• Route specific websites thru VPN connection

    0 Votes
    13 Posts
    11k Views
    Hi guys, I'm a new pfSense user and I've tried to use the steps in post 2, however I couldn't get the VPN running for some websites that I want to go through the VPN. After I restart the VPN I lose the WAN and VPN connection, and it shows VPN down in Status! Is there something else that needs to be done?
  • OpenVPN DNS TTL

    0 Votes
    5 Posts
    1k Views
    johnpoz
    "There is no such thing as caching records that have their TTLs expired in DNS, it is strictly against the spec." While I agree with you it's not good practice.. there is such a thing ;) Unbound advanced: "Minimum TTL for RRsets and Messages. The Minimum Time to Live for RRsets and messages in the cache. The default is 0 seconds. If the minimum value kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. The 0 value ensures the data in the cache is as the domain owner intended. High values can lead to trouble as the data in the cache might not match up with the actual data anymore." dnsmasq supports the same sort of thing, where you can overwrite a min TTL value with something long.. Say DNS says the TTL is 600, you could make your min TTL 3600, etc. But it seems like what the OP is asking is how to use a smaller TTL than what is provided. So the DNS server they are using (GoDaddy) has a min TTL of 10 min they can set.. They would like to set it to something shorter, say 60 seconds.. Just host their public DNS somewhere else is what I would suggest if you want a shorter TTL. Or look to see what the min TTL value is that they can set in the GoDaddy DNS manager. It might just default to 10 min.. Possibly they allow for a shorter TTL.. But you can always flush cache entries in unbound.. See all the flush commands here: https://unbound.net/documentation/unbound-control.html dnsmasq can do the same thing with just a simple restart.. I don't know if you can just send it a command to clear out specific records like you can with unbound..
  • Site-to-site loop - How to stop the loop?

    0 Votes
    11 Posts
    2k Views
    @Derelict: Do this: B: 192.168.2.x - OpenVPN servers. Server settings to (A): Server mode: p2p (Shared Key); Device mode: tun; Interface: WAN; Local port: blank. Tunnel Settings: IPv4 Tunnel Network: 10.1.200.0/24; IPv6 Tunnel Network: blank; IPv4 Remote network(s): 192.168.3.0/24~~,192.168.1.0/24~~; Disable IPv6: yes. Server settings to (C): General Information: Server to other (C); Server mode: p2p (Shared Key); Device mode: tun; Interface: WAN; Local port: blank. Tunnel Settings: IPv4 Tunnel Network: 10.0.100.0/24; IPv6 Tunnel Network: blank; IPv4 Remote network(s): 192.168.1.0/24~~,192.168.3.0/24~~; Disable IPv6: yes. You are attempting to create an OpenVPN route for both remote sites on both OpenVPN tunnels. You only need to define the remote networks that are actually remote on that connection. You are probably seeing all kinds of strangeness because the OpenVPN process that starts first gets both routes and the other one fails to add the routes because they already exist. Hey, thanks, that worked: after removing ,192.168.3.0/24 and ,192.168.1.0/24 from C on the two servers, ping and tracert are now working and not looping. So I see what I was doing wrong after you pointed it out, thank you for this, Derelict.
  • Connection not fully utilized

    0 Votes
    3 Posts
    601 Views
    JKnott
    What exactly are you testing? Are you connecting a remote site through the VPN, perhaps as a "road warrior"? If so, the upload bandwidth will limit the download bandwidth of the remote site. Is your fibre connection symmetric or asymmetric? If asymmetric, you will have different upload and download bandwidths. My cell connections are symmetric, but my cable connection is not. What do you get if you run speedtest through your fibre connection?
  • Redirect gateway

    0 Votes
    1 Post
    357 Views
    No one has replied
  • [Solved]: Failing to create routes on boot. Must "pretend edit" a route

    0 Votes
    9 Posts
    2k Views
    I got this working. I'm posting my setup for posterity, since there's a shortage of docs for this stuff. The goal is to set up a TAP VPN in a hub-and-spoke format. @jimp: Never, ever, ever make static routes that point to OpenVPN. It fails in exactly this way. OpenVPN manages routes internally. Depending on your setup, you need to set them in the local/remote networks on the clients and servers and possibly in client-specific override entries on the server. If you can describe the setup of your VPN more in-depth that would help. For example, which VPN mode you're using (static key or SSL/TLS), the tunnel network you have set, etc. I saw what you meant. I should just be able to push the routes I need from the server. So I ripped everything out, except for the certs and my client-specific overrides (which are just used to specify the bridge iface IP). I deleted every route and gateway that I had manually made, and removed every reference to remote or local LANs in both the client and server settings. I added just two directives to the advanced section of the client-specific settings. To set the bridge interface IP address for the client on SITE A: ifconfig-push 10.0.0.100 255.255.255.0; I always had that, but to properly set the route, mask, and gw for the client on SITE B's subnet, all I needed to do was: push "route 10.10.0.0 255.255.255.0 10.0.0.101"; Therefore the client on SITE B must have its address assigned as follows: ifconfig-push 10.0.0.101 255.255.255.0; … and it can reach SITE A through SITE A's client's bridge interface address, which we just set above ... push "route 10.5.0.0 255.255.255.0 10.0.0.100"; The last thing you need to do is allow/block traffic on the bridge interface (Firewall -> Rules -> OpenVPN): Block 67-68 (DHCP) from any source to any destination; Allow from * to * (or on a per-subnet basis). That's it. No need for anything else. Thanks everyone for all the help..
  • Getting close.

