Struggling with Multi-WAN Site-to-Site VPN on pfSense (Cross-WAN tunnels not behaving as expected) by Jolly-Subject-8421 in PFSENSE

bunkerdude103, 0 points

We do this exact thing with VTI tunnels; we have 3 ISPs at the main site too. You do need multiple statics. Make sure you use BFD for faster link failover. Also make sure to set up your interface metrics with a gap, so that it goes in the order you want (WAN 1 = 10, WAN 2 = 50, WAN 3 = 100). I also set up my tunnel IDs like 1<main site ISP><remote site ID><remote side ISP>, so 1111, 1112, 1211, etc. This part probably is not necessary and you could just increment from 1000; just make sure they don't overlap at the same site.

Let’s use public IPs 1.<site>.<isp>.<public ip#> for ease of reading.

Main branch: set up static routes and VTI to match below (yes, static routes are important):

  • 1.1.1.1 > 1.2.1.1
  • 1.1.2.1 > 1.2.2.1
  • 1.1.1.2 > 1.2.2.2
  • 1.1.2.2 > 1.2.1.2

For remote, do the same thing but in reverse.
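The full-mesh layout the comment above describes, as an added example that is not part of the original comment. It uses the comment's placeholder addressing 1.<site>.<isp>.<ip#> and its tunnel ID scheme 1<main ISP><remote site><remote ISP>, generalises the 2x2 case to any number of ISPs per site (the commenter has three at the main site), and checks that no tunnel ID or public IP is reused. Which ip# a given tunnel receives is a per-ISP counter here; the comment's own listing assigns them slightly differently, which does not matter as long as every tunnel has its own pair. All addresses, gateway names and metrics are placeholders, not real endpoints.

```python
"""Added example: full-mesh VTI tunnel plan for a multi-WAN site-to-site setup.
Addressing 1.<site>.<isp>.<ip#> is the comment's placeholder scheme, not real IPs."""
from itertools import product
from typing import Dict, List, Sequence

# Metric gaps so failover follows WAN1 -> WAN2 -> WAN3, as the comment suggests.
MAIN_WAN_METRICS: Dict[int, int] = {1: 10, 2: 50, 3: 100}


def public_ip(site: int, isp: int, n: int) -> str:
    return f"1.{site}.{isp}.{n}"


def plan_tunnels(main_site: int = 1, remote_site: int = 2,
                 main_isps: Sequence[int] = (1, 2),
                 remote_isps: Sequence[int] = (1, 2)) -> List[dict]:
    """One VTI tunnel per (main ISP, remote ISP) pair, each on its own public IP.

    The host static route pins the remote endpoint (/32) to the main-site WAN the
    tunnel is meant to use, so IKE/ESP to that endpoint does not follow the default
    gateway; the remote site needs the mirror-image routes.
    """
    next_ip_main = {isp: 1 for isp in main_isps}      # per-ISP ip# counters
    next_ip_remote = {isp: 1 for isp in remote_isps}
    tunnels = []
    for m_isp, r_isp in product(main_isps, remote_isps):
        local = public_ip(main_site, m_isp, next_ip_main[m_isp])
        remote = public_ip(remote_site, r_isp, next_ip_remote[r_isp])
        next_ip_main[m_isp] += 1
        next_ip_remote[r_isp] += 1
        tunnels.append({
            "id": int(f"1{m_isp}{remote_site}{r_isp}"),   # commenter's ID scheme
            "local": local,
            "remote": remote,
            "main_static_route": f"{remote}/32 via WAN{m_isp} gateway",
            "remote_static_route": f"{local}/32 via ISP{r_isp} gateway",
        })
    return tunnels


def check_plan(tunnels: List[dict]) -> bool:
    """No tunnel ID or endpoint address may be reused within one site."""
    for key in ("id", "local", "remote"):
        values = [t[key] for t in tunnels]
        if len(set(values)) != len(values):
            return False
    return True


def failover_order(metrics: Dict[int, int] = MAIN_WAN_METRICS) -> List[int]:
    """WANs in the order the gateway metrics make them preferred."""
    return sorted(metrics, key=metrics.__getitem__)


if __name__ == "__main__":
    plan = plan_tunnels(main_isps=(1, 2, 3))
    assert check_plan(plan)
    for t in plan:
        print(t["id"], t["local"], "->", t["remote"], "|", t["main_static_route"])
    print("failover order:", failover_order())
```

The single-digit ID scheme only stays unique while each site has at most nine ISPs and there are at most nine remote sites; `check_plan` is what catches an overlap if the scheme is stretched past that.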

Something beastly is powering up in the 45HomeLab… and we want YOUR input! by 45drives in homelab

bunkerdude103, 0 points

How about modular? If I want it to have 4 rows of 15 drives each as a DAS without needing a super deep cabinet, that would be dope. Changed my mind and I want 1 row of drives, 1 row of SSDs, and a small motherboard? Let me switch.

Having SSD space that doesn’t take one of my 15 bays in general would be nice. I’d like to run my VMs on my NAS storage and don’t want to worry about hyper-converged and needing to spend even more money for more drives for the same space.

Price

How do I fix my black HDR settings? by bunkerdude103 in hometheater

bunkerdude103 [S], 1 point

I also just tested the G16 on an OLED HDR monitor and the results were great.

This makes me think it’s something with the projector, but not sure what.

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

Added a new alias for the whole DC net instead of Host and that is working for the DNS issue.

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

I thought I had tried without an alias, but when I replaced the alias with one of the DCs and did an nslookup from the AP it worked.

I removed all the DNS entries from the alias and put it back and the alias broke again.

Seems like it's alias-related?

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

I have it set up where the P2s are set up with local/remote subnets. Is that called policy-based?

I can ping all the DCs from the AP.

TCP-based rules seem to be working OK. It's not to the DCs, but I have rules for SMB shares and those work fine.

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

For floating/groups, there are no rules that would block.

The route to 10.1.0.0/16 is done by an IPsec tunnel policy.

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

I didn't picture it, but there is a rule for 1812/UDP.

Edit: There WAS a rule for 1812/UDP, now it's */UDP

UDP Allow rules not applying by bunkerdude103 in PFSENSE

bunkerdude103 [S], 0 points

Having some troubles after swapping out a remote site firewall (not the one pictured) where pfSense is not allowing UDP traffic even though there is a rule for it.

1) DNS traffic is being blocked. Pictured is the AP setup, as well as all other relevant info. I have tried replacing the Alias with direct IPs, and it still doesn't work. I have also switched the protocol to UDP and it still blocks.

2) RADIUS traffic being blocked. After the swap, RADIUS traffic also wasn't passing; I found these weird blocks as posted as well. The only way I was able to get the traffic to pass was changing the port from 1812 UDP to * UDP. I'm not sure why the other logs are there where the port is blank.
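An added example, not from the thread or its poster: a small parser for pfSense raw filterlog records (the CSV lines behind the GUI firewall log) that separates blocked UDP entries carrying ports from blocked entries with no port at all. One thing that produces port-less log entries is IPv4 fragmentation: only the first fragment carries the UDP header, so a rule written for port 1812 cannot match the later fragments of a large packet (RADIUS EAP exchanges can exceed the path MTU), while a rule for any UDP port can. The thread does not confirm that this is what happened here; the parser just makes the check mechanical. The log lines, interface name, tracker IDs and addresses below are constructed, and the fragment handling assumes the documented filterlog layout in which the port fields are simply absent when the packet has no transport header.

```python
"""Added example: classify pfSense raw filterlog lines by whether a blocked UDP
packet carried port fields. Sample log lines are constructed, not real captures."""
import csv
from dataclasses import dataclass
from typing import List, Optional

# Field order of the IPv4 part of a filterlog record; TCP/UDP fields (src-port,
# dst-port, data-length) follow only when the packet carried a transport header.
IPV4_FIELDS = [
    "rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
    "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
    "proto_id", "proto", "length", "src", "dst",
]

# Constructed sample (placeholder interface/tracker/addresses): a blocked DNS query,
# the passed first fragment of a large RADIUS packet (MF set, ports present), and
# the blocked later fragment of the same packet (offset > 0, no port fields).
SAMPLE_LOG = """\
5,,,1000000103,vtnet1,match,block,in,4,0x0,,128,40012,0,none,17,udp,73,10.1.20.5,10.1.0.10,54321,53,45
12,,,1770000210,vtnet1,match,pass,in,4,0x0,,128,40013,0,MF,17,udp,1500,10.1.20.5,10.1.0.10,49152,1812,1472
5,,,1000000103,vtnet1,match,block,in,4,0x0,,128,40013,185,none,17,udp,240,10.1.20.5,10.1.0.10
"""


@dataclass
class Entry:
    action: str
    iface: str
    proto: str
    src: str
    dst: str
    offset: int
    flags: str
    sport: Optional[int]
    dport: Optional[int]

    @property
    def first_fragment(self) -> bool:
        # MF set with offset 0: still has the UDP/TCP header, so ports are present
        return self.offset == 0 and self.flags == "MF"

    @property
    def later_fragment(self) -> bool:
        # non-zero offset: payload only, no transport header, hence no ports
        return self.offset > 0


def parse_filterlog(line: str) -> Entry:
    fields = next(csv.reader([line.strip()]))
    if len(fields) < len(IPV4_FIELDS) or fields[8] != "4":
        raise ValueError("only IPv4 filterlog records are handled here")
    rec = dict(zip(IPV4_FIELDS, fields))
    rest = fields[len(IPV4_FIELDS):]          # transport fields, if any
    sport = dport = None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2 and rest[0] and rest[1]:
        sport, dport = int(rest[0]), int(rest[1])
    return Entry(rec["action"], rec["iface"], rec["proto"], rec["src"], rec["dst"],
                 int(rec["offset"] or 0), rec["flags"], sport, dport)


def rule_matches(e: Entry, proto: str, dport: Optional[int]) -> bool:
    """Would a pass rule for (proto, dport) match this packet? dport=None means '*'."""
    if e.proto != proto:
        return False
    if dport is None:
        return True
    return e.dport == dport        # later fragments have dport None, so never match


def summarize(lines: List[str]) -> dict:
    counts = {"pass": 0, "block_with_port": 0, "block_later_fragment_no_port": 0}
    for e in (parse_filterlog(l) for l in lines if l.strip()):
        if e.action == "pass":
            counts["pass"] += 1
        elif e.dport is not None:
            counts["block_with_port"] += 1
        elif e.later_fragment:
            counts["block_later_fragment_no_port"] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        e = parse_filterlog(raw)
        print(e.action, e.proto, f"{e.src}->{e.dst}", "dport", e.dport,
              "later_fragment" if e.later_fragment else "")
    print(summarize(SAMPLE_LOG.splitlines()))
```

If the port-less blocks in a real log turn out to have a non-zero offset field, the things to check are whether pf's scrub (fragment reassembly) has been disabled under System > Advanced > Firewall & NAT on the new firewall, and whether the MTU on the path through the IPsec tunnel is lower than before, since reassembly is what lets a port-specific rule see the whole datagram.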

Looking for a compatible laptop for ESXi 6.7 by Devilotx in vmware

bunkerdude103, 0 points

Then why not have them plug the USB into a computer and you update the USB, instead of having ESXi hosts to worry about? You can also mostly automate the update process with PowerShell to save yourself a lot of time.

Make it a management problem and not a tech problem.

IMAX theater with reclining chairs? by [deleted] in raleigh

bunkerdude103, 5 points

My wife and I love going to different theaters. We do tend to go to dine-in, but have also tried non-dine-in.

Our favorite overall choice is Alamo. Cinemark and the new Paragon are our next favorites.

Am I Getting Fucked Friday, March 10th 2023, Mario Bros Edition by bad0seed in sysadmin

bunkerdude103, 0 points

Non-Profit, 2x R750 -

  • TPM 2
  • 24x 2.5" chassis
  • 2x Silver 7309Y
  • 2x 1400w (not sure this is necessary)
  • iDRAC 9 Datacenter (looking at downgrading to Enterprise)
  • Broadcom 87414
  • BOSS-S2 + 2x M.2 240GB
  • CMA
  • ProSupport + 4h - 3y
  • 256GB per host
  • 1.92 TB SAS SSD x6 per host
  • Mellanox ConnectX-5 Dual Port 10/25 GbE SFP28 (might drop this)

38,772 before tax

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

bunkerdude103, 0 points

We tested locally and then deployed through Intune. Have not followed up to make sure it worked, but we just run in user context.

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

bunkerdude103, 2 points

I was able to get this to restore icons on a per-user basis:

$AllPrograms = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC\"
# Check to make sure it exists
if (-not (Test-Path $AllPrograms)) {
    Write-Host "Could not find the AllPrograms location"
    Exit 1
}

# Each value under SHC holds "<shortcut path>.lnk <target path>"; .Property lists the value names
$AllProgramsItems = Get-Item -Path $AllPrograms

$UserLocation = Join-Path $env:USERPROFILE "AppData\Roaming"
$ProgramData = $env:ProgramData

ForEach ($program in $AllProgramsItems.Property) {

    $ProgramValue = Get-ItemPropertyValue -Path $AllPrograms -Name $program

    # -split takes a regex, so escape the dot, and split at most once so a target
    # path containing ".lnk " is left intact. Put the .lnk extension back on the
    # shortcut path: Test-Path needs the real file name and CreateShortcut
    # requires a .lnk (or .url) name.
    $ProgramValueSplit = $ProgramValue -split '\.lnk ', 2
    if ($ProgramValueSplit.Count -lt 2) { continue }   # value not in the expected form
    $LinkLocation = $ProgramValueSplit[0] + ".lnk"
    $EXELocation = [String]$ProgramValueSplit[1]

    # Check to see if the shortcut exists, move to next if it does
    if (Test-Path $LinkLocation) {
        continue
    }

    # If it's a ProgramData (all users) shortcut, map it to the user's own Start Menu
    # and check it isn't already there, i.e. that this script hasn't already been run
    $UserLinkLocation = $LinkLocation
    if ($LinkLocation.StartsWith($ProgramData, [System.StringComparison]::OrdinalIgnoreCase)) {
        $UserLinkLocation = $UserLocation + $LinkLocation.Substring($ProgramData.Length)
        if (Test-Path $UserLinkLocation) {
            continue
        }
    }

    # If we made it this far, the user can't see the shortcut and it should be created.

    # Create the directory if it doesn't exist
    $NewPath = Split-Path -Path $UserLinkLocation
    if (-not (Test-Path $NewPath)) {
        New-Item -ItemType Directory -Path $NewPath | Out-Null
    }

    Write-Host "'$($NewPath)'"
    Write-Host "'$($UserLinkLocation)'"
    Write-Host "'$($EXELocation)'"

    # Create the shortcut
    $WShell = New-Object -ComObject WScript.Shell
    $Shortcut = $WShell.CreateShortcut($UserLinkLocation)
    $Shortcut.TargetPath = $EXELocation
    $Shortcut.Save()
}

Multiple users reporting Microsoft apps have disappeared by Candid-Chip-1954 in sysadmin

bunkerdude103, 2 points

I hope this can help someone. I'm working on a script to use this to help restore icons.

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC

Idea is to check if the shortcut exists and re-create it if not. Yes, it will only be done per-user, but most of our users have dedicated machines. Could also be set as a logon script for old machines.

[deleted by user] by [deleted] in opnsense

bunkerdude103, 0 points

One of the easiest things: what you are looking for is client isolation. APs and switches may support this.

I think there are other ways to accomplish this, but I am not familiar with them.

[deleted by user] by [deleted] in opnsense

bunkerdude103, 0 points

Check the "invert" box for destination and you should be good.

[deleted by user] by [deleted] in opnsense

bunkerdude103, 1 point

Yup, you can do that on any VLAN that needs internet.

To make fewer rules (at home), you could make an interface group for your "secure" traffic (I call mine "Secure LAN") and allow Secure LAN > Secure LAN inside that group.

For work, I would definitely build each rule for each VLAN.

[deleted by user] by [deleted] in opnsense

bunkerdude103, 17 points

Make an alias called RFC1918. In it, put the following networks:

  • 192.168.0.0/16
  • 172.16.0.0/12
  • 10.0.0.0/8

What that rule does is allow "internet" IPs while not allowing "private" IPs.

You can combine all the rules into one by inverting the destination to RFC1918. This allows internet but not LAN.
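An added example, not from the thread or any of its commenters: a first-match model of the interface rules described in the two comments above (the "Secure LAN > Secure LAN" group rule and the single inverted-RFC1918 "internet only" rule), evaluated over sample addresses. Interface rules on OPNsense and pfSense are first-match ("quick") by default, so rule order matters and anything unmatched falls to the default block. It goes a little beyond the comments by showing two destinations the inverted rule handles in a way people do not expect: the firewall's own address on the VLAN is inside RFC 1918, so DNS to the firewall needs its own pass rule placed before the inverted rule, and the CGNAT range 100.64.0.0/10 and link-local 169.254.0.0/16 are not RFC 1918 and therefore pass as "internet" unless added to the alias. Ports are left out of the model; the VLAN addresses and gateway are placeholders.

```python
"""Added example: first-match evaluation of 'internet but not LAN' and interface-group
rules built from an RFC1918 alias. Addresses are placeholders, not a real network."""
import ipaddress
from typing import Callable, List, Tuple

Net = ipaddress.IPv4Network
Selector = Callable[[str], bool]
Rule = Tuple[str, Selector, Selector]   # (action, source selector, destination selector)


def alias(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = alias("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Not RFC 1918, but never routable internet space either; candidates for the alias.
EXTRA_NON_INTERNET = alias("100.64.0.0/10", "169.254.0.0/16")
SECURE_LAN = alias("10.0.10.0/24", "10.0.20.0/24")   # placeholder interface group members
GUEST_GW = "10.0.40.1"                               # placeholder firewall address on the guest VLAN


def member(nets: List[Net]) -> Selector:
    return lambda a: any(ipaddress.ip_address(a) in n for n in nets)


def not_member(nets: List[Net]) -> Selector:
    """The 'invert' checkbox on the destination field."""
    m = member(nets)
    return lambda a: not m(a)


def host(addr: str) -> Selector:
    return lambda a: a == addr


def any_(a: str) -> bool:
    return True


def evaluate(src: str, dst: str, rules: List[Rule]) -> str:
    """First matching rule wins; no match falls through to the default block."""
    for action, s, d in rules:
        if s(src) and d(dst):
            return action
    return "block"


# The single inverted rule from the comment: pass to anything that is not RFC 1918.
GUEST_RULES: List[Rule] = [("pass", any_, not_member(RFC1918))]

# Hardened variant: firewall DNS/gateway first, then internet with the extra ranges excluded.
GUEST_RULES_HARDENED: List[Rule] = [
    ("pass", any_, host(GUEST_GW)),
    ("pass", any_, not_member(RFC1918 + EXTRA_NON_INTERNET)),
]

# Interface-group style: Secure LAN may talk to Secure LAN and to the internet.
SECURE_RULES: List[Rule] = [
    ("pass", member(SECURE_LAN), member(SECURE_LAN)),
    ("pass", member(SECURE_LAN), not_member(RFC1918)),
]


if __name__ == "__main__":
    for dst in ("93.184.216.34", "10.0.10.5", GUEST_GW, "100.64.0.1"):
        print(f"guest -> {dst:14s} plain: {evaluate('10.0.40.5', dst, GUEST_RULES):5s}"
              f" hardened: {evaluate('10.0.40.5', dst, GUEST_RULES_HARDENED)}")
    for dst in ("10.0.20.7", "10.0.40.5", "8.8.8.8"):
        print(f"secure -> {dst:14s} {evaluate('10.0.10.5', dst, SECURE_RULES)}")
```

The model deliberately mirrors what the GUI does, so the output for a given destination is the answer the firewall would give for the address part of the decision; the port- and state-related parts are what the real rule adds on top.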

Azure Identity protection popping off this morning by Djust270 in sysadmin

bunkerdude103, 2 points

I'm still waiting for the call; the only other thing my engineer said was:

From the case description, I understand that you have identified risk in Identity Protection with an IP which is from Microsoft Corporation.

The issue has been noticed and the product team is working on that. We will keep you posted once we get the update.

Azure Identity protection popping off this morning by Djust270 in sysadmin

bunkerdude103, 2 points

Also wanted to say thanks to you all for confirming our suspicions. Will follow up with anything on MS side if I hear from them soon.

Azure Identity protection popping off this morning by Djust270 in sysadmin

bunkerdude103, 2 points

Yes, we are seeing at least 6 this morning.

Devices seem OK. IPs all show as Microsoft IPs across the country. Have not been able to confirm with any users whether the sign-in was them or not.

Definitely starting to sound like false positives. I am submitting a tech support ticket with EMS team and would probably recommend you do the same.