• Block connection attemp from internal LANs
    0 Votes, 9 Posts, 326 Views
    johnpoz: @damianhl said in Block connection attemp from internal LANs: "there are many servers, printers, etc, with fixed IPs" You don't have to move them all at once. But this is normally why you would use DHCP, so you could easily migrate 100 if not 1000s of devices to a new IP scheme. But you can for sure just move one at a time if you so desired. The outage on any specific device would be very short - the time it takes to come up on its new IP. Such a scenario is one of the scenarios where it makes sense to run multiple layer 3 on the same network for a time, i.e. a transition. If me, I would, as you're migrating devices to a better network IP range, change them to DHCP with a reservation so, say, server 1 always gets IP X, server 2 always gets IP Y, etc. I would change your network to your new IP range, then put a VIP on pfSense for its old 150 address, etc. Then slowly move over the devices to DHCP on the new network, assigning the IP address you want for each device. You would just need to change the port forwards you currently have as you do.
• AirVPN + Open Port, I've tried everything and it's not worth it
    0 Votes, 18 Posts, 2k Views
    johnpoz: @neba said in AirVPN + Open Port, I've tried everything and it's not worth it: "pfSense and that it would give me confirmation that the port is open. qBit must also be started." pfSense doesn't listen and answer - it just forwards traffic it sees. If you want the port to show open, then yes, where you forward to would have to be listening on that port, and actually answer. Users also run into a similar sort of problem where they think it's a pfSense port forwarding problem, when it's just the client having its own firewall and not answering. All kinds of other problems as well - like where you're sending the traffic through pfSense isn't using pfSense as its gateway, so it sends the answer to some other gateway. pfSense port forwarding is pretty rock solid, stable and easy enough to set up. In all the years I have been here on the forums - to be honest I don't recall even one issue that was not a user issue.
• DCO mode can't creat tun interface
    0 Votes, 1 Posts, 128 Views
    No one has replied
• Still issues with peer-to-peer network
    0 Votes, 1 Posts, 87 Views
    No one has replied
• NordVPN Client - not working
    0 Votes, 10 Posts, 1k Views
    johnpoz: @br8bruno so gibberish that has zero to do with their interception of DNS. The only thing you could do to avoid interception would be to use, say, DoH, or DoT might not be intercepted or blocked, and you would know if intercepted because there is no way you would trust the cert they send back. Unbound can forward to DoT. But with normal resolving, DNS traffic is sent via 53, which they are intercepting. Part of DoH and DoT is avoiding interception, and actually validating you're talking to the NS you want to talk to. I have no issues with the technology in general, and sure it has some valid use cases. The problem I have with DoH is how browsers and apps are turning it on without explicit user acknowledgement and signoff, and make it difficult to block if you as the admin of your network do not want devices on your network using it. This is easy with DoT, you can just block port 853 - but DoH uses 443, which, without knowing the actual endpoint they are going to talk to, is impossible to block without breaking the internet for the devices on your network. Use some other VPN service is what I would do - one that doesn't mess with your DNS.
• OpenVPN and firewall troubleshooting
    0 Votes, 4 Posts, 238 Views
    Thanks @viragomann and @Gertjan! Your suggestions gave me stuff to look into further and I now have it working. The net is, check to make sure the correct interface is specified in the firewall rules. I also think including IPv4 and IPv6 (ipv4+ipv6) in the same rule makes things confusing for you and for the firewall itself. Tim
• Can’t reach remote host in peer-to-peer network
    0 Votes, 17 Posts, 1k Views
    Please see https://forum.netgate.com/post/1181349 and https://forum.netgate.com/post/1181336 for the final puzzle pieces that got it to work.
• Peer-to-peer authentication fails—why?
    0 Votes, 9 Posts, 858 Views
    Please see https://forum.netgate.com/post/1181349 for the final puzzle piece that got it to work.
• Still no reliable peer-to-peer connection, but progress made
    0 Votes, 6 Posts, 467 Views
    @viragomann said in Still no reliable peer-to-peer connection, but progress made: "And additionally all remote networks have to be stated in the server settings." This was the crux of the matter! Thank you very much!
• ubuntu 22 openvpn server to pfsense connects but no traffic
    0 Votes, 7 Posts, 283 Views
    Just checking back if anyone knows why the connection works perfectly in Android but won't work at all in the pfSense firewall?
