OK, I worked it out! I had the following Firewall rule for LAN: [image: 1617704328983-screen-shot-2021-04-06-at-8.17.46-pm-resized.png] But of course, the 10.8.0.0/23 and 10.9.0.0/23 (I changed them to /23 instead of /24) are not in the "LAN Net", so I had to add extra rules to allow that traffic out: [image: 1617704407299-baecb64d-b9fb-4d84-b216-035dbd903399-image-resized.png] That as well as the static routes fixed it!

@serbus Just saw the latest video from Tom Lawrence and it seems to be a bug in the software we are using. So the solution will be to roll back.

@operator2024 Hi I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface. could you please tell me what exactly you did so i can compare with my conf in my case i have Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS both don't work could you please help

@jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan

Do you see it being routed in packet captures or the state table when you try to reach 1.1.1.1? Where does it fail?

@viragomann thank you for the suggestion, I am gonna give it a try, we should fix the issue by having the remote endpoint add a phase 2 for the openvpn subnet but in the meantime this should fix it as well.

Thanks for all your help your comment about the windows firewall got me to look at it a different way. Turns out during one of my previous attempts to get internet to my VPN clients (a different issue not this one) I messed with some other firewall settings and pushed all of the VPN traffic out the WAN interface which worked fine for getting my clients internet access but caused issues when I tried to access the LAN. I removed that and now with the push route command my clients are able to access the Internet and my LAN

Thank you very much! Your solution fixed my problem! I missed to add the tunnel network to the remote networks on site B.

Good day, I think it is necessary to solve it on the switch via ACL ... I don't have a UniFi switch, so I can't advise it much. I only have UniFi AP AC RL. I don't have any NETGATE devices yet, I'm just getting ...

I have now added a VLAN to the LAN port in proxmox and created a bridge from that. This I have added to pfSense with the first address of the ip subnet which will act as gateway for the /29 addresses from the guests/hosts on the network. So far so good.

@JeGr said in Multiple Gateways on same subnet: Why not simply reconfigure those routers Because some devices (not mine) directly connected to router 1 have in their routing table certain rules to redirect traffic through 10.1.0.4. Hence those routers need to be on the same subnet. These routers are shared by around 20 people, in 4 rooms on single floor. Hence I cannot change settings on those routers.

Well, the part with 2 LANs and 2 WANs is quite easy. You configure the transit network interface as defined by your second ISP. You configure e.g. 129.x.?.1/24 as a static IP on your "Public LAN". You either set the NAT mode to "Manual Outbound NAT rule generation." and set all NAT rules manually, or you set it to "Hybrid Outbound NAT rule generation" and manually add a "Do not NAT" rule for the traffic between your new LAN and WAN. This should already create the appropriate routing table entries so that incoming traffics finds your 129.x.?.1/24. What's missing to tell the outgoing traffic which gateway to use. This can e.g. be done by specifying the gateway of the second WAN interface in the "allow to any" (or whatever firewall rule you use to allow internet access) firewall rule on your "Public LAN" interface. Regarding the public IPs for your 192.168.x.1/22: From my perspective, the clean solution would be to give them a second network interface (e.g. using VLANs) in the "Public LAN" network. This also makes it easier to separate the administrative from the public traffic, e.g. only enable SSH on the interface in 192.168.x.0/22 network.

@serbus said in Puzzled by entry in routing table: Hello! My netgear lb1120 pushes that route to pfsense through dhcp when you put it in bridge mode. I think it is just a courtesy route to help get to the admin interface. Shell Output - clog /var/log/dhcpd.log | grep "192.168.5.1" Jun 12 23:13:43 pfSense dhclient: New Static Routes (mvneta0.4092): 192.168.5.1 100.101.128.1 John Thanks! Yeah, I arrived at the same conclusion after I did more research.

Does anyone have any idea on the implementation of this please?^

@viragomann said in Routing configuration issue between 3 interfaces on pfsense (New to pfsense): Check that twice to be sure. Than check it again... Your lan rules are by default any any so if you did not mess with that, then any devices on the lan would be able to talk any device on either of your 2 networks with no rules even on those interfaces. So as long as the device in the other vlans is pointing back to pfsense as its gateway.. Its most likely the devices firewall, or other security software on it that you didn't disable.. Simple test can device in nework A ping pfsense IPs you have listed there 10.1.2.1 and 10.1.3.1 from the 10.1.1.0 network.. If so simple do a sniff on pfsense say on network B interface - while you ping something network be at 10.1.2.x -- do you see the ping go out from pfsense.. If so then its not pfsense.. Here example.. My lan rules. [image: 1588973136568-lanrules.jpg] My lan is 192.168.9.0/24, pfsense IP is 192.168.9.253 Another segment of mine (dmz) is 192.168.3.0/24 where pfsense IP in that is 192.168.3.253 I can ping 192.168.3.253 from my 192.168.9.100 box. $ ping 192.168.3.253 Pinging 192.168.3.253 with 32 bytes of data: Reply from 192.168.3.253: bytes=32 time<1ms TTL=64 Reply from 192.168.3.253: bytes=32 time<1ms TTL=64 Here is sniff of that 192.168.3.253 interface only for stuff going to 192.168.3.10 while I ping that ip [image: 1588973395669-sniff.jpg] So you see the ping go out, and in my case get a response... Do you see ping request go out.. Make sure your sniffing on pfsense B interface, while you ping from A (your lan with rules that are any any).. Just to be complete - my dmz rules do not allow pinging anything in my other networks. [image: 1588973666776-dmzrules.jpg] So while something in my dmz can ping pfs IP 192.168.3.253, can not ping pfsense IP say 192.168.9.253 root@pi-hole:/home/pi# ping 192.168.3.253 PING 192.168.3.253 (192.168.3.253) 56(84) bytes of data. 64 bytes from 192.168.3.253: icmp_seq=1 ttl=64 time=0.653 ms 64 bytes from 192.168.3.253: icmp_seq=2 ttl=64 time=0.497 ms Trying to ping 192.168.9.253 just fails.. root@pi-hole:/home/pi# ping 192.168.9.253 PING 192.168.9.253 (192.168.9.253) 56(84) bytes of data. ^C --- 192.168.9.253 ping statistics --- 10 packets transmitted, 0 received, 100% packet loss, time 9350ms

@stephenw10 I just tried it again and it works. Looks like they finally updated their certs. Thanks for the help!