Traceroute from the outside world: vpsuser@test:~$ sudo traceroute -I a.b.c.164 traceroute to a.b.c.164 (a.b.c.164), 30 hops max, 60 byte packets 1 daniel.domesticagriculture.org.uk (103.144.176.193) 0.518 ms 0.470 ms 0.457 ms 2 wist.lyle.org (103.144.176.143) 0.479 ms * * 3 100.64.101.167 (100.64.101.167) 10.793 ms 10.781 ms * 4 * * * 5 * * * 6 * * * 7 * * * ... 100.64.101.167 is my router's WG client IP

Unless you need to accept inbound connections there it should only be an outbound NAT rule. Even if you did have inbound connections a port forward is often better. You shouldn't need to manually add any rules though as long as the gateway is added into the new interface. That will trigger the auto outbound rule to be added.

@MartynK that's ok, it's a bit odd that a reboot was necessary. Maybe it was the MTU changes?

@JonathanLee said in Differentiated Services (DiffServ) Identifiers: What TOS would constitute full bandwidth use on pfSense? pfSense doesn't use those values at all by default. You can use them in rules for shaper queues if you want to or set that for use in other devices the connection is going through.

@viragomann It’s a Cisco Meraki the router Site A! But, i’m thinking now: The traffic should be routed to 192.168.100.222, not for the gateway 192.168.100.1 (this is the router with the VPN tunnel). In the 100.1 router have static routes for route the traffic specified throught the 100.222 Is it the same solution (change phase 2 to 0.0.0.0/24)??? Thanks again

@bigtfromaz you could maybe limit the outbound nat for only the device you would be coming from lan with. Like your pc... But yeah that works.. If you just add the route as persistent it should survive reboots, upgrades, etc. you shouldn't need a batch to kick off on startup. I would normally allow ping as a way to validate connectivity..

I would concur using it as explicit proxy where your devices actual gateway points to pfsense vs the proxy should remove such issues what what your seeing with that 22 traffic you listed. Other option with putting such devices that are really internal to your network on their own transit network can eliminate asymmetrical flow issues.

ok, I was not looking at the correct palce. Snort was just blocking the IP I added it to whitelist [image: 1706963904294-37c041c6-7455-4b5d-b5ac-0bbfc12be6cc-image.png]

@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings: @gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings: So in any case CSO is mandatory? If you want to access a network behind the client, it is, as mentioned. The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client. This routes will not shown up in the routing table of pfSense. There you will only see the network, which you stated in the server settings. Thank you for your help! I have some sites interconnected with shared key option... Should I go to IPSec or ovpn p2p ssl , what do you think better? Because for many sites IPSec is now much easier setup... :)

@steveits I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of it's eth ports have 5G. For clarity, my pfSense router has a 5G wan input, and 2 10G SFP+ ports as potential outputs. I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+. This would give me 5G all the way to each router, than separate LANs from there.

And that worked? If not then check for blocked traffic. Check the state table at both sites make sure traffic is going where you think it should. Steve

@johnpoz I'm only using 5 of my 256 /64s. However, I think people have learned a lot of bad habits, with having to conserve IPv4 address space. The only place where a smaller prefix makes sense is with a point to point link, where a /127 is all you need.

@dennism14 Does your home router have a public IP that is it accessible from outside? If he doesn't it won't work with BGP or forwarding naturally. In this case you can only go with VPN.

Yes, you could certainly route between the firewalls. But you need to use a separate transport subnet between the two firewall interfaces and then add gateways and static routes between them. That way you avoid asymmetric routing and can properly filter traffic at both ends. If they have separate ISP uplinks you can also setup each as a failover for the other. Steve

Just want to reply here my discoveries, to save people the hassle of attempting this to find out it does not work, there are two types of GRE tunnels, GRETAP and GRETUN, one supports layer 2 features such as broadcast/multicast and one does not, the PFSense implementation appears to use the later which does not support this feature, please see the following article to show the difference https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#:~:text=While%20GRE%20tunnels%20operate%20at,header%20in%20the%20inner%20header. You would need a local UDP relay instead (on the client side) to instead allow the client to relay these broadcast message as unicast to a specific host, I struggled with this for Windows File Sharing (WS-Discovery) broadcast packets and ended up resorting to a script that auto maps all network drives on successful client connection, perhaps someone could get this working with a L2TP on top of Wireguard? https://github.com/sparky3387/automapwireguard - Shameless plug of the automap script if someone else also needs this.........

@sdedurana a error in config. Solved. Please close.