Tablets useless, good enough for TV and maybe turning lights on and off like a remote lol
I used this setup to set it all up
I guess I'll fiddle with VPN LAN, not sure how lol
@philw Thanks. I also currently have a fully working OpenWRT (LEDE) setup. This does the job very well. But, there are certain little things that can be annoying (for me at least). So I am wanting to replicate all my existing LEDE settings with pfSense and will be comparing which I like better.
After setting this up and installing this router on the remote side, after several days of testing I noticed that there was a 50% decrease in internet speed, so I had to route just the traffic for my primary side, leaving the remote side with its own uplink for internet.
From the primary side to the secondary there is a distance of 30 km, and both have uplinks of 100/100 Mbps.
Here is the issue described:
I found a temporary work-around until I can figure out how to delay the start of the additional OpenVPN tunnels...
Reason I like to use my internal DNS server:
My biggest issue was trying to privatize as much of my DNS queries as possible. I generally run DNS performance checks against public DNS servers as well as my ISP's to get the best performance and set those as my upstream servers from my internal DNS setup. I also like running my DNS queries out a VPN tunnel to completely prevent the ISP doing DNS interceptions (or just recording).
The compromise I found was to try and use DNS over TLS for ONLY the pfsense DNS. This allows me to somewhat obscure my DNS queries to my VPN servers, but also allow pfSense to bring up the tunnel interfaces without going into the weird routing/nat bug by being able to resolve them right away.
Yes. You have to configure the VPN routes, and the firewall rules on all firewalls must allow the access.
Assuming there is a pfSense3 in front of office3 and the VPN connections are site-to-site and the routes between 1-2 and 3-4 are already working, on pfsense1 add the office3 LAN to the "remote networks" in the OpenVPN config and on pfsense3 add the office1 LAN to the "remote networks".
Both endpoints, pfsense1 and 3, have to be the default gateways in the LANs.
@jimp said in packet HMAC authentication failed on peer-to-peer (shared key):
Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.
I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same.
EDIT: Checked and both are identical.
I understand your testing of RFC1918 as "internet", I even stated such..
I am not complicating anything... You put up a drawing with
client rfc1918 --- internet --- made up public IP..
How are they supposed to talk to each other if on the same L2?
Yes, if your test shows you can connect through your router to pfSense, then yes, if you put an actual public IP on it you should be able to get to it from the internet.
You probably can't afford me.. :)
This is actually pretty simple after you get the actual tunnel up..
IPv4 Remote network(s)
Box 1 LAN 192.168.10.0/24 use 192.168.20.0/24 for this option
Box 2 LAN 192.168.20.0/24 use 192.168.10.0/24 for this option
Go to (yourpfsenseip)/firewall_rules.php?if=openvpn
What do your firewall rules look like?
It sounds like your pfSense machine is behind another router, because as you state, 192.168.2.2 is a non-routable RFC1918 address. Assuming you have access to the router in front of it, you'd need to use its public WAN IP instead, and configure appropriate port forwarding to the pfSense machine.
Won't work out very well.
I made setup choices, and have constraints like "a router in front of a router".
I'm also using an IPv6 network from he.net, so my OpenVPN also exposes an IPv6 to the connected clients.
I decided not to use user and password: the certs on both sides, client and server, will do the authentication.
You have to make up your list with what you want, and then you feed Google with "pfsense setup openvpn" and you choose a recent how-to and you follow the step-by-step.
Also install the vpn-client-export package.
For what it's worth:
Your pfSense would still need a DNS for lookups. You can either allow it to override or use your own choosing, or even point the pfSense to the Windows DC.
IF, and IF you are using the VPN for the outbound DNS connection to the internet for your pihole, and your VPN service uses a DNS name and not an IP address, it will be a problem and the VPN connection may get in a hung state (my exact issue I'm having now with not having the tunnel up and the pfSense needing DNS). I'm going to play with some settings on my own setup to see a workaround for this.
You should probably paste screen shots of what you have done and not a textual representation of what you think you have done. Screen shots of Diagnostics > Routes, the OpenVPN client and server, and the OpenVPN Firewall rules would be a good start.
