• Transparent Bridge Mode

    11
    0 Votes
    11 Posts
    5k Views
    stephenw10S

    Ok so what do you see on the packet captures from each interface?

    Do you see anything in the firewall logs?

    What firewall rules do you have in place? I suggest adding allow all rules on both interfaces until you get it working.

    Steve

  • New machine pf sense won't install

    10
    0 Votes
    10 Posts
    2k Views
    G

    @stephenw10:

    If all three were getting IPs, gateways, subnets etc from the same DHCP server then they should have at least had the same settings.

    If the dd-wrt device was still in router mode with NAT all three clients would appear identically to pfSense. There's no way it could distinguish them and block only one.
    It looks like whatever was blocking that was in the dd-wrt device or in the client itself.

    It would be better to set up the dd-wrt router as an access point only. It may have a mode for that where the WAN port is added to the LAN as a bridge. If not just disable DHCP and connect the link to pfSense to one of the LAN/switch ports.
    https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

    Steve

    That did it! Silly me, I had the cable plugged in the "internet" port on the router. When I switched it, dd-wrt automatically let pf take over dhcp, so now everything works. If only I could find out why I cannot install 3.4 now.  :o

  • Pfsense behind ADSL router

    11
    0 Votes
    11 Posts
    2k Views
    GertjanG

    @shoggy:

    I was able to resolve this by recreating the firewall rule to pass traffic for the openvpn, beats me why it didn't work before.

    When you use the OPENVPN Wizard, it ends up setting an automatically generated firewall rule on your WAN interface that lets VPN traffic in. See image.
    It's a simple rule that lets UDP (I chose UDP) traffic in on port 1194 (because that's my VPN port) on my WAN.

    @shoggy:

    I am not able to connect to the VPN and traffic flows both ways. I appreciate the effort Gertjan

    You said it was resolved.
    You are not able to connect, … and traffic flows both ways, which means you are connected.
    I don't understand.

    edit : what are your firewall rules on the Firewall => Rules => OpenVPN tab ?

    edit again : I 'checked' https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/
    It will work, but why including "8.8.8.8" as a DNS still puzzles me.
    You saw this part :

    19. Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN rule boxes and clicking Next. These rules will allow your client to connect to the OpenVPN server and allow VPN traffic between the client and server.

    and

    Firewall

    Firewall settings are generated automatically by the wizard. However, depending on your firewall setup and version, you may have to check the setting the wizard has created. First, navigate to Firewall -> Rules and select WAN. You should see a firewall rule permitting IPv4 traffic incoming through the WAN via the OpenVPN port. This will allow clients to connect to the VPN via the external WAN interface.

    If you are having issues routing traffic through the VPN, navigate to Firewall -> Nat, select Outbound and ensure the Mode is set to "Automatic outbound NAT rule generation. (IPsec passthrough included)".

    openvpndefault.PNG

  • No Internet connection until I reseat the WAN cable

    4
    0 Votes
    4 Posts
    664 Views
    SammyWooS

    What does the browser say when it doesn't work? Amazingly return/un-returned message has meaning…

    SITE UNREACHABLE = routing issue/missing gateway.
    SITE NOT FOUND = no DNS resolution.
    SITS FOR A WHILE BEFORE RETURNING ERROR = TTL timeout, packet dropped by somebody in transit. Sometimes congestion.

    Odd.

  • All WAN traffic point to the pfsense portal

    3
    0 Votes
    3 Posts
    481 Views
    J

    Hi thanks, was not the problem. I had added the openvpn using the wizard and the bugged rule made it so all traffic was going to the pfsense ip. Still need to do the openvpn but that's for another question :)

  • Unable to PING test pfSense box

    13
    0 Votes
    13 Posts
    1k Views
    stephenw10S

    Hmm, never tried it but I'm wondering if one of the usb device quirks could work directly here.
    https://www.freebsd.org/cgi/man.cgi?query=usb_quirk&sektion=4&n=1

    It looks like you're using the standard Huawei mode switch message currently so one of those might.

    If that does work you can just add it in loader.conf.local.