    0 Votes
    1 Post
    408 Views
    No one has replied
  • MOVED: Issues with RV340 VPN

    Locked
    0 Votes
    1 Post
    299 Views
    No one has replied
  • Port Forward and OpenVPN help

    0 Votes
    2 Posts
    458 Views
    Nothing? No one is wanting to be paid for work either. Is it even possible?
  • Grandstream GXP21xx GXP2160 GXP2170 VOIP phone OpenVPN connect

    0 Votes
    3 Posts
    5k Views
    Many thanks! I have already noticed that pfSense and FreePBX (Asterisk) don't go together too well. Somehow, certain states are not handled correctly, especially when starting the internet connection through PPPoE from within pfSense. Also, the NAT settings are a nightmare - I finally got the best results by switching everything off (in Asterisk). As for the Grandstream: yes - I wanted to avoid that effort. But I somehow got it to work - also, with a configuration I thought I had tried before already. Looks like both DH 1024 and 2048 are supported (did not try any more) as well as Blowfish (BF-CBC) and AES-256 (AES-256-CBC). After first managing with certificates of only 1024 bits, it now also works with 2048 bits, so security should be ok. Only the SHA1 (did not try any others) seems a little bit weak. Also, OpenVPN is configured for "Remote Access (SSL/TLS)" and when enabling access to just the one IP of the Asterisk, everything is working fine, to reduce the security risk a little. No username/password is needed. Also.. in case someone else has similar problems: I had to enable symmetrical RTP in both the phone and Asterisk, otherwise I often had the problem of audio being one-way and that one person thus could not be heard. I am hoping that the real use will prove stable.. setup certainly was a challenge. Also, my next task is to enable the redundant internet connection.. so now I wonder if that is going to introduce any more issues..
  • UFW blocks OpenVPN

    0 Votes
    2 Posts
    509 Views
    johnpoz
    So I take it 10.0.8 is your tunnel network. But you say you force this machine out some VPN (on it) to go to remote networks, which 10.0.8 would be.. Just create a route so that it knows 10.0.8 is local and not to go out its VPN to get to it.. I.e. point a route on it to your pfSense IP on its network. Or you could source NAT the traffic on pfSense so this box thinks the traffic from your VPN is on its local network.
  • Connect to OpenVPN with openSUSE

    0 Votes
    1 Post
    389 Views
    No one has replied
  • This seems over complicated.

    0 Votes
    2 Posts
    594 Views
    johnpoz
    If you have a rule that sends traffic down your VPN connection, and that VPN connection is down and you did not checkmark "do not create rule when gateway down" in the gateway monitoring section of Advanced > Misc, then the rule when the gateway is down will be the same rule just without the gateway set, so yeah, traffic can route out the normal gateway. Another way to do it: set it so the rule is not created. Then if your VPN is down the rest of your rules are evaluated, so if you have a rule below that allows the traffic they could get it out your normal WAN. If you don't have a rule that allows them then they wouldn't. All comes down to how you want to do it. Depending on how many networks you have and how many WAN interfaces, this way might be simpler to cover all the bases with.. There are multiple threads about this all over the forum. What you do exactly depends on many factors of how you want to skin the cat, and what sort of cat it is - is it a Bobtail or a Siamese or maybe Chartreux, etc. etc.
  • OpenVPN - problem with /32-range

    0 Votes
    17 Posts
    3k Views
    pfSense is in transparent bridge mode. I think the reason why this works today (through the Windows server) is that I have a management computer inside the network more or less directly connected to the RV325 on eth2 of the server. On this management computer, one port has the RV325 as gw. When I use the VPN client in Windows against this computer, it will always find the path. That explains why it works? So I would need to do something similar with pfSense basically.
  • VPN connects, can't ping or connect to remote subnet

    0 Votes
    4 Posts
    708 Views
    luckman212
    So, you are actually wanting to use tap mode? Why do you need that, if I may ask? It is fairly uncommon and a bit trickier to make work, will not work for mobile devices and has several other caveats etc. Much better to stick with tun unless you really need broadcast traffic to traverse the tunnel for some reason…
  • 0 Votes
    3 Posts
    497 Views
    @viragomann: Check the outbound NAT. Firewall > NAT > Outbound. There has to be a mapping for the WAN interface and the VPN tunnel as source. If you change the tunnel, you also have to change that NAT rule. THANKS, THAT DID IT! I changed the "Source network for the outbound NAT mapping." address to match my OpenVPN in Firewall > NAT > Outbound and it still was not working, so I rebooted pfSense and it worked! I guess I was under the assumption that pfSense updated everything, kind of like when you disable a NAT Port Forward and it will disable the Firewall rule as well. Now, in the Outbound NAT it says "Auto created rule" next to the OpenVPN rule I just changed, but at the top I have marked "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)", which I believe I marked sometime after setting up my OpenVPN; is that why the rule did not update?
  • Cannot connect via FTP

    0 Votes
    10 Posts
    1k Views
    Derelict
    I have no idea what VPN you have. The one on OPT1.
  • Forcing OpenVPN to use multiple DNS servers

    0 Votes
    2 Posts
    498 Views
    luckman212
    Welcome Steve & congrats on your first post. What DNS servers are you pushing to clients (in your server config)? There are 4 fields (at least on mine) that you can specify. I haven't tried it as I don't have a need for this, but I expect that if you filled out the 2nd field, the DNS server will be pushed to your client. It's still up to the client device (Mac, PC, whatever) how it uses that info. Some may react differently than others. I know Macs are particularly beastly when it comes to DNS as they have abstracted away many of the standard mechanisms in favor of proprietary mDNSResponder-type sorcery. Maybe if you describe your issue in more detail we can help.
  • Open VPN multi core solution ?

    0 Votes
    3 Posts
    3k Views
    Thanks for the reply. In short, it won't work for me ;D
  • Extra OpenVPN interface?

    0 Votes
    5 Posts
    1k Views
    valnar
    OK thank you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.