Topics tagged with multiwan

global IPV6 addresses are not routed into the LAN and to the client

Globaltrader312 — Invalid Date

@Globaltrader312 I have now also removed the firewall rules under NAT

Dual OpenVPN-Setting, CARP & Failover (HA, MultiWAN)

JeGr — Invalid Date

@Sperber said in Dual OpenVPN-Setting, CARP & Failover (HA, MultiWAN): (Vorkbaard hat das bereits beschrieben: https://vorkbaard.nl/openvpn-in-a-pfsense-carp-cluster/ ) Die Info ist aber relativ alt und nicht zutreffen. Wir haben da sehr verschiedene und komplexe Services laufen und keiner braucht irgendwelche seltsamen Settings mit "local " o.ä. - das sollte heute überhaupt nicht mehr nötig sein. Macht im CARP Setup auch keinen Sinn, da die CARP VIPs alle auf dem Master laufen und man diese so nicht ansprechen kann. Split CARP mit Master/Backup auf dem selben Node ist in der FreeBSD Variante von CARP/pf nicht enthalten, das ist leider nur in OpenBSD enthalten. Mich interessiert allerdings auch wie @viragomann wie man überhaupt auf der 2. pfSense im CARP die Annahme von OpenVPN erlauben will. Der Traffic kommt ja nicht bei ihr an, weil der via CARP IMMER zur primären läuft, nicht auf den sekundären Node. Und wenn man das forwarden sollte auf Node 2, würde der Node versuchen asymmetrisch zu antworten (oder es läuft alles wieder über Node1), was auch wieder nicht sehr schön ist. Wie ist das also realisiert, dass die Clients sich auf Node2 connecten und das auch funktioniert, wenn Node2 mal aktiv wird und Node1 passiv weil vlt. gerade gewartet wird o.ä.? Ansonsten wäre mir schleierhaft wie das im Redundanzfall wirklich sauber funktionieren sollte ohne dass manuell eingegriffen wird? Cheers \jens

How would I combine 2 WAN routing the same subnets ?

bgpnoob — Invalid Date

So I got a pretty shit setup to work with and my networking knowledge is limited.

We have 2 WAN on premise behind CGNAT e.g. Main & Backup

2 Cloud PoP's announce our IPv4/IPv6 PA and route it via tunnel to our 2 WAN.

Let's say on Pfsense WAN1 will have ASxxxx1 via PoP1 and WAN2 will have ASxxxx2 via PoP2

Routing 5.5.5.5/28 and 2001:/48

My guess would be I setup a third interface let's just call it WAN with 192.168.1.1/24 and fd00::/8 and then setup routes to route 5.5.5.5/28 via 192.168.1.1/24 and same for IPv6 ? Then I can setup VIP's, do outbound PBR / NAT using a weighted gateway group and just setup DHCP4/6 as usual via the single WAN interface ?

I have the feeling I'm doing something wrong and there is a better way ?

My head hurts, please don't talk about CGNAT it is what it is.

Concurrent Multi-WAN

SteveITS — Invalid Date

@aiden21c it’s always the last place you look…

wireguard multiwan doesnt properly round robin traffic

Viss — Invalid Date

Hello!

Multiwan wireguard setup in round-robin doesn't treat traffic the same as exactly the same setup without wireguard.

My setup:
I have a dual-isp setup (cox & starlink), and I have all outbound traffic flowing across wireguard tunnels to a second pfsense appliance in a colo.

I've been able to force wireguard to create tunnels on the appropriate interfaces (since you cant bind it to one) by using static routes. The receiving end is using two IPs for this, and I've created rules on the far end to only permit the appropriate source IP to land on the designated target IP.

The issue:
When using the wireguard tunnels, the same exact round-robin multiwan setting (two gateways, both set to tier 1) traffic only flows over one gateway and the second is idle. If I switch to just using the naked gateways versus the wireguard interfaces, traffic flows as expected and is properly load balanced across both links.

A wrinkle:
If I setup policy rules on the LAN firewall section to specify the same exact gateway group, and also have the default gateway for the firewall using the same group "it kinda works", but I only get about 75% of the bandwidth - the graphs do show traffic flowing across both links, though.

Expected functionality: I would expect that round-robin multiwan would work exactly the same over wireguard versus over naked isp links.

I'm not 100% sure why using wireguard tunnels in a round-robin config would cause the round-robin part to just 'not apply', and I'm even more confused about adding the policy routing component making it mostly work.

Any help here would be great!

MTU question with MultiWan/OpenVPN/Wireguard

murdof — Invalid Date

Hi everyone,

I have some questions about MTU values.
Note that I have not set MSS values anywhere

Current MTU values for my interfaces:
LAN: 1500
VDSL PPPoE: 1492
5G DHCP: 1380 (provider using the same value to get optimal upload speed)
OpenVPN: (nothing set)
WG1: 1320 (over 5G)
WG2: 1320 (over 5G)
WG3: 1432 (over VDSL)
WG4: 1432 (over VDSL)

Now if I try to test my MTU from my Windows 10 PC (1500 MTU set), I get "Packet needs to be fragmented but DF set" with 1472 (1500-28).

I assume that this is happening because it tries to route through the PPPoE which is 1492 or even through the 5G which is 1380 (depending on rules).

For example, I solved download problems of my VMs that go through WG2 by setting the MTU size in Windows to 1292.

Question now is that I have devices that I can't really set/change the MTU size - e.g. LG TV.

So what are the optimal values for MTU (and possibly MSS) that I should be setting on PFSense side without touching and configuring other devices (e.g. the TV)

Sorry I'm not an expert with MTU/MSS so any help is appreciated.

pfBlockerNG blocking SMTP

Gertjan — Invalid Date

@alek said in pfBlockerNG blocking SMTP: No ? That's the easy / easier way. Have a look at this list : Youtube Netgate everything you always wanted to know, and more. There is a Muti WAN video. There is a video about VIP, Carps, etc. The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.

Issue with multi wan & high availability setup - authenticating with radius

se_marc — Invalid Date

please see this post for way more information.

WireGuard MultiWAN Not Failing Back to Tier1

rafe — Invalid Date

@luckman212 Has this been integrated into a subsequent release or is this patch still valid? I'm having the same issue on 23.05.1-RELEASE.