  • 0 Votes, 2 Posts, 191 Views
    Traceroute from the outside world:
        vpsuser@test:~$ sudo traceroute -I a.b.c.164
        traceroute to a.b.c.164 (a.b.c.164), 30 hops max, 60 byte packets
         1  daniel.domesticagriculture.org.uk (103.144.176.193)  0.518 ms  0.470 ms  0.457 ms
         2  wist.lyle.org (103.144.176.143)  0.479 ms  *  *
         3  100.64.101.167 (100.64.101.167)  10.793 ms  10.781 ms  *
         4  * * *
         5  * * *
         6  * * *
         7  * * *
        ...
    100.64.101.167 is my router's WG client IP
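As an added example (not code from the post or from pfSense), the following parses the traceroute output quoted above and classifies each hop, flagging the RFC 6598 shared address space (100.64.0.0/10) that the poster's WireGuard client address falls into and reporting where the path goes dark. The sample input is the post's hop lines, rewrapped one hop per line; the header line with the redacted a.b.c.164 target is skipped by the parser.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the hop lines quoted in the post above, one hop per line.
SAMPLE_TRACEROUTE = """\
traceroute to a.b.c.164 (a.b.c.164), 30 hops max, 60 byte packets
 1  daniel.domesticagriculture.org.uk (103.144.176.193)  0.518 ms  0.470 ms  0.457 ms
 2  wist.lyle.org (103.144.176.143)  0.479 ms  *  *
 3  100.64.101.167 (100.64.101.167)  10.793 ms  10.781 ms  *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
"""

# RFC 6598 shared address space, used by carriers for CGNAT and, as in the post,
# by VPN setups for client addresses. Checked explicitly because Python's
# ipaddress module reports it as neither private nor global.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")


@dataclass
class Hop:
    ttl: int
    host: Optional[str]          # reverse-DNS name, or the address if there is none
    addr: Optional[str]          # None when every probe on this hop timed out
    rtts_ms: List[float] = field(default_factory=list)
    timeouts: int = 0            # number of '*' probes on this hop

    @property
    def scope(self) -> str:
        """Classify the responding address; 'no-reply' if nothing answered."""
        if self.addr is None:
            return "no-reply"
        ip = ipaddress.ip_address(self.addr)
        if ip in SHARED_ADDRESS_SPACE:
            return "cgnat"
        if ip.is_private:
            return "rfc1918"
        return "public"


def parse_traceroute(text: str) -> List[Hop]:
    """Parse Linux traceroute output into Hop records (the header line is skipped)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        hop = Hop(ttl=ttl, host=None, addr=None)
        host = HOST_RE.search(rest)
        if host:
            hop.host, hop.addr = host.group(1), host.group(2)
        hop.rtts_ms = [float(x) for x in RTT_RE.findall(rest)]
        hop.timeouts = rest.count("*")
        hops.append(hop)
    return hops


def first_silent_hop(hops: List[Hop]) -> Optional[int]:
    """TTL of the first hop from which no hop onward answered, or None."""
    for i, hop in enumerate(hops):
        if all(h.addr is None for h in hops[i:]):
            return hop.ttl
    return None


def summarize(hops: List[Hop]) -> List[str]:
    """One line per hop: ttl, scope, address and how many probes timed out."""
    return [f"{h.ttl:2d} {h.scope:8s} {h.addr or '-':16s} timeouts={h.timeouts}"
            for h in hops]


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_TRACEROUTE)
    print("\n".join(summarize(parsed)))
    print("path goes dark at hop", first_silent_hop(parsed))
```

On the post's data this reports hop 3 as `cgnat` and hops 4 onward as `no-reply`, which is the pattern you see when ICMP reaches the WireGuard endpoint but nothing past it answers: either the next device drops the probe or the return path for it is missing.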
  • Access to new interface
    General pfSense Questions routing firewall rules
    0 Votes, 4 Posts, 160 Views
    stephenw10: Unless you need to accept inbound connections there, it should only be an outbound NAT rule. Even if you did have inbound connections, a port forward is often better. You shouldn't need to manually add any rules, though, as long as the gateway is added into the new interface. That will trigger the auto outbound rule to be added.
  • 0 Votes, 13 Posts, 652 Views
    patient0: @MartynK that's OK, it's a bit odd that a reboot was necessary. Maybe it was the MTU changes?
  • 0 Votes, 3 Posts, 348 Views
    stephenw10: @JonathanLee said in Differentiated Services (DiffServ) Identifiers:
        What TOS would constitute full bandwidth use on pfSense?
    pfSense doesn't use those values at all by default. You can use them in rules for shaper queues if you want to, or set that for use in other devices the connection is going through.
  • 0 Votes, 11 Posts, 823 Views
    @viragomann It's a Cisco Meraki, the router at Site A! But I'm thinking now: the traffic should be routed to 192.168.100.222, not to the gateway 192.168.100.1 (this is the router with the VPN tunnel). The 100.1 router has static routes to route the specified traffic through 100.222. Is it the same solution (change phase 2 to 0.0.0.0/24)??? Thanks again
  • 0 Votes, 4 Posts, 424 Views
    johnpoz: @bigtfromaz you could maybe limit the outbound NAT to only the device you would be coming from LAN with, like your PC... But yeah, that works. If you just add the route as persistent it should survive reboots, upgrades, etc.; you shouldn't need a batch to kick off on startup. I would normally allow ping as a way to validate connectivity.
  • 0 Votes, 7 Posts, 849 Views
    johnpoz: I would concur: using it as an explicit proxy, where your devices' actual gateway points to pfSense vs. the proxy, should remove such issues as what you're seeing with that 22 traffic you listed. The other option, putting such devices that are really internal to your network on their own transit network, can eliminate asymmetrical flow issues.
  • Single website unreachable
    Routing and Multi WAN routing
    0 Votes, 2 Posts, 308 Views
    OK, I was not looking at the correct place. Snort was just blocking the IP; I added it to the whitelist.
  • 0 Votes, 11 Posts, 2k Views
    @viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:
        @gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:
            So in any case CSO is mandatory?
        If you want to access a network behind the client, it is, as mentioned. The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client. These routes will not show up in the routing table of pfSense. There you will only see the network which you stated in the server settings.
    Thank you for your help! I have some sites interconnected with the shared key option... Should I go to IPsec or OpenVPN p2p SSL, what do you think is better? Because for many sites IPsec is now much easier to set up... :)
  • 2 Static Routing Point to one LAN
    Routing and Multi WAN routing
    0 Votes, 1 Post, 354 Views
    No one has replied
  • 0 Votes, 1 Post, 392 Views
    No one has replied
  • 0 Votes, 3 Posts, 1k Views
    @steveits I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of its eth ports have 5G. For clarity, my pfSense router has a 5G WAN input and 2 10G SFP+ ports as potential outputs. I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+. This would give me 5G all the way to each router, then separate LANs from there.
  • 0 Votes, 1 Post, 625 Views
    No one has replied
  • 0 Votes, 4 Posts, 955 Views
    stephenw10: And that worked? If not, then check for blocked traffic. Check the state table at both sites; make sure traffic is going where you think it should. Steve
  • 0 Votes, 5 Posts, 939 Views
    JKnott: @johnpoz I'm only using 5 of my 256 /64s. However, I think people have learned a lot of bad habits from having to conserve IPv4 address space. The only place where a smaller prefix makes sense is with a point-to-point link, where a /127 is all you need.
  • PFSense IP Block - Wireguard
    WireGuard bgp ips routing
    0 Votes, 6 Posts, 1k Views
    @dennism14 Does your home router have a public IP that is accessible from outside? If it doesn't, it won't work with BGP or forwarding, naturally. In this case you can only go with a VPN.
  • 0 Votes, 10 Posts, 2k Views
    stephenw10: Yes, you could certainly route between the firewalls. But you need to use a separate transport subnet between the two firewall interfaces and then add gateways and static routes between them. That way you avoid asymmetric routing and can properly filter traffic at both ends. If they have separate ISP uplinks you can also set up each as a failover for the other. Steve
  • GRE tunnel question
    IPsec gre gif wireguard routing
    0 Votes, 2 Posts, 1k Views
    Just want to reply here with my discoveries, to save people the hassle of attempting this only to find out it does not work. There are two types of GRE tunnels, GRETAP and GRETUN; one supports layer 2 features such as broadcast/multicast and one does not. The pfSense implementation appears to use the latter, which does not support this feature; please see the following article to show the difference: https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#:~:text=While%20GRE%20tunnels%20operate%20at,header%20in%20the%20inner%20header.
    You would need a local UDP relay instead (on the client side) to allow the client to relay these broadcast messages as unicast to a specific host. I struggled with this for Windows File Sharing (WS-Discovery) broadcast packets and ended up resorting to a script that auto-maps all network drives on successful client connection. Perhaps someone could get this working with L2TP on top of WireGuard? https://github.com/sparky3387/automapwireguard - Shameless plug of the automap script if someone else also needs this...
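The post above describes a local UDP relay that re-sends broadcast datagrams as unicast to one host across the tunnel. The following is an added example of that relay (not the poster's automap script and not pfSense code); the class, the `loopback_demo` helper and the constructed payload are all assumptions for illustration, and the demo exercises the relay entirely on 127.0.0.1 so it runs offline.

```python
import socket
import threading
from typing import Optional, Set, Tuple

Addr = Tuple[str, int]


class BroadcastToUnicastRelay:
    """Receive UDP datagrams on one socket (e.g. the LAN broadcast port) and
    resend each payload as a unicast datagram to a single configured peer.

    Only the payload is copied. The relayed datagram's source address is this
    host, so the peer's reply comes back here, not to the original sender."""

    def __init__(self, listen: Addr, peer: Addr,
                 allowed_sources: Optional[Set[str]] = None, max_len: int = 1500):
        self.listen = listen
        self.peer = peer
        # Restrict which senders are relayed. None relays anything that can reach
        # the port, which turns the relay into a reflector toward the peer.
        self.allowed_sources = allowed_sources
        self.max_len = max_len
        self.sock: Optional[socket.socket] = None
        self.forwarded = 0
        self.dropped = 0

    def bind(self) -> int:
        """Bind the listening socket and return the port it ended up on."""
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(self.listen)
        s.settimeout(2.0)
        self.sock = s
        return s.getsockname()[1]

    def serve(self, max_packets: Optional[int] = None) -> int:
        """Relay until max_packets datagrams were handled (forever if None)."""
        out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            while max_packets is None or self.forwarded + self.dropped < max_packets:
                try:
                    data, src = self.sock.recvfrom(self.max_len)
                except socket.timeout:
                    if max_packets is not None:
                        break
                    continue
                if self.allowed_sources is not None and src[0] not in self.allowed_sources:
                    self.dropped += 1
                    continue
                out.sendto(data, self.peer)      # unicast copy toward the remote host
                self.forwarded += 1
        finally:
            out.close()
            self.sock.close()
        return self.forwarded


def loopback_demo(payload: bytes = b"constructed discovery probe") -> Tuple[bytes, str, int]:
    """Run client -> relay -> peer on 127.0.0.1 and report what the peer saw."""
    peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # stand-in for the remote host
    peer.bind(("127.0.0.1", 0))
    peer.settimeout(2.0)

    relay = BroadcastToUnicastRelay(listen=("127.0.0.1", 0), peer=peer.getsockname(),
                                    allowed_sources={"127.0.0.1"})
    relay_port = relay.bind()
    worker = threading.Thread(target=relay.serve, kwargs={"max_packets": 1})
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stand-in for the LAN client
    client.sendto(payload, ("127.0.0.1", relay_port))
    try:
        data, src = peer.recvfrom(1500)
    finally:
        worker.join()
        client.close()
        peer.close()
    return data, src[0], relay.forwarded


if __name__ == "__main__":
    data, src, n = loopback_demo()
    print(f"peer received {data!r} from {src}; relayed={n}")
```

For real use you would bind `listen` to `("0.0.0.0", <port>)` on the WireGuard client host and set `peer` to the address of the file server across the tunnel. Two caveats follow from the design: because the relay rewrites the source address, the responder answers the relay rather than the original client, which is why a discovery protocol that expects the reply at its own socket still needs a workaround like the poster's mapping script; and WS-Discovery is actually sent to the multicast group 239.255.255.250 on port 3702, so receiving it requires joining that group on the listening socket (`IP_ADD_MEMBERSHIP`) rather than only enabling `SO_BROADCAST`.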
  • 0 Votes, 1 Post, 682 Views
    No one has replied
  • IPSEC with Nat Translation - no route
    IPsec ipsec traslation routing
    0 Votes, 2 Posts, 669 Views
    @sdedurana An error in config. Solved. Please close.