• TLS Error: TLS key negotiation failed to occur within 60 seconds

    0 Votes
    7 Posts
    1k Views
    M
    It works!! I think the error was the public IP, thank you !!!!
  • Decentralised VPN

    0 Votes
    8 Posts
    991 Views
    Rico
    There is no limit for mesh or star. With lots of sites and traffic you just need beefy hardware. -Rico
  • OpenVPN through two pfsenses

    0 Votes
    12 Posts
    1k Views
    D
    Thank you very much for your help. I had to leave the office now...I will retry it on Monday and let you know. Thank you very, very much!
  • DSLite Workaround sort of

    0 Votes
    1 Posts
    412 Views
    No one has replied
  • Connect Watchguard SSLVPN Client to pfSense OpenVPN server

    0 Votes
    1 Posts
    614 Views
    No one has replied
  • PFSense & OpenVPN performance Issues

    0 Votes
    6 Posts
    1k Views
    T
    @johnpoz 1 - When I've tried in my LAN the latency is 1ms. In my land (Switzerland) you never ever have more than 20ms. (If you have a fiber connection it's about 1 - 8ms.) Now the thing is ... even if SMB is designed for LAN, I've a throughput of 8Mb... even when I'm streaming films from my server. So when I and a couple of friends are watching a stream at the very same moment.. that's fulfilled. I don't expect to have 1Gbps over VPN... but from 1Gbps to 8mb/s... it's a lot.
  • OpenVPN and VLAN setup with Unifi

    0 Votes
    5 Posts
    758 Views
    V
    SOLVED thanks to another thread on this forum ..it was actually the VPN client configuration in that I had to check "Dont Pull Routes" which did the trick. Thank you!!
  • 2 OpenVPN servers on one IP address

    Moved
    0 Votes
    6 Posts
    777 Views
    stephenw10
    Ok, yeah. So if you add a pass all rule on the OpenVPN tab it will break traffic coming from location two across the load-balanced OpenVPN pair. You need to either assign the remote access OpenVPN server and add the rules on the new interface tab created. Or add rules on the OpenVPN tab that catch only the remote access users by specifying the source subnet. Steve
  • Confused about OpenVPN client DNS queries on a MultiWan setup

    0 Votes
    2 Posts
    314 Views
    Rico
    https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico
  • Openvpn error routing

    0 Votes
    14 Posts
    2k Views
    stephenw10
    Assuming you have rules to allow it, login to the server GUI and check the OpenVPN tab in the firewall rules. Or the assigned interface tab if you have assigned the OpenVPN server as an interface. Steve
  • firewall rules on server

    0 Votes
    2 Posts
    269 Views
    JKnott
    @trazom ???? The same way as you configured it. Fire up a browser and connect to pfSense. They're under Firewall > Rules.
  • Client to Server to Internet Client

    0 Votes
    5 Posts
    793 Views
    M
    @gertjan yes you're onto it ;) yes it's tun, "IPv4 Tunnel Network" ---> 10.10.77.0/24 Do you policy-route this 'call-in' network also ? I've tried to set it as follows.. Firewall / Aliases / IP Network or FQDN --->> 10.10.77.0/24 (OpenVPN) Firewall / Rules / LAN Interface (LAN) "also tried the openvpn here too" Source > Single host or alias "OpenVPN" Gateway is set the expressvpn with that set like this, when the phone is connected, it works, but the internet connection is still shown as my wan ip, and not the expressvpn ip
  • 0 Votes
    1 Posts
    170 Views
    No one has replied
  • Access to LAN net behind pfsense from OpenVPN net

    0 Votes
    4 Posts
    826 Views
    H
    Yep, LAN net is double NAT'd - I'm now working with ISP for switching router to bridge. My net is: [image]

    On VPS I have OpenVPN server + Zabbix (10.8.0.1). On pfSense I have Zabbix agent + proxy (10.8.0.2). pfSense self-monitoring works fine (without proxy). I want to monitor some devices in LAN - 192.168.1.101. Now I've been stuck in settings - pinging LAN devices from OVPN interface does not work, but pinging pfSense LAN address works fine.

    UPD

        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.10.10.4
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote <ip> 31194
        ca /var/etc/openvpn/client1.ca
        cert /var/etc/openvpn/client1.cert
        key /var/etc/openvpn/client1.key
        tls-auth /var/etc/openvpn/client1.tls-auth 1
        ncp-disable
        resolv-retry infinite
        route-nopull
        link-mtu 1601
        remote-cert-tls server

    My goal is to set up Zabbix monitoring from VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on pfSense router (IP 10.8.0.2). Now zabbix says "Timeout while connecting to "192.168.1.101:161"." In the diagnostics tab of the pfSense router in the ping section I can successfully ping pfSense itself: 192.168.1.1 from 10.8.0.2, but 192.168.1.101 from 10.8.0.2 fails: packages are lost somewhere
  • 0 Votes
    2 Posts
    505 Views
    E
    @eric-marshall I guess that was just way TL/DR. Sorry Guys.
  • PIA VPN removes stealth mode at GRC Shieldsup

    0 Votes
    8 Posts
    2k Views
    S
    Thanks for the info guys
  • Only first IP connected have acces to network

    0 Votes
    6 Posts
    688 Views
    Gertjan
    @artware said in Only first IP connected have acces to network: Certificate are different In that case, you could switch to: [image] De-select Duplicate Connection. Firewall rules?
  • Dual ExpressVPN failover - routing broken

    0 Votes
    1 Posts
    289 Views
    No one has replied
  • Fatal Error if radius with 2fa doesnt answer for longer time

    0 Votes
    2 Posts
    200 Views
    jimp
    Which version of pfSense is this on? If it's not current, upgrade. Otherwise you might want to report this specific error condition upstream to OpenVPN:

        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error
  • ACL with HAProxy through OpenVPN

    0 Votes
    11 Posts
    2k Views
    P
    @uwscia said in ACL with HAProxy through OpenVPN: HAProxy is not seeing the OpenVPN client with the assigned subnet IP. Seems like the wrong chicken created an egg explanation cause/result.. :) I think you mean: The openvpn client is not using the VPN to connect to the IP the domain name resolves to. To solve that, make dns resolve a different ip that is part of the vpn network routes that could perhaps be done with a hostname override in the dnsresolver settings, or make the vpn the default gateway for all traffic? or perhaps push routes for the public ip that needs to be directed over the vpn?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.