Netgate Discussion Forum
    PIA works great BUT can't get pfSense to use public IP

    Category: OpenVPN | 8 Posts, 5 Posters, 1.7k Views
    blacklotus

      I searched and searched but couldn't find an answer to this question, so I'm gonna post this here:

      Ok, so I set up Private Internet Access according to the tutorial here: https://www.privateinternetaccess.com/pages/client-support/pfsense

      I want almost all client traffic using PIA; that works great, but I don't want EVERYTHING using it.
      Within the firewall rules I am able to make exceptions for certain types of traffic/devices by choosing the actual interface gateway (not the PIA gateway) in the advanced options.

      However, I can't seem to have communications FROM the firewall WAN interface use its real IP address.
      DDNS from the firewall registers the PIA address
      IPsec originates and identifies as the PIA address
      Same with GRE or any other type of service
      I want to use port forwarding for certain types of services to/from the WAN IP

      The following things have had no effect:
      I've tried defining it in the firewall rules/advanced on both the WAN/LAN interfaces
      I've tried defining outbound source NAT on any traffic originating from the firewall

      This leads me to believe that I need to resolve this from within the OpenVPN client with one of the settings or switches, because nothing else that I can think of seems to have an effect on this.
      Am I on the right track, and is there anything that can help me to ensure that traffic originating from the firewall uses the actual WAN IP and not PIA?

      cmb

        Don't pull routes in the OpenVPN client, rely on policy routing to send it across. You're letting PIA set your default gateway to them.

        blacklotus

          Thanks so much, that did the trick!
          EDIT - It only worked for an hour or so. I'm assuming that when the OpenVPN service reset, the IPsec VPN tunnel came up with the real IP before the PIA OpenVPN got established.
          OpenVPN is STILL forcing all traffic from the WAN side to use the PIA tunnel.

          Do I need to select BOTH options, or will just the first one (don't pull routes) do?

          Pippin

            If you "Don't pull routes" then there are no routes to add/remove via route-up script  ;)
            So, the second option doesn't need to be ticked.


            opticalc

              Can someone tell me why tutorial step 16 has you duplicate all those rules, but using the PIAVPN network? And the rules that are already there don't make much sense to me; isn't ISAKMP going to get established from the WAN side, out the base internet connection, out to PIA in order to establish the tunnel?

              Why are those rules in there with loopback and private IP networks?

              blacklotus

                @Pippin:

                If you "Don't pull routes" then there are no routes to add/remove via route-up script  ;)
                So, the second option doesn't need to be ticked.

                So I guess it didn't actually work in the long run.
                When I checked the boxes and reset the service it did work for a little bit, but OpenVPN still seems to override my gateway settings.
                The dead giveaway is my DynDNS results.

                What else should I try here?

                whosmatt

                  @opticalc:

                  Can someone tell me why tutorial step 16 has you duplicate all those rules, but using the PIAVPN network? And the rules that are already there don't make much sense to me; isn't ISAKMP going to get established from the WAN side, out the base internet connection, out to PIA in order to establish the tunnel?

                  Why are those rules in there with loopback and private IP networks?

                  If you're talking about rule 6 where you're setting up outbound NAT rules, it's because in order for machines behind pfSense to get access through PIA they need to have their private IP address NAT'ed to the IP assigned to the OpenVPN interface. It works exactly the same in a networking sense as NATing to your public IP address.

                  whosmatt

                    @blacklotus:

                    However, I can't seem to have communications FROM the firewall WAN interface use its real IP address.
                    DDNS from the firewall registers the PIA address
                    IPsec originates and identifies as the PIA address
                    Same with GRE or any other type of service
                    I want to use port forwarding for certain types of services to/from the WAN IP

                    Heh. I'm having the exact opposite problem. I'm trying to get pfSense to send DNS queries out over a PIA tunnel, but they keep coming from the WAN interface instead. Can you post your routing table? You can get it from the GUI with Diagnostics > Routes or from the command line with "netstat -r".

                    EDIT:  If you do post your routing table you should obfuscate your public IP address.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.