• Export user configuration for use with peer-to-peer server?
    0 Votes, 1 Posts, 81 Views
    No one has replied
• 0 Votes, 1 Posts, 86 Views
    No one has replied
• No Traffic in Side-by-Side Tunnel
    0 Votes, 3 Posts, 120 Views
    Gamienator 0G: @viragomann Oh wow, that's true o.O Thanks for that!
• DCO available only on Plus version?
    0 Votes, 14 Posts, 724 Views
    @viragomann That is what I think. A lot of us have home labs, and $130 a year is much too much.
• Dashboard Traffic Graph VPN
    0 Votes, 5 Posts, 314 Views
    @the-other said in Dashboard Traffic Graph VPN: "what works:" Correct, that works fine. @the-other said in Dashboard Traffic Graph VPN: "I cannot even select opt1" Seems "different" that you can't even select it on the widget. My solution to the flat line was to unselect that graph, so it doesn't even try to show the flat line. Deal with it another day, since it looks like it is most likely a bug.
• Installing and configuring OpenVPN Access Server + pfsense
    0 Votes, 2 Posts, 598 Views
    If you are a n00bie like me, and are coming across this article... I figured it out. Below are the steps:
    1. Install OpenVPN Access Server (OpenVPN AS) on a Virtual Appliance or Dedicated Device.
    2. On your firewall, "pinhole" the OpenVPN port through the firewall (usually UDP Port 1194).
    3. Update the hostname of OpenVPN AS to a DNS entry that is accessible locally (e.g. 192.168.x.x) and globally (123.210.x.x).
    4. Get an SSL certificate from LetsEncrypt, and configure automatic renewals (guide).
    5. In OpenVPN Access Server, configure SAML Authentication with your Identity Provider (IdP) of choice (e.g. Entra, Google, IBM Verify, etc.).
    6. Within OpenVPN Access Server, configure your Access Control policy via User Permissions or Group Permissions.
    7. Use your phone to test whether your SAML authentication and OpenVPN Access Control policies are working.
    As for forum moderators and pfSense developers, I think it would be helpful if within your documentation you emphasised that OpenVPN Access Server is an easy option for organisations looking to implement an MFA-protected VPN solution. IMO everything on the web points to using OpenVPN embedded into pfSense, making organisations think that authentication via RADIUS and LDAP are the only options. Personally, for VPN I think it is safer to limit the number of times end-users need to enter their username/password. Instead, each time they access they should complete a push/biometric challenge. Since re-authentication is so much faster, you can make your VPN disconnect after a few minutes of inactivity. And end-users can't really complain, since reconnecting is so simple. OpenVPN AS has a FREE license that allows 2 concurrent connections. After that you have to purchase a subscription, which is reasonable, all things considered.
• Unable to connect to MS SQL
    0 Votes, 1 Posts, 72 Views
    No one has replied
• Coping of some files failes
    0 Votes, 2 Posts, 108 Views
    @pfadmin so it seems that OpenVPN is not the problem. I brought up a WireGuard tunnel with the same effect. The example file stops at 55% copied. If I use, on the same PC out of the same LAN, an OpenVPN connection we use for Roadrunners, then it works. I can not see the difference...
• OpenVPN: no longer access to my LAN, why?
    0 Votes, 4 Posts, 196 Views
    @slu After I turned off the IPsec tunnel it worked again. It routed everything to the IPsec tunnel. Of course I have a route for 192.168.0.0/16 into the IPsec tunnel and my local LAN is 192.168.1.0/24, but this normally should work (and it did), because the LAN is locally connected and connected routes are better than static. But I do not have so many subnets behind the IPsec tunnel, so I can route only the needed subnets.
• DNS leaks using OpenVPN client tunnel
    0 Votes, 69 Posts, 26k Views
    @gschmidt I stumbled upon this and, while you seem to have had your issue solved, I found two solutions within the several hours I was trying to fix this leak. One way is to use cmd in Windows and the OpenVPN community edition command line interface: "path to ovpn gui exe, keep quotations" --config "path to ovpn file to use, keep quotations" --block-outside-dns pause. OR change all DNS to Google or Cloudflare DNS in network connections; you can use this software to do it automatically instead of manually: https://www.sordum.org/9432/dns-lock-v1-5/
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.