v6

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    @heiko-ecm4u said in DNS problems for connected clients having dual stack ipv4/v6: office has only a ipv4 had no need until now ... Prob be that way for 10+ more years at least if not longer.. Until such time that major players go IPv6 only - offices have little need of IPv6 to be honest.
  • 0 Votes
    6 Posts
    713 Views
    Bob.DigB
    @gertjan Yes. The reason is to use the always-on vpn-feature in android and not manually have to do anything for a vpn connection at anytime. Also OpenVPN for Android works as an app firewall, so I can block apps to access the internet at anytime.
  • Communication between one hosts on OpenVPN isolated

    2
    0 Votes
    2 Posts
    503 Views
    V
    @fuxxik pfSense cannot control the traffic between OpenVPN clients, this happens within OpenVPN and here you only can allow all inter-client communication or not. To achieve what you want, you will have to set up an additional OpenVPN server on pfSense for that specific client. This way the traffic to this client has to pass pfSense and you can control it by filter rules.
  • Will the recent openssl vulnerabilities affect OpenVPN?

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Pfsense VPN Support for Okta 2FA

    2
    0 Votes
    2 Posts
    937 Views
    S
    Is there any information available on adding Okta 2FA? This could be a deal breaker for our continued purchase of pfsense licenses.
  • Pulling Remote Certificate Revocation List

    2
    0 Votes
    2 Posts
    505 Views
    S
    Is there any information available on remote pulling CRLs? This could be a deal breaker for our continued purchase of pfsense licenses.
  • Traffic arriving on OpenVPN interface not being routed forward

    7
    0 Votes
    7 Posts
    1k Views
    P
    I've run into a similar issue, also having many other instances working in the field. The problem that I can see is that the iroute works, within the openvpn space, but the OS underlay is not adding the route, so traffic doesn't go back. If you raise the log level to 6 and grab the logs, you'll see if your iroute gets installed, then ssh into the pfsense os and perform netstat -rn, you'll see if the OS has the route. Still haven't found a solution myself.
  • how to hide connection information in openvpn?

    12
    0 Votes
    12 Posts
    2k Views
    NogBadTheBadN
    Split tunnel maybe ?
  • How to layer 2 OpenVPN site to site setup

    3
    0 Votes
    3 Posts
    666 Views
    U
    @marvosa hi dear friend. I have different services like monitoring and others that need to be in two different VM, so I need my users traffic to pass from two nodes. With full tunnel remote access server I can only pass my traffic through one node. I also need my connection to be layer two connection. I uploaded full config of my pfsense-1 and pfSense-2. Please see them and help me. I want to connect pfSense-1 with layer 2 tap mode and then because pfsense-1 and pfsense-2 connected with layer 2 tap mode site to site therefore i will using pfsense-2 ip address that for example when i checking my ip address on https://myip.ms website, i pfsense-2 ip address.
  • What's the difference between route and push route?

    2
    0 Votes
    2 Posts
    289 Views
    GertjanG
    @ipguy That's an openvpn thing, and thus an openvpn question. You can find these on the openvpn forum. I found one for you. Also have a look at the openvpn "manual".
  • 0 Votes
    6 Posts
    639 Views
    johnpozJ
    @valk said in All traffic behind pfsense is being routed through VPN. How can a client opt out?: So I want to be able to do it from the client side Then run your vpn on your client..
  • Site to site - client route not installed on server

    3
    0 Votes
    3 Posts
    434 Views
    P
    So, installing a static route manually in the OS makes the thing work. A bit stuck now, feels like the knobs are not doing what they should.
  • OpenVPN and long distance tunnels

    5
    0 Votes
    5 Posts
    1k Views
    P
    Thanks for the reply. True, it is M-files we are running. I will do another attempt with them but so far it has been quite useless replies in any type of support request we have sent them. We will try the in-house web solution that is an option and see if it has the features we need or if we are forced to continue to run RDP from the locations that have too high RTT.
  • openvpn client configuration

    2
    0 Votes
    2 Posts
    437 Views
    G
    @gpeting Bump, just trying to get a response with a sense of urgency. We have a hurricane heading our way and need to get the remote phones programmed ASAP. Thanks in advance.
  • Why can't I use a /8 ?

    8
    0 Votes
    8 Posts
    769 Views
    johnpozJ
    @ipguy said in Why can't I use a /8 ?: the next remote network, 10.3.0.0/28 the next remote network, 10.4.0.0/28 I am with @JKnott here - this doesn't make a lot of sense.. So you have a remote device.. And it has a /28 or even multiple /28s on the other end of it.. Ok what does that have to do with your tunnel network? How many devices are going to connect to the openvpn server? 8000? So your tunnel network would only need to support 8000 IPs.. So a /19 would allow for 8190 address - so if using subnet vs net 30, each modem would only be getting 1 IP for the tunnel.. So 8190 modems. What networks are on the other end of the tunnel has nothing to do with the tunnel network.. The tunnel network allows for how many clients can connect to that server.. Using a /16 tunnel would allow for 65k devices to connect.. Even using net30 addressing you would still have way more than enough for 8000 connections. Also with the next remote network, 10.3.0.0/28 the next remote network, 10.4.0.0/28 You're wasting a lot of space between those networks as mentioned.. You're using a whole /16 just to assign a /28... Think we are missing some info here. But you could route multiple networks across your 1 IP used to connect for the tunnel.. I think a better understanding of what you're doing or wanting to do exactly.. How are these modems connecting to you now?
  • How can I set up clients with conflicting subnets?

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • OpenVPN Killswitch Issue

    1
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • Issue with two CAs

    2
    0 Votes
    2 Posts
    393 Views
    D
    Modified the pivpn install script and set the CN for one location to be different. It seems pfsense computes identical hashes otherwise and gets confused which is which.
  • Verify error dept=0,error=certificate

    2
    0 Votes
    2 Posts
    311 Views
    bingo600B
    @nortel Does your device have the correct date & time set? If so ... I would check if the message: error=certificate has expired, is valid. From the pict, it seems like the client is a Windows pc w. OpenVPN client installed. What is the other (Server) end? A pfSense you control?
  • Windows 10 Client Not Obtaining IP in TAP Mode

    6
    0 Votes
    6 Posts
    581 Views
    E
    I'll try updating the OpenVPN client. I saw the new v3. It looks like a Windows version of the iOS client and seems feature limited. Not sure if anyone here has used it before. Maybe it's just the GUI is nicer looking and the "innerds" are still high-tech. :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.