Static route
- 
 @Antibiotic 
 The static route is correct.
 But the firewall rules will only allow internet access if the Wifi router does NAT.
 If not, you have to add a pass rule for 192.168.40.0/24.
- 
 @viragomann Switched OFF NAT on WIFI router and get this rule on NAT: 
  
 It started working))) Can I also switch OFF the DHCP server on the WIFI router?
- 
 @viragomann Second question: how do I set a permanent IP for the WIFI router? It's going via a DHCP lease of pfSense.
 Let's say I have for this ethernet point the DHCP range 192.168.10.10-192.168.10.20, but sometimes the WIFI router changes its IP from 192.168.10.10 to another!
- 
 @viragomann What I have now in gateway status on main, is it normal?
  
- 
 @Antibiotic said in Static route:
 "Can I also switch OFF the DHCP server on the WIFI router?"
 Depends on the router, but as far as I remember, I read that this is not possible.
 Why do you want to do this? Do you want pfSense to do DHCP for the wifi?
 If so, the wifi router would need to relay DHCP requests, and I think it's not capable of this.
 If you want pfSense to administer the wifi, best practice would be to set the wifi router into AP mode. I guess this should be possible.
 "Second question: how do I set a permanent IP for the WIFI router? It's going via a DHCP lease of pfSense."
 Go to Status > DHCP leases, find its entry and hit the "add static mapping" action button. State an IP of your choice for it. Remember that the IP has to be outside of the DHCP range.
 The gateway being offline indicates that the device is not responding to pings. Go to the gateway settings and disable the monitoring.
- 
 @viragomann I mean, are there no conflicts if pfSense as main does NAT but the WIFI router, and not pfSense, does DHCP for the local subnet behind this router?
- 
 @Antibiotic 
 No.
- 
 @viragomann OK, thank you, my friend, for the assistance!)))) Have a good day! Everything looks to be working now)))
- 
 @viragomann said in Static route:
 "ISAKMP"
 But if I am planning to use OpenVPN on the WIFI router, do I need to create any more rules in case NAT is disabled on the WIFI router? Or is it only for IPsec?
- 
 @Antibiotic 
 This rule is only for IPSec. It needs a static outbound port, so a rule is required to achieve this.
 Your current rule set on the wifi interface allows any port to any destination on the internet anyway. So there is no additional rule needed.
 Consider that it also allows access to the LAN. Maybe this is not desired and you want to block it.
- 
 @viragomann said in Static route:
 "Consider that it also allows access to the LAN. Maybe this is not desired and you want to block it."
 Can you suggest rule example for this? Have a dedicated NIC for WIFI router connected to pfSense ( pfSense have 4th NIC's and all home network on different NIC's of pfSense)
- 
 @viragomann I also have an option on the WAN page of the WIFI router (Forward local domain queries to upstream DNS). The upstream DNS is my pfSense. Is it better to set this option ON, or does it not matter, in case pfSense is doing NAT?
- 
 @Antibiotic 
 I use an RFC 1918 alias, to which I have added all private network ranges.
 Add a block or reject rule and use this alias as destination. Put this rule above the allow-any rule.
 "Also have an option on WAN page of WIFI router (Forward local domain queries to upstream DNS) Upstream DNS my pfSense. Is it better to set ON this option or does not matter?"
 Seems to apply to local domains only. This might assume that you have domains configured on the router.
 If it's possible, I would set pfSense as DNS in the DHCP settings of the wifi router, so that the devices send requests directly to pfSense.
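
 The rule ordering described above, modelled as an added example that is not part of the original thread or of pfSense itself: a first-match evaluator showing why the RFC 1918 block rule has to sit above the allow-any rule, and that the block also covers pfSense's own private address, so DNS to pfSense needs its own pass rule on top. The firewall address 192.168.10.1, the LAN host 192.168.1.50 and the public test address 203.0.113.10 are assumptions.

```python
import ipaddress

# Constructed addressing: 192.168.10.1 as pfSense's address on the Wi-Fi-facing
# NIC and 192.168.1.50 as a LAN host are assumptions, not values from the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = [ipaddress.ip_network("192.168.10.1/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def rule(action, dst, port=None):
    """A simplified rule: action, destination networks, optional dest port."""
    return {"action": action, "dst": dst, "port": port}

def evaluate(rules, dst, port):
    """Top-down, first matching rule wins; nothing matching means block.
    Source address and protocol are left out of this model for brevity."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if any(addr in net for net in r["dst"]) and r["port"] in (None, port):
            return r["action"]
    return "block"

PASS_DNS = rule("pass", FIREWALL, 53)      # DNS to pfSense itself
BLOCK_PRIVATE = rule("block", RFC1918)     # the RFC 1918 alias as destination
ALLOW_ANY = rule("pass", ANY)              # the existing allow-any rule

RULESETS = {
    "allow-any only": [ALLOW_ANY],
    "block below allow-any": [ALLOW_ANY, BLOCK_PRIVATE],
    "block above allow-any": [BLOCK_PRIVATE, ALLOW_ANY],
    "dns pass, block, allow-any": [PASS_DNS, BLOCK_PRIVATE, ALLOW_ANY],
}

# Constructed probes: LAN file share, DNS and web GUI on pfSense, internet host.
PROBES = [("192.168.1.50", 445), ("192.168.10.1", 53),
          ("192.168.10.1", 443), ("203.0.113.10", 443)]

def audit(rules):
    """Return the verdict for every probe under the given rule order."""
    return {f"{dst}:{port}": evaluate(rules, dst, port) for dst, port in PROBES}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(name)
        for probe, verdict in audit(rules).items():
            print(f"  {probe:<20} {verdict}")
```
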
- 
 @viragomann Ah, thank you 
- 
 @viragomann Could you please assist with OpenVPN? I don't understand where my mistake is in the settings.
 https://forum.netgate.com/post/1161108
 
 
 
