@bob-dig
yes destination is internet.

So this is why I get the NAT3 on the ps4 right?
in short, because the vlan's gateway is not exposed to internet but is behind the wan.. right?

sorry what you mean with If the destination is at your place then number 3
another vlan or the lan?

thanks again

Make sure you have the Don't pull routes option checked in your OpenVPN Client configuration:
pfSense_Dont_pull_routes.png

-Rico

For my site the issue has been resolved now. Been running smoothly for more than a week after increasing Router Lifetime in services_router_advertisements.php?if=lan

@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

Do you see it being routed in packet captures or the state table when you try to reach 1.1.1.1?

Where does it fail?

@JeGr said in Multiple Gateways on same subnet:

Why not simply reconfigure those routers

Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet.

These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.

That is a layer 2 issue. Either that NIC is not passed through to pfSense correctly or the ONT is rejecting the MAC address. Rebooting would normally reset that bit not always.

Try some other device using the public IP directly. If that also fails and the Netgear is the only thing that works you will need to spoof the MAC address or call the ISP and have them reset it.

Steve

Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future i would like to have the possibility to add more clients. The following is what I'm trying to accomplish:

test.png

Ok, if you only have a firewall rule with the OpenVPN gateway set it will force all traffic out that way which will break connectivity to the LAN.
Add a rule on the new interface above any rules with a gateway set to pass ping traffic to the LAN.

Otherwise check the firewall logs. Check the state table while you're pinging.

Steve

@xyzzyz said in VLAN question for noob moving from Cisco ASA:

My question: On my pfSense replacement for the ASA, is there any advantage to setting up a VLAN for the WAN port?

No.

@Overclock said in Non local gateway IPv6:

I let you inform about OVH response.

Ask them how SLAAC is supposed to work with a /56. You may be able to get a single /64 to work, but the other 255 will be unusable.

Olha, olhando o problema superficialmente, com as informações que você passou, já levando em consideração que você verificou cabos e etc, digo que sim o problema pode ser na placa de rede.

Não é normal ter problema de conectividade entre o pfsense e o modem, é um cabo, não é pra perder ping nem muito menos perder o MAC da tabela.

Even in the logs, I can see that the server is pushing its own address as the gateway, yet pfSense does not use it as the gateway IP:

Dec 21 02:45:36 openvpn 67745 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.120.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

Hi.
I had this problem in 2.5.1 and 2.5.2, i tried ANYTHING, even opnsense but i had similar issues;
i found a permanent fix by removing all static routes and migrating them to firewall rules.

Let's say we have three connection WAN1, WAN2 and WANX, we want to use WAN1 and WAN2 in load balancing and WANX ONLY for some routes (no internet is available here!):

1- remove all static routes, they will be ignored anyway and may give error on UI
2- Configure your gateways and create a gateway group for WAN1 and WAN2, in this example we call it LoadBalance
3- Create like usual a firewall rule in LAN to redirect internet traffic to LoadBalance gateway
4- Create one or multiple firewall rules under LAN with source LAN NET and with destination the nework of your static rules
5- Put the "static route" rules on TOP and the load balancing rule on the bottom, save and apply
Everything should now work fine

Example: (note: networks in routes are redacted for privacy)
pfsense.jpg

Merci @ccnet pour votre retour.

Alors depuis mon espace OVH je vois bien une passerelle mais sur mon VPS, il n'y a aucune passerelle de configurer...

2001:41d0:0305:2100:0000:0000:0000:0001

Effectivement le but de ma démarche et d'obtenir une passerelle afin d'interconnecté mon VPS avec un réseau exterieur.

@grimm-spector Exactly, it will work just fine :)