• 0 Votes
    4 Posts
    528 Views
    A
    @viragomann RESOLVED, thank you. I followed your recommendations and found this issue in the logs: Mar 23 12:50:30 WAN1 Default deny rule IPv4 (1000000103). I added a new rule (separate from my alias based port allow rule) and boom, I'm working. I also found that my WG port allow alias rule was set to TCP (the other 2 6100 are UDP). I wonder how long that has been like that and why my tunnels were working so well all this time lol
  • Wireguard weird behavior

    4
    0 Votes
    4 Posts
    585 Views
    L
    It turned out the traffic is reaching the rev proxy, but for some reason the packet is broken (maybe?). Attaching a pcap from the proxy cap.pcap
  • Endpoint IP often cannot be changed through webgui

    1
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • 0 Votes
    1 Posts
    151 Views
    No one has replied
  • cannot reached to local network from another site when enabled failover

    4
    0 Votes
    4 Posts
    562 Views
    V
    @dimsum said in cannot reached to local network from another site when enabled failover: "I have checked the system log and the policy was passed" For sure, the traffic was passed, since your rule allows any to any. But the packets are directed to the gateway you've stated in the rule. Hence it can never reach the remote site.
  • 0 Votes
    1 Posts
    292 Views
    No one has replied
  • pfsense server wireguard with client mikrotik

    4
    0 Votes
    4 Posts
    860 Views
    NightlyShark
    @charneval As far as user access goes, [image: 1710753465629-8d03fff1-5a86-4a27-81f3-426dc83f8837-image.png] or... [image: 1710753732482-ef108509-04ea-449a-8c89-d57fd2589544-image.png] [image: 1710753778248-730f3484-0060-4877-94bf-7dbce9cbe34b-image.png] Univention Directory Server is an AD replacement, Windows client-ready LDAP server (pretty amazing).
  • Unable to hit websites with WG connection active

    2
    0 Votes
    2 Posts
    290 Views
    NightlyShark
    @droidus Please provide more information. Your problem is DNS related, though.
  • WG freezes up

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • 0 Votes
    2 Posts
    366 Views
    johnpoz
    @tibere86 When you're coming through a vpn and wanting to talk to something on a network attached to pfsense you can run into a few different problems. Prob the most common is just firewall on the host doesn't like whatever the vpn client's IP is, in your case some 172.16 address.. Since it's not local network to who you're talking to.. Another issue is what you're trying to talk to from the vpn is not using pfsense as their gateway.. So if they allow X to talk to them, they send it to some other gateway other than pfsense. Another is the device you're talking to has no gateway at all.. Doing an outbound nat is sure a way to work around those issues. I would validate that pfsense is sending on the traffic.. Do a sniff on your lan interface while you send a ping to your pihole, do you see pfsense send on the traffic? If so then you should check pihole firewall allowing what you want to allow. Or if you can ping, it's maybe just an acl on pihole. There is a setting in pihole. Which is default I do believe.. [image: 1709912400776-pihole.jpg] That would not answer some query from some 172.16 address when its local address is a 10.0.0 because that is not its local network.
  • Wireguard Latest Handshake: -1 year, 11 months ago

    11
    0 Votes
    11 Posts
    2k Views
    P
    Just chiming in that this has already been reported https://forum.netgate.com/topic/183141/wireguard-status-shows-last-handshake-1-years-11-months-ago And I think the issue is not because of the leap year, but rather certain end-of-month days. It's happened to my firewalls before (during 2023 and 2024) but not every month. When it happens, it's usually the last few hours of the day.
  • WireGuard routing error

    3
    0 Votes
    3 Posts
    582 Views
    B
    Thank you so much! I created an Interface for the WG tunnel, set a Gateway to WG peer address via this Interface and created a static route to opposite network through this new GW. It is working fine now!
  • Wireguard tunnel as WAN interface?

    3
    0 Votes
    3 Posts
    574 Views
    B
    @Bob-Dig Thanks!!! After some research on policy based routing, I managed to give Internet access to a vm on my LAN using this tutorial as inspiration: https://protonvpn.com/support/pfsense-wireguard/ Now I'll try to configure haproxy to expose the services of the vm on my lan!
  • Wireguard Unbound DNS Access List

    6
    0 Votes
    6 Posts
    793 Views
    Bob.Dig
    @renegade I have both, CE and plus and none is showing this. So get rid of this I guess.
  • pfSense to Ubiquiti WG tunnel

    5
    1 Votes
    5 Posts
    508 Views
    AndyRH
    @Lace Not sure what you mean exactly. His intrusion detection had gone a little rogue and was blocking allowed traffic. It seems the last Unifi update added a feature he was not aware of. There are complications doing a tunnel. We share a subnet, and it happens to be the one my computer is on at his house. There was some reconfiguring to do beyond the actual tunnel. For now, no tunnel.
  • Wireguard site to site vpn, lan site not accessible.

    28
    0 Votes
    28 Posts
    5k Views
    S
    A big thanks to Jarhead. I have succeeded in my aim today, which I had planned for. I can ping both sides and access via RDP, but I still don't understand a few things. Normally, if you want to access a network, you need to be in the same range as that network. For example, I would like to access "side A" (192.168.10.0/24) from "side B" (192.168.20.0/24). I always kept a PC with an IP setting in the range of 192.168.10.50 on "side B", and actually, this is the issue with my settings, other than the gateway setting in the past. Today, when I changed this IP to the normal 192.168.20.50, it is working fine now.
  • 1 Votes
    6 Posts
    2k Views
    T
    For future travelers, this Youtube video is helpful: https://www.youtube.com/watch?v=ralWaBL98pU
  • 0 Votes
    5 Posts
    391 Views
    L
    @viragomann I got it. The "WireGuard Networks" alias wasn't defined/working... Changed it to the address of my WG network and things are working. Thanks!
  • Site to site WG - 50% ping loss

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • WireGuard status shows last handshake -1 years 11 months ago

    4
    0 Votes
    4 Posts
    897 Views
    P
    @jtressler I wasn't checking the WG status quite often but I now see it's happening again. This time I'm running the latest pfSense Plus 23.09.1 and up-to-date WireGuard 0.2.1 package. [image: 1706756031506-wireguard-datez.png] It's January 31st, and I had a suspicion that being the end of the month would have something to do with this; I'd want to test this theory but haven't been able to set the date to a specific day without the firewall getting auto-synced to the current date. I also recall checking another month's last day (October 31st I think) and it was showing all normal. At least I can document that this happened again on the last day of January, as well as September. I remember others posted on June 30th about this problem. So we now have: Jan 31st, Jun 30th, Sep 30th. I wonder if there is any correlation between the months...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.