Please be a little more specific, like instead of I can ping from 10.6.0.0/24 to 10.3.0.0/24 try I can ping from 10.6.0.101 to 10.3.0.62.
What is an OpenVPN foreign network ??
@unknowneleven said in Difficulties on pfSense 2.4.3-p1 and OpenVPN on WAN TCP 443:
Hi. I have been trying to make OpenVPN work on TCP 443 since day one that I installed pfSense. I've managed to get it working in pretty much any port and protocol I've tried, except on TCP 443. I knew that it could conflict with the webConfigurator port, so from the beginning of the installation I changed its port to 8443, and I've even checked on Sockets that there is indeed no other service binding or trying to bind on WAN:443, only OpenVPN.
I've tried to connect on my phone and my notebook, but none will. Ironically, when I try to connect from inside my LAN, it works immediately. It only doesn't connect from outside my network.
I've checked my firewall rule on the WAN interface, but it's as it should be.
In fact, when I try to connect to the OpenVPN on TCP 443, a strange connection appears on Sockets, with question mark (?) identification on the WAN IP:443 and the other end IP:port.
Basically, that tells me that it's not a problem in the end device, for it reaches the firewall. But it seems that pfSense, or OpenVPN, do not identify that connection as OpenVPN on TCP 443.
I've tried everything I could find, even the port-share localhost 443.
If someone can give me some light, I'll be forever grateful.
My setup: OpenVPN on WAN, to TCP 443. Firewall rule on WAN: pass TCP any to WAN address on HTTPS (443).
Just remembering: OpenVPN works on any other port I tried. It doesn't work only in TCP 443 (though I never tried UDP 443).
Also, I've got Dynamic DNS on the configuration, so the client is set to connect to the DDNS.
@aileron said in Route one subnet through VPN, another one through regular gateway?:
These will be connected to the same physical interface.
Doesn't work that way. If your network is 192.168.0/24 you cannot just add devices using 192.168.1/24.
I would suggest you do some research on basic networking 101 before you start playing with policy routing. Change your lan network to /23 if you want to use both .0.x and .1.x addresses. Or put this .1/24 on its own vlan, etc.
Then it's very simple to policy route out any clients you want via your VPN. Just make sure to turn off the default route from your VPN connection in pfSense and just policy route who you want to use or not use the VPN connection.
@stephenw10 Well you won't believe what it was, it was the WPAD. As site 1 has WPAD I also had the proxy auto detect on site 2; I disabled the auto detect and bam, showing the real WAN IP for the websites. I guess now I have to see how I can disable that.
I realize that this is an old post, but I couldn't find the answer to the Interface Group order anywhere in the forums. Using /tmp/rules.debug, I found that manually created Interface Groups come before OpenVPN rules. I also found that if you have multiple interface groups then they are processed in alphabetical order.
I have three Interface groups: Local for all my local subnets, Clients for local client subnets, and IoT for local IoT subnets. They were processed in the following order: Clients, IoT, Local. When I renamed Local to All_LAN and made a minor change to the rules so they were rewritten, the order changed to All_LAN, Clients, IoT, which is the order I wanted.
I realize I probably don't need so many subnets, but using Interface groups and RADIUS to assign VLANs made it easy to set up. I have a VLAN for each person in my household in the Clients Interface Group and my IoT devices are in different VLANs by type. It was simple using FreeRADIUS.
Hello. Yes, all is working; after some research I found something concerning virus protection.
But now my problem is: I have to disable my Bitdefender firewall to access my network. Does someone know how to enable the Bitdefender firewall and add an exception?
Thanks a lot
I'm so sorry to be so stupid, I was focused on my local network and forgot the client configuration and to change the IP --'
I put my public IP and all works fine now.
Thanks a lot all for your help.
Have a great day (it's my birthday today :p = 30yo)
By the way, tap mode changes almost nothing in the scenario. The only difference is that the tunnel network is no longer point-to-point and has broadcast semantics resembling a typical ethernet LAN. Client configuration and routing are still pretty much the same and if you can't get tun mode working properly you won't get tap mode working either.