• Failed Connection to PureVPN

    0 Votes
    15 Posts
    1k Views
    Thank you
  • Duplicate IP address

    0 Votes
    36 Posts
    3k Views
    johnpoz
    @PJHaan might be good to add this info to the docs if not there?? Back in the day used to be able to edit the docs, but not any more. Could be a feature request to have like a way to manipulate the pool in the GUI? vs having it set the whole tunnel network as the pool and then having to do the advanced options. But not really sure how often this sort of thing is used? Glad I could be of help and you got it sorted.
  • Plex Issue With VPN When Using "Don't Pull Routes"

    0 Votes
    2 Posts
    231 Views
    I haven't solved this, however quick update. I disabled the "Don't Pull Routes" option and instead, in my OpenVPN config, entered "pull-filter ignore redirect-gateway" in the custom option field. This again corrects the issue and stops the VPN from forcing itself as the default gateway in the routing table. However, while Plex now connects to the internet over VPN as it should (based on my firewall rules), when I try to access it from outside the network, I cannot get a connection to the server. Below shows Plex getting out to the internet now. [image]
    If I remove the option "pull-filter ignore redirect-gateway", allowing the VPN to assert itself as the default gateway, Plex works fine and I can connect to it from outside the network. Evidently I am missing something regarding the routing to allow Plex to work when using the "pull-filter ignore redirect-gateway" option, any ideas?
  • OpenVPN Crash and Firewall reboot with Realtek

    0 Votes
    3 Posts
    249 Views
    @KOM I know, I’ve come across this before and I was seeing if there was a solution. Maybe installing WireGuard and configuring it will work… I know Realtek is crap with pfSense, I also have dozens of appliances all with i226/i225 and they work perfectly.
  • ipv6 packets inside ipv4 tunnel

    0 Votes
    2 Posts
    207 Views
    JKnott
    @ddbnj Where is that setting? I don't see it here. I'm running the CE version of pfSense. Also, I don't think 4000::/3 is a valid unicast address range. Only 2000::/3 is valid.
  • Best practices - setting up OpenVPN to access a single device on my LAN

    0 Votes
    5 Posts
    380 Views
    @KOM thank you for your thoughts. Much appreciate it!
  • Cannot connect to any internal DNS server from OpenVPN client

    0 Votes
    5 Posts
    538 Views
    luckman212
    @ITFlyer ...or subscribe to the Messages from the pfSense Team forum section (set to "Watching") [image] ...or at least, subscribe to email updates (at the bottom of https://www.netgate.com/blog) [image]
  • Openvpn + 2FA

    0 Votes
    3 Posts
    486 Views
    @Gertjan It was an 80% good manual, and I got it working when the username is created manually in the FreeRadius service. But when using ldap and freeradius, the 2FA stops working. Then you need NPS or DuoSecurity... and it is a whole different ballgame.
  • Need help for migrating OpenVPN server from old hardware to new system

    0 Votes
    1 Posts
    123 Views
    No one has replied
  • openvpn issues

    0 Votes
    5 Posts
    561 Views
    So I am not trying to use SSL/TLS with user auth and now I get failed to connect even when I stop the service... delete the profile, and install the new config file. It barfs on the TLS key...
  • upgrading 2100 to 25.11 breaks openvpn - service not running

    0 Votes
    16 Posts
    1k Views
    chpalmer
    @andy58 said in upgrading 2100 to 25.11 breaks openvpn - service not running: I am in Massachusetts and the installations are in Oregon. So not easy to go onsite. Argh! Yeah.. that's a drive for sure! I am north of Oregon myself a touch. That said.. I'd be happy to share more of my working setup if it gets you going even temporarily while you fight this one out.. Let me know. Back when I did this more for my own company I had ten to twelve site-to-site setups all pointed back to my primary box here. Yes, moving over to WG made file transfers a bit faster.
  • 0 Votes
    1 Posts
    192 Views
    No one has replied
  • Routing over VPN not working

    0 Votes
    9 Posts
    1k Views
    johnpoz
    @testing123 said in Routing over VPN not working: Instead, packet captures show those ICMP packets only on the IoT interface and never on WireGuard or WAN interfaces. What side - have no clue why rules on the udm would have anything to do with pfsense sending the traffic down the tunnel? What is the point of showing the udm side rules if you're saying icmp is not going down the tunnel on pfsense?
  • Easy way to change Interface and Client assignments together?

    0 Votes
    1 Posts
    114 Views
    No one has replied
  • Site-to-Site connection, a clear instruction

    0 Votes
    3 Posts
    245 Views
    SteveITS
    @godwinc.agada there are examples at https://docs.netgate.com/pfsense/en/latest/recipes/index.html#openvpn
  • OpenVPN split / full tunnel with Client Specific Overrides

    0 Votes
    6 Posts
    891 Views
    tinfoilmatt
    @ivica.glavocic said in OpenVPN split / full tunnel with Client Specific Overrides: net30 is the default option, that was misleading for me. Agreed there. @ivica.glavocic said in OpenVPN split / full tunnel with Client Specific Overrides: what would be a good place to document it? If you post it to the subforum we're in here, I'd be personally interested in giving it a read myself.
  • wireguard->protonvpn policy routing broken since 25.07.01

    0 Votes
    4 Posts
    1k Views
    After extensive testing.

    - I have deleted the tunnels/peers/gateways and recreated
    - switched NAT from Hybrid to Manual and back to Hybrid (although none of these had changed)
    - deleted the interfaces / gateways and recreated

