@gertjan The suggested system patch fixed the issue. Thank you!

For anyone else finding this thread. I've found the solution.

Create a port forwarding rule

INTERFACE: WG0
PORT: 44158
DESTINATION: WG0
DEST PORT: 44158
REDIRECT TARGET IP: MINER IP
REDIRECT PORT: 44158

Then everything works as expected.

@mdomnis I have since upgraded to 22.01 with FRR version 1.1.1_6. In my preliminary testing, the routes seems to be working closer to what is expected. I still have a weird issue where sometimes the neighbors don't like to peer fully and I have to force restart FRR, but from some quick tests, it looks like at least the route is being added to the table correctly. For now at least.

Thank you all for your answers and discussion. Unfortunately it’s a “real problem”. There is a person who I trusted before but this person is now in suspicion for a bad deed. While changing my passwords (way too late I did that) I saw a log in to my personal account that was definitely not made by myself. It’s possible that that person had an auto login but I also had the hunch this person spied my personal mailbox (which is of great concern because I was in touch with official entities). Well I think the chance is quite low I forgot to logout somewhere and that that device has the same /56 prefix as that person. So I can just hope that was an auto login or that person did not found anything. Thank you all.

@johnpoz excatly , so i can change the gateway in routing of this isp , and under interface assimgnets, change the ip ,and add the new gateway that was given by isp.

@mpcjames glad I could help.

@SteveITS From what I can tell, drivers are up to date.

Make sure you have the Don't pull routes option checked in your OpenVPN Client configuration:
pfSense_Dont_pull_routes.png

-Rico

Very thankful for this discussion. Provided a much greater understanding of many things and overall.

For those reading: As to this specific issue, one that I saw many posts about, but this solution I have not seen:

Just found this under logs-->firewall-->settings. I tested it and worked for the noise. Just don't know if will be losing any other and important logging with it. Looking at default block rules I do not think so, but not sure.

Screen Shot 2021-09-28 at 08.20.10.png

Nevermind. It was traffic shaper mucking me up.

If they are different interfaces and not switch ports - then no there is no way to put them on the same network without bridging them.

But the only reason you need for them to be on the same network is broadcast traffic.. They could be on different networks and still access everything on the other network. Just create any any rules.

Do these devices use some broadcast/multicast discovery or protocol that is required that they are required to be on the same network..

If want to leverage your ports for individual devices - ok... But why do you need to bridge them.. Just use 192.168.1/24 on 1 and 192.168.2/24 on 2.. And use an any any rule - there you go these devices can talk to each other for anything other than broadcast traffic.

Bridge is only going to complex up the config, and more overhead for what? Are you doing something that requires broadcast to work? Then get a switch... Really the only time it makes sense to leverage a bridge is media conversion...

Or I had something that required the devices to be in the same broadcast domain, ie the same L2 network.. But I also wanted to be able to firewall between them for some stuff. In that case you would use a bridge (transparent firewall) and be able to do such a thing. But just wanting to leverage the ports on your pfsense box.. I don't see the point of trying to bridge them?

You do not need to create a nat - but if your policy routing, then yes you need a rule above that policy route rule that allows where your trying to go before you policy route out a vpn.

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

@vlan1 said in Mapping WAN IP's from a VPS directly to local Host ?:

The question for me is, how do I assign the pfsense my WAN IP's ?

The WAN IPs have to stay on the VPS, where you run an OpenVPN server. Your pfSense connect to this server and set it as default gateway.
So any outgoing upstream packet from your home is dericted over the vpn and goes out to the internet with the static public IP of VPS.

The other way around you can use the public IP for your services like you do already, but incoming traffic on the VPS is forwarded directly to your server at home.
So you have only one time to nat the traffic in each direction like you was having the VPS public IP at home.

@kiokoman Thank you Sir. You're correct.

I can see from here - https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=29&cip=155.70.7.55&ctype=ipv4&printit=0&x=109&y=13 -
that the first usable is 155.70.7.49, which will be the ISP router (pfSense default gateway) set into the WAN interface. Can I rather use 155.70.7.48, the network address in a bid not to waste IP addresses?

Invariably, is this how to reuse IPs (network and broadcast addresses)?

Pardon me, it was indeed 155.70.7.56/29. And sorry, I'm trying to learn the IP addresses by heart. In this case, can I use 155.70.7.56 in the WAN as against 155.70.7.57, the first usable IP? I'm trying to maximize the IP addresses.

OK, I worked it out!

I had the following Firewall rule for LAN:

Screen Shot 2021-04-06 at 8.17.46 pm.png

But of course, the 10.8.0.0/23 and 10.9.0.0/23 (I changed them to /23 instead of /24) are not in the "LAN Net", so I had to add extra rules to allow that traffic out:

baecb64d-b9fb-4d84-b216-035dbd903399-image.png
That as well as the static routes fixed it!

@serbus Just saw the latest video from Tom Lawrence and it seems to be a bug in the software we are using. So the solution will be to roll back.

@operator2024 Hi
I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface.
could you please tell me what exactly you did so i can compare with my conf

in my case i have
Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS

Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS

both don't work
could you please help

@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

Do you see it being routed in packet captures or the state table when you try to reach 1.1.1.1?

Where does it fail?

@viragomann thank you for the suggestion, I am gonna give it a try, we should fix the issue by having the remote endpoint add a phase 2 for the openvpn subnet but in the meantime this should fix it as well.

