Netgate Discussion Forum

    Static routes are not used when trying to communicate between 2 pfSense CE

    urbantao:

      Hi,

      I've got a strange issue in my configuration. I have 1 pfSense used as an OpenVPN client and another pfSense for a local network. I also have an internet gateway which is the default GW for both pfSense. Static routes were created to make the OpenVPN client ping the LAN behind the other pfSense without going through the internet gateway. Fallback routes were also created. But when a VPN client pings the LAN behind the other pfSense, the echo reply goes through the internet gateway even though I have a static route...!

      Here is a small explanation with a diagram:
      [attached image: Capture d’écran du 2025-07-01 09-38-02.png]

      Did anyone have an issue like that?

      viragomann @urbantao:

        @urbantao
        I suspect that the response packets are sent to the upstream gateway anyway due to reply-to tagging.

        You should be able to circumvent this by editing the rule which allows access from the VPN on the WAN. In the advanced options you can check "Disable reply-to".
        If you have multiple rules on WAN, move this one up to the top.

        Alternatively you can disable reply-to globally by checking
        System > Advanced > Firewall & NAT > Disable reply-to.

        urbantao:

          Oh, thanks for the hint!

          Your suspicion is exactly as you describe. But I don't understand why? Is that a bug or a mistake on my part?

          viragomann @urbantao:

            @urbantao
            No, it's a feature of pfSense.

            reply-to is useful in a multi-WAN setup, where multiple upstream gateways are connected to multiple interfaces and each is specified in the respective interface settings.

            pfSense uses the WAN rule, which allows the incoming traffic, to tag the connection with the gateway assigned to the respective interface. With this, pfSense can route response packets back to the proper gateway, no matter whether it is the default upstream gateway.

            However, in your setup two gateways are connected to a single interface. Hence this does not work for you, because pfSense routes the response packets to the upstream gateway (which is assigned to the WAN), and you have to disable reply-to for traffic from the VPN router.

            urbantao:
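As an added illustration of the behaviour described above (not taken from the thread or from pfSense's own generated ruleset), here is the WAN pass rule in pf syntax with the reply-to tag pfSense adds by default, beside the same rule with "Disable reply-to" checked. Interface name, addresses and rule label are assumed placeholders.

```pf
# Assumed topology (constructed, not the poster's real addresses):
#   em0 = WAN of the LAN-side pfSense, 203.0.113.10/24, upstream gateway 203.0.113.1
#   VPN pfSense on the same segment at 203.0.113.20, OpenVPN clients in 10.8.0.0/24
#   LAN behind the LAN-side pfSense: 192.168.1.0/24
#   Static route on the LAN-side pfSense: 10.8.0.0/24 via 203.0.113.20

# Default: the state created by this rule carries the WAN interface's gateway,
# so echo replies toward 10.8.0.0/24 are handed to 203.0.113.1 and the static
# route pointing at 203.0.113.20 is never consulted for those replies.
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto icmp \
    from 10.8.0.0/24 to 192.168.1.0/24 keep state label "USER_RULE: allow VPN clients"

# With "Disable reply-to" checked on the rule (or globally under
# System > Advanced > Firewall & NAT): no reply-to clause, so replies follow
# the routing table and go directly to 203.0.113.20.
pass in quick on em0 inet proto icmp \
    from 10.8.0.0/24 to 192.168.1.0/24 keep state label "USER_RULE: allow VPN clients"
```

On the pfSense shell, `pfctl -sr` prints the loaded ruleset, so you can confirm whether the rule in question still carries a reply-to clause after the change.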

              Ok, I tried your solution, and it's ok. Really, thank you for the solution and for the explanation. I really don't like doing things without understanding what I'm doing and why.

              One more time, thank you.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.