    So:

    - it is not a corrupted config file.
    - the config was working prior to 25.07.01 upgrade

    Noticeable behavior that is different:

    - saving a change to an interface, causes wireguard to stop reaching the monitoring 1.1.1.1 address (never used to have this problem)
    - switching the default gateway from WAN1 to 2, or 2 to 1 restores connection to the monitoring address
    - client on bridge1 (vlan40) network can ping the gateway 10.2.0.1
    - client on bridge1 can NOT ping 1.1.1.1 or any internet address via WG gateway (but WAN / OPNVPN gateways no problem)
    - curl to any internet address returns error 0A000126:SSL unexpected EOF while reading via WG (but WAN/OPNVPN gateways work)
    - if you edit the wg gateway and try to save, it also gives the error "The gateway address 10.2.0.1 does not lie within one of the chosen interface's subnets." when the tunnel end is 10.2.0.2/32 - this is new behaviour as well

        scrub from any to <vpn_networks> no-df max-mss 1372 fragment reassemble
        scrub from <vpn_networks> to any no-df max-mss 1372 fragment reassemble
        scrub on pppoe0 inet all no-df max-mss 1372 fragment reassemble
        scrub on igb1 inet all no-df max-mss 1372 fragment reassemble
        scrub on bridge1 inet all no-df max-mss 1372 fragment reassemble
        scrub on lagg0.40 inet all no-df fragment reassemble
        scrub on igb6.40 inet all no-df fragment reassemble

    Do I need to set the mss max on the individual interfaces even though I have the below settings?

        net.link.bridge.pfil_member   Packet filter on the member interface   0
        net.link.bridge.pfil_bridge   Packet filter on the bridge interface   1
        net.inet.ip.forwarding        Enable packet forwarding between interfaces (required for NAT reflection)   1
        net.link.bridge.vlan_filter   Enable VLAN filtering on the bridge (required if you use VLAN-aware bridges).   1

        tcpdump -i bridge1 icmp
        tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
        listening on bridge1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
        12:35:50.896835 IP v110.lan > one.one.one.one: ICMP echo request, id 51, seq 1, length 64
        12:35:51.897180 IP 110.lan > one.one.one.one: ICMP echo request, id 51, seq 2, length 64
        12:35:52.921189 IP v110.lan > one.one.one.one: ICMP echo request, id 51, seq 3, length 64
        12:35:53.945298 IP v110.lan > one.one.one.one: ICMP echo request, id 51, seq 4, length 64
        12:35:54.969258 IP v110.lan > one.one.one.one: ICMP echo request, id 51, seq 5, length 64

        tcpdump -i tun_wg0 icmp
        tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
        listening on tun_wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
        ---- nothing going through the tunnel

        tcpdump -i igb1 icmp
        tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
        listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
        12:38:11.325166 IP ip-xxx-xxx-xxx-xxx.um05.pools.vodafone-ip.de > one.one.one.one: ICMP echo request, id 39605, seq 8620, length 9
        12:38:11.325207 IP ip-xxx-xxx-xxx-xxx.um05.pools.vodafone-ip.de > 145.253.xx.xx: ICMP echo request, id 42609, seq 8620, length 9
        12:38:11.333470 IP one.one.one.one > ip-xxx-xxx-xxx-xxx.um05.pools.vodafone-ip.de: ICMP echo reply, id 39605, seq 8620, length 9
        12:38:11.334976 IP 145.253.xx.xx > ip-xxx-xxx-xxx-xxx.um05.pools.vodafone-ip.de: ICMP echo reply, id 42609, seq 8620, length 9
        12:38:11.825337 IP ip-xxx-xxx-xxx-xxx.um05.pools.vodafone-ip.de > 145.253.xx.xx: ICMP echo request, id 42609, seq 8621, length 9

    So it seems, even though the rules are on the bridge per below, policy routing is not working [image]

    I have made work off those !LOCAL rules to allow any protocol and disabled the other. No difference.

    NAT is being used in Hybrid and worked previously [image]

    Also, switching the gateway from wg to opnvpn and everything is working. This looks like a defect introduced from 25.07.01 onwards, or, am I missing something? Some compatibility issue between wireguard and bridge?
  • VMware ESXI 8 NIC Passthrough on WAN

    0 Votes
    3 Posts
    708 Views
    Ps: Visit ESXi Download page directly to save some time and from any errors.
  • OpenVpn oneway slow performance

    0 Votes
    2 Posts
    331 Views
    Gertjan
    @netblues said in OpenVpn oneway slow performance: out of options). Another option that eliminates a lot of 'suspects': ditch VM, go bare bone (for a moment).
  • 10 Votes
    24 Posts
    36k Views
    What is up with OpenVPN on 2.8.1 CE?

    Symptom: Remote access does not work as previously after upgrading the client from: OpenVPN-2.5.10-I601-amd64 (This is latest stable version what works pretty.)

    Server:
        Mode: Remote Access ( SSL/TLS + User Auth )
        Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
        Digest: SHA256
        D-H Params: 2048 bits

    Client:
        Mode: Peer to Peer ( SSL/TLS )
        Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
        Digest: SHA256

    At the client export the latest version is: OpenVPN-2.6.17-I001-amd64

    Everything has the same settings as previously, connecting smoothly, but SMB does not work, first of all. I do not think it should be rebuilt every setting because of a new client version. Data Channel Offload is working on the Plus version I have read.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.