My OpenVPN site-to-site: I can't seem to ping or access the other site, it doesn't stay stable
-
So I have my site-to-site pfSense-to-pfSense OpenVPN connected, and I had followed some videos, but I'm not sure if my PIA VPN is conflicting or not.
So I can make a connection and the connection stays up from site A to site B,
but when you ping a computer on the other network or the other pfSense box it will work, and if you stop and try again it can't ping it. You stop and start, say, 10 times and it will ping 4 or 5 times out of 10 tries. I find accessing server GUI web pages doesn't always like to load.
Is this a NAT issue, a compression issue under the OpenVPN tunnel? Could it be a gateway issue?
And what should NAT for site-to-site look like? I also was googling and saw something about WireGuard. Is WireGuard better for site-to-site? My IP is dynamic and changes when the DSL modem reboots etc., and I read WireGuard needs a static IP.
But yeah, that's what I'm trying to figure out: why my pinging and accessing is messed up. It's like when you have 2 computers on the network with the same IP address, and you know it will work sometimes and then not, because there are 2 computers with the same IP and it doesn't know which way to go. So it's acting similar to that.
I saw in another video they did a NAT setting; other videos don't do NAT, but I did this and it kinda works better... but the translation section I set to WAN Address; in the video it shows Network/Interface.
And should it be WAN address? Or Network & Alias?
And the network IP 172.168.0.0, that's the tunnel address.
-
You shouldn't need NAT here, assuming the two networks on each side are using different subnets.
Seeing alternate connections working seems more like you could be policy routing via a load-balanced gateway.
What firewall rules do you have passing traffic on the local LAN interface?
-
@stephenw10
And can I delete any of the NATs? They probably don't do anything. Do you see any that are not needed, etc.? Like this 1::128 or whatever they are; what is the 127 one, do I need all those, what does the 128 one do to a specific network?
Trying to make it run as smooth as possible.
I found if I didn't have the OpenVPN one it didn't want to communicate across the networks, and I found some articles have a NAT setting and some don't, so that's why I'm confused about what's the proper way.
I was having OpenVPN NAT for 192.168.1.0 instead of the 172.168.0.0 and that also caused glitching. So my networks are 192.168.0.0 and 192.168.1.0 for the two pfSense boxes.
As for my firewall rules, these are on the one server. The other server is similar, but I'll have to get pics later if you need them.
-
The site A main pfSense LAN firewall rules page is:
-
You can certainly remove that OpenVPN outbound NAT rule. It's NATing to the WAN address on the OpenVPN interface, which is always wrong!
The two localhost addresses (127/8 and 1/128) are not always needed. pfSense itself will usually use the WAN address directly.
It looks like you have switched OBN to manual mode? Better to use hybrid for most situations.
How exactly are you testing here? From what IP to what remote IP?
It could be the remote device blocking traffic itself. Some OSes (Windows) will block traffic from a different subnet by default.
-
@stephenw10
OK, I removed the OpenVPN interface to WAN address NAT. So what was that basically doing? You mentioned it doesn't work. And how come there is no OpenVPN interface in the NAT... So I removed it and it seems to be working a lot better. The reason I added it was a video from this guy:
https://www.youtube.com/watch?v=SVUE6tcznM4
At the 11 min mark he does the NAT for OpenVPN. Is it something that was needed in the past, as it is a 4 year old video? I have seen this in a couple of videos. And the reason I use manual NAT is that when I had NordVPN, and when I switched to PIA VPN, they both require manual mode....
What are the benefits of hybrid vs. manual?
And what do that 127/8 and the 1::128 do, like what happens on the network? So should I just remove the WAN one too, or leave it?
As for testing, I was pinging from my Unraid box on the network, a VM Ubuntu desktop, a VM Windows desktop and my main desktop, and I was pinging things like 192.168.1.1 and any IP on the 1.x network.
And to use WireGuard site-to-site you need static IPs, right? Can't use the dynamic one I get from the DSL modem?
-
So you're pinging directly by IP address (not hostname) between hosts on either end of the tunnel? And those subnets are 192.168.1.0/24 and 192.168.0.0/24?
And that's working now?
I prefer to use hybrid mode for OBN because it keeps the automatic rules. If you add or change some internal subnet the rules will be updated to allow connectivity.
If you want to intentionally prevent traffic going out of the WAN directly you can just add a 'do not NAT' rule.
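The checks stephenw10 describes in this thread can be run against a rule set before touching a live box: the LAN at each site must be a different subnet (and neither may overlap the tunnel network), an outbound NAT rule on the OpenVPN interface that translates to the WAN address is always wrong, hybrid mode is preferred over manual because it keeps the automatic rules, and a 'do not NAT' rule on WAN stops site-to-site traffic leaving the WAN directly. The script below is an added example written for this page, not code from the thread or from pfSense. The rule dictionaries and their field names (`interface`, `source`, `destination`, `target`, `nonat`, `descr`) are a constructed, simplified representation of the rules described above, not pfSense's own config.xml schema, and the subnets are the ones quoted in the thread.

```python
"""Sanity checks for a pfSense-style site-to-site OpenVPN outbound NAT setup.

Added example for this thread. Rule dictionaries are a constructed,
simplified model of the outbound NAT table, not pfSense's config.xml schema.
"""
import ipaddress

# Address plan as quoted in the thread (the tunnel address is quoted verbatim).
SITE_A_LAN = "192.168.0.0/24"
SITE_B_LAN = "192.168.1.0/24"
TUNNEL_NET = "172.168.0.0/24"

# Constructed outbound NAT table resembling the one the original poster had:
# the two localhost rules, LAN -> WAN, and the OpenVPN -> WAN address rule
# that stephenw10 says to remove. "wan_address" is an assumed label meaning
# "translate to the address of the WAN interface".
OUTBOUND_NAT_MODE = "manual"
OUTBOUND_NAT_RULES = [
    {"interface": "wan", "source": "127.0.0.0/8", "destination": "any",
     "target": "wan_address", "nonat": False, "descr": "localhost to WAN"},
    {"interface": "wan", "source": "::1/128", "destination": "any",
     "target": "wan_address", "nonat": False, "descr": "localhost6 to WAN"},
    {"interface": "wan", "source": SITE_A_LAN, "destination": "any",
     "target": "wan_address", "nonat": False, "descr": "LAN to WAN"},
    {"interface": "openvpn", "source": SITE_A_LAN, "destination": "any",
     "target": "wan_address", "nonat": False, "descr": "LAN over OpenVPN"},
]


def check_subnets(site_a_lan, site_b_lan, tunnel_net):
    """Return a list of overlap findings; site-to-site without NAT needs
    the two LANs and the tunnel network to be distinct, non-overlapping."""
    nets = {
        "site A LAN": ipaddress.ip_network(site_a_lan, strict=False),
        "site B LAN": ipaddress.ip_network(site_b_lan, strict=False),
        "tunnel": ipaddress.ip_network(tunnel_net, strict=False),
    }
    names = list(nets)
    findings = []
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            if nets[left].overlaps(nets[right]):
                findings.append(f"{left} {nets[left]} overlaps {right} {nets[right]}")
    return findings


def audit_outbound_nat(mode, rules):
    """Return (severity, message) tuples for the outbound NAT table."""
    findings = []
    if mode == "manual":
        findings.append(("info", "mode is manual; hybrid keeps the automatic rules, "
                                 "so a new or changed internal subnet still gets NATed out the WAN"))
    for rule in rules:
        if rule["interface"] != "openvpn":
            continue
        if rule["target"] == "wan_address":
            findings.append(("error", f"rule '{rule['descr']}': NAT to the WAN address "
                                      "on the OpenVPN interface; remove it"))
        else:
            findings.append(("warn", f"rule '{rule['descr']}': outbound NAT on the OpenVPN "
                                     "interface is not needed when the two LAN subnets differ"))
    return findings


def harden_outbound_nat(rules, local_lan, remote_lan):
    """Build the corrected table: drop every outbound NAT rule on the OpenVPN
    interface and put a 'do not NAT' rule for local LAN -> remote LAN on WAN
    ahead of the general LAN -> WAN rule (outbound NAT is first match wins)."""
    kept = [r for r in rules if r["interface"] != "openvpn"]
    no_nat = {"interface": "wan", "source": local_lan, "destination": remote_lan,
              "target": None, "nonat": True, "descr": "do not NAT site-to-site traffic"}
    return [no_nat] + kept


if __name__ == "__main__":
    for msg in check_subnets(SITE_A_LAN, SITE_B_LAN, TUNNEL_NET):
        print("address plan:", msg)
    for severity, msg in audit_outbound_nat(OUTBOUND_NAT_MODE, OUTBOUND_NAT_RULES):
        print(f"{severity}: {msg}")
    for rule in harden_outbound_nat(OUTBOUND_NAT_RULES, SITE_A_LAN, SITE_B_LAN):
        print("keep:", rule["interface"], rule["source"], "->", rule["destination"],
              "NO NAT" if rule["nonat"] else rule["target"], "|", rule["descr"])
```

Running it against the constructed table reports the manual-mode note and the error for the OpenVPN rule, and the hardened table contains only WAN rules with the 'do not NAT' rule first; re-auditing that table in hybrid mode returns no findings.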