@Rico sadly doesn't seem to solve the issue. I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working. I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's. Anyway thank you for all the help.

@PiBa Good news, I got it to work! I did as you suggested and got a self signed certificate on the server using this guide. After that HAProxy is able to route traffic to the host. It even works with the Let's Encrypt wildcard cert I have through the ACME package, so there's no cert errors getting to the site. Thank you for the help again.

@ddbnj said in Cannot access beyond router via OpenVPN: 10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 Yeah that would dick it up ;) Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey pfsense is doing what its suppose to be doing... Have to look elsewhere..

@JKnott It is unusual, but it's the standard Comcast setup when you have a business account with static public IPs. For residential, or lower-tier business accounts, you get a dynamic public IP. I'm talking about v4, but they are now providing a static v6 block with the v4, and a residential user gets a dynamic /60.

No need tu put it off, because The style of routing described on that link won't work since pfSense doesn't enable the options for multiple routing tables So, what isn't implemented can't be switched off - neither on.

I realized that I do not need to add 192.168.0.x since my WAN interface is 192.168.0.1 and /32 was incorrect too. I have removed that. I can see the route in the table but still the ping to google.com or 8.8.8.8 or 192.168.0.1 from a VM(192.168.1.100) connected to pfsense is very random. how can I troubleshoot that? edit: do I have to reboot each time I save anything? that seems to do the trick

the routing table now is the same ? maybe it was something else on the configuration

So a smart/managed layer 2 then ;) BTW, if your going to route and your wanting to access something on your downstream from a IP that is on your transit network you are always going to run into asymmetrical problems.. [image: 1568768481992-asymmetrical.png] If you want to route to other networks on your downstream, then that needs to be connected to your upstream router via a transit network.. If you going to want to get to it from devices on your transit network.. Then you need to host route on them, or you run into the above asymmetrical problem. Connect your upstream to your downstream via transit network (no hosts on it) and your asymmetrical issues are gone [image: 1568768794638-17216.png] Also if you created your SVI on the L2 that your 10 network is on, then its IP would be in the 10 nework.. If you created put the svi on a different L2, then you need to route it via a transit or host routes or your going to have the asymmetrical problems.

@gary201 The issue from July 2019 was resolved without them really going into detail about what was happening during their large maintenance/migration. When I got in touch with them they were still in the "putting out fires" mode. They made a note of my issue, emailed me a few days later when they had a fix in place for me to verify, and all was good. Around December 2nd of 2020 I did have an IPv6 outage after a maintenance window. No IPv6 traffic was routing. I also tried different machines directly wired to the ONT at that time to verify it wasn't something on my end (not that I had changed anything). I reached out to them and they were able to in their words, "remove a filter" and it fixed my issue. I'm not sure how helpful that is, but it's all they told me.

Yeah you should be able to use either HAProxy or reverse Squid to redirect requests based on the host headers to different internal servers. Or different ports on the same server. https://docs.netgate.com/pfsense/en/latest/packages/haproxy-package.html https://youtu.be/FJSHMyrd29E Steve

Yeah Rico hit it on the head.. Where you can run into problems is when the site could be really any IP owned by the CDN its being hosted on.. So the specific IP you use could change all the time.. And some of these have ttls as short as 60 seconds for example... So when the filterdns process runs (every 5 minutes by default) that populates your alias for www.somedomain.com you get IP 1.2.3.4... But then 3 minutes your client wants to go there and you get 4.5.6.7 which is not in your alias. Even if you put in the whole swath of IPs that are owned by CDN.. you now get sites that you might not want going through the vpn since they are hosted on the same CDN, etc. So while yes you can do it.. Be aware that there could be complications based upon if that fqdn is hosted on CDN..

@jimp Thank you! Works perfectly as you described. Regards,

Sorry. I have no idea what you are even asking. The basic things that need to be changed to run pfSense HA in VMware ESXi are described here: https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-high-availability-clusters.html?highlight=esxi#hypervisor-users-especially-vmware-esx-esxi