Thanks for all your help your comment about the windows firewall got me to look at it a different way. Turns out during one of my previous attempts to get internet to my VPN clients (a different issue not this one) I messed with some other firewall settings and pushed all of the VPN traffic out the WAN interface which worked fine for getting my clients internet access but caused issues when I tried to access the LAN. I removed that and now with the push route command my clients are able to access the Internet and my LAN

Thank you very much! Your solution fixed my problem! I missed to add the tunnel network to the remote networks on site B.

Good day,
I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

I have now added a VLAN to the LAN port in proxmox and created a bridge from that. This I have added to pfSense with the first address of the ip subnet which will act as gateway for the /29 addresses from the guests/hosts on the network.

So far so good.

@JeGr said in Multiple Gateways on same subnet:

Why not simply reconfigure those routers

Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet.

These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.

Well, the part with 2 LANs and 2 WANs is quite easy.

You configure the transit network interface as defined by your second ISP. You configure e.g. 129.x.?.1/24 as a static IP on your "Public LAN". You either set the NAT mode to "Manual Outbound NAT rule generation." and set all NAT rules manually, or you set it to "Hybrid Outbound NAT rule generation" and manually add a "Do not NAT" rule for the traffic between your new LAN and WAN. This should already create the appropriate routing table entries so that incoming traffics finds your 129.x.?.1/24. What's missing to tell the outgoing traffic which gateway to use. This can e.g. be done by specifying the gateway of the second WAN interface in the "allow to any" (or whatever firewall rule you use to allow internet access) firewall rule on your "Public LAN" interface.

Regarding the public IPs for your 192.168.x.1/22: From my perspective, the clean solution would be to give them a second network interface (e.g. using VLANs) in the "Public LAN" network. This also makes it easier to separate the administrative from the public traffic, e.g. only enable SSH on the interface in 192.168.x.0/22 network.

@serbus said in Puzzled by entry in routing table:

Hello!

My netgear lb1120 pushes that route to pfsense through dhcp when you put it in bridge mode. I think it is just a courtesy route to help get to the admin interface.

Shell Output - clog /var/log/dhcpd.log | grep "192.168.5.1"

Jun 12 23:13:43 pfSense dhclient: New Static Routes (mvneta0.4092): 192.168.5.1 100.101.128.1

John

Thanks! Yeah, I arrived at the same conclusion after I did more research.

@viragomann said in Routing configuration issue between 3 interfaces on pfsense (New to pfsense):

Check that twice to be sure.

Than check it again... Your lan rules are by default any any so if you did not mess with that, then any devices on the lan would be able to talk any device on either of your 2 networks with no rules even on those interfaces.

So as long as the device in the other vlans is pointing back to pfsense as its gateway.. Its most likely the devices firewall, or other security software on it that you didn't disable..

Simple test can device in nework A ping pfsense IPs you have listed there 10.1.2.1 and 10.1.3.1 from the 10.1.1.0 network..

If so simple do a sniff on pfsense say on network B interface - while you ping something network be at 10.1.2.x -- do you see the ping go out from pfsense.. If so then its not pfsense..

Here example..

My lan rules.
lanrules.jpg

My lan is 192.168.9.0/24, pfsense IP is 192.168.9.253
Another segment of mine (dmz) is 192.168.3.0/24 where pfsense IP in that is 192.168.3.253

I can ping 192.168.3.253 from my 192.168.9.100 box.

$ ping 192.168.3.253 Pinging 192.168.3.253 with 32 bytes of data: Reply from 192.168.3.253: bytes=32 time<1ms TTL=64 Reply from 192.168.3.253: bytes=32 time<1ms TTL=64

Here is sniff of that 192.168.3.253 interface only for stuff going to 192.168.3.10 while I ping that ip

sniff.jpg

So you see the ping go out, and in my case get a response... Do you see ping request go out.. Make sure your sniffing on pfsense B interface, while you ping from A (your lan with rules that are any any)..

Just to be complete - my dmz rules do not allow pinging anything in my other networks.

dmzrules.jpg

So while something in my dmz can ping pfs IP 192.168.3.253, can not ping pfsense IP say 192.168.9.253

root@pi-hole:/home/pi# ping 192.168.3.253 PING 192.168.3.253 (192.168.3.253) 56(84) bytes of data. 64 bytes from 192.168.3.253: icmp_seq=1 ttl=64 time=0.653 ms 64 bytes from 192.168.3.253: icmp_seq=2 ttl=64 time=0.497 ms

Trying to ping 192.168.9.253 just fails..

root@pi-hole:/home/pi# ping 192.168.9.253 PING 192.168.9.253 (192.168.9.253) 56(84) bytes of data. ^C --- 192.168.9.253 ping statistics --- 10 packets transmitted, 0 received, 100% packet loss, time 9350ms

@stephenw10 I just tried it again and it works. Looks like they finally updated their certs. Thanks for the help!

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.

@PiBa Good news, I got it to work! I did as you suggested and got a self signed certificate on the server using this guide. After that HAProxy is able to route traffic to the host. It even works with the Let's Encrypt wildcard cert I have through the ACME package, so there's no cert errors getting to the site. Thank you for the help again.

@ddbnj said in Cannot access beyond router via OpenVPN:

10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0

Yeah that would dick it up ;)

Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe

The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey pfsense is doing what its suppose to be doing... Have to look elsewhere..