Beginner issue with static routes

Hi,
It likely means you have triangle/asymmetric routing happening.

Packet goes from your PC to your 5009 to VPN 5009 to other end,
return packet goes from other end to VPN 5009 to your PC, so your 5009 doesn’t see return traffic
and stateful firewall gets upset.

A good way of checking is to change the following rule:

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

And make it only apply if the packet is coming from the WAN interface (in-interface=WAN), or disable it completely.
If it then works, this is likely the problem.

You could just leave it at that, but it is somewhat expensive CPU-wise on the 5009.
(It can't fast track these packets.)

You can add a DHCP Option 121 with some static routes (and the default route) to the 5009 DHCP Server so (modern) DHCP clients will
get the route over the VPN via DHCP.
Setting this up is a bit manual…
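
Added example, not part of the original post: a small encoder/decoder for the DHCP Option 121 value in the RFC 3442 classless static route format, producing the 0x-prefixed hex string that a RouterOS DHCP server option takes as its value. The subnet 10.20.0.0/16 and the gateways 192.168.88.2 (VPN 5009) and 192.168.88.1 (main 5009) are constructed sample values.

```python
import ipaddress


def encode_route(destination: str, gateway: str) -> bytes:
    """Encode one route as: prefix length, significant destination octets, gateway."""
    net = ipaddress.ip_network(destination, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("option 121 carries IPv4 routes only")
    gw = ipaddress.IPv4Address(gateway)
    significant = (net.prefixlen + 7) // 8  # /16 -> 2 octets, /0 -> 0 octets
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed


def encode_option_121(routes) -> str:
    """Return the option value as 0x-prefixed hex for a list of (destination, gateway)."""
    payload = b"".join(encode_route(dst, gw) for dst, gw in routes)
    if len(payload) > 255:  # a single DHCP option holds at most 255 bytes
        raise ValueError("option 121 payload exceeds 255 bytes")
    return "0x" + payload.hex()


def decode_option_121(value: str):
    """Decode a hex option value back to routes, to check what clients will receive."""
    data = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i}")
        n = (prefixlen + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dst = ipaddress.IPv4Address(data[i + 1:i + 1 + n] + bytes(4 - n))
        gw = ipaddress.IPv4Address(data[i + 1 + n:i + 1 + n + 4])
        routes.append((f"{dst}/{prefixlen}", str(gw)))
        i += 1 + n + 4
    return routes


# Constructed sample: remote subnet via the VPN 5009, everything else via the main 5009.
# The default route is included because clients that honour option 121 ignore the
# plain router option (RFC 3442).
SAMPLE_ROUTES = [("10.20.0.0/16", "192.168.88.2"), ("0.0.0.0/0", "192.168.88.1")]

if __name__ == "__main__":
    value = encode_option_121(SAMPLE_ROUTES)
    print(value)
    print(decode_option_121(value))
```
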