    Steve

  • MOVED: Move configuration from CE 2.3 to XG-7100 2.4

    Locked
    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Can't update or install packages

    2
    0 Votes
    2 Posts
    910 Views
    stephenw10S

    What pfSense version are you running?

    What branch do you have selected in System > Update > Update Settings?

    Steve

  • Ue0 for WAN

    8
    0 Votes
    8 Posts
    2k Views
    stephenw10S

    Install the shellcmd package, add whatever commands you need.

    https://doc.pfsense.org/index.php/Executing_commands_at_boot_time

    Really though you'd be much better off using a different modem. Either an external device that provides a real Ethernet interface or something that you can connect with over ppp, if the speed is not an issue.

    Steve

  • Setting Interface IP address

    6
    0 Votes
    6 Posts
    872 Views
    GertjanG

    @ThatotherGuy:

    I do appreciate your reply, however I have tried unplugging cables, numerous times.

    Let me guess : the device you hooked up to the LAN to visit the GUI also uses a static IP - or, using other words : you changed default network settings on that device.
    In that case, ripping out the RJ45 and putting it back in won't do - neither running ipconfig /renew. You have to change your IP/DNS/Gateway manually.

    Btw : an advice : when you buy a PC/Printer/whatever : Never ever deactivate the DHCP client. Leave it on. Don't touch any network settings except maybe the network group name.
    You just gave one of the many reasons why …

    Setup in your router (pfSense here) all IP's with their MAC addresses. All your devices will also have the IP(s) you assigned on a central place.
    Do not use static addresses.

  • [SOLVED] 2.4.3 - /rc.filter_configure_sync: cannot define table bogonsv6

    52
    0 Votes
    52 Posts
    21k Views
    L

    @joltman:

    Have you rebooted?

    Yes, in addition I have found that if I go to "System/General Setup" and click save without changing anything it appears again.
    Does it make any sense?

    Oops it looks like there was an empty space after the 400000

  • 0 Votes
    1 Posts
    346 Views
    No one has replied
  • No available packages.

    4
    0 Votes
    4 Posts
    2k Views
    stephenw10S

    That setting actually applies immediately. You might have to trigger a refresh though by reloading the System Update tab or refreshing the firmware check on the dashboard or running 'pkg update' at the CLI.

    Steve

  • Can someone help to understand this error?

    3
    0 Votes
    3 Posts
    805 Views
    L

    @KOM:

    Can someone help to understand this error and how to fix it?  Are those because I have suricata installed?

    This looks like console output from suricata.  Are you actually having any problems or are you just concerned about this text?

    "Default deny rule IPv4 (1000104533) " which don't even exist in my rule list? what is going on?

    The default deny rule is a hidden rule at the bottom of every interface's ruleset.  If something isn't explicitly allowed by a rule above it, the default deny rule will catch it and block it.

    I'm not having problems, apparently.

    I thought the default deny rule had a different code: Default deny rule IPv4 (1000000103)

  • Disk Full After Upgrade

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S

    Which part does it actually show as full?

    I assume you installed with no swap slice?

    If you have RAM to spare you might try moving /var and /tmp to RAM drives in System > Adv. > Misc.

    Steve

  • [SOLVED] Backup & Restore not working on different hardware

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S

    The default console speed has been 115200 for a while now. Since 2.2 at least. But if you updated from an older version it might have been 9600 and it keeps that setting.
    Some people set it to that to match the BIOS output so they can see the full boot sequence.
    The ALIX board had a default BIOS speed of 38400 and pfSense shipped with it set to match on that hardware.

    Steve

  • Issues updating from 2.4.2-RELEASE-p1 (amd64) to 2.4.3

    1
    0 Votes
    1 Posts
    461 Views
    No one has replied
  • MOVED: XG-7100 Discrete Port Setup

    Locked
    1
    0 Votes
    1 Posts
    245 Views
    No one has replied
  • MOVED: X-1537 temperature issues

    Locked
    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • [SOLVED] webConfigurator accessible via WAN IP address, not LAN

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD

    So while double NAT'ed configurations are generally undesirable, I am not seeing any problems with my setup.  I guess time will tell.

    If the USG is just a router / controller why not just disable NAT there?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.