How to put router before pfsense 22.01 firewall

stephenw10

You can't screw it up too badly, you can just remove pfSense to get access to the VPN router again if you need to.
Basically:

{Public WAN IP/VPN}--[WAN VPN_Router LAN]-10.105.17.1----10.105.17.2-[WAN pfSense LAN]-192.168.1.1----192.168.1.100-[client]

rupocinski

This post is deleted!

stephenw10

Yes, you would need to change those statically configured devices to be in the same subnet.

Or you can use the 10.105.17.0/24 subnet on the pfSense LAN and change the VPN-router LAN to be some other subnet.

Clients in a 192.168.1.X subnet behind pfSense will be able to reach 10.105.17.X addresses because that is in the default route. pfSense will route between the subnets.

Of course it would still be better to just use the OpenVPN client in pfSense directly and not have two subnets at all.

Steve

rupocinski

This post is deleted!

Gertjan

@rupocinski said in How to put router before pfsense 22.01 firewall:

I read forums and worked with ExpressVPN techs and still could not

Upfront, I use "2.6.0 CE", not "pfSnse Plus 22.0x".
I'm not working for ExpressVPN (support) but I'm in the 'assisting' : I work for a hotel.

In the OpenVPN forum I've posted two ( ? ) step by step OpenVPN with Express setups.

I have the OpenVPN client still 'ready to go', let me start it up :

there. Connected. So pfSense 2.6.0 works with ExpressVPN.
And yes, I'm using "usa-sanfrancisco-ca-version-2.expressnetw.com:1195" as the ExpressVPN other side end point. I do pay ExpressVPN every month "just to have a VPN ISP for the day I need one". Never found the reason, but that's another story.

I've not set up the other second half of the needed setup, the routing part.
Connecting, making the tunnel, to a VPN ISP is one thing.
Having traffic, like some LAN devices, or just one LAN, or all the LAN networks being routed over this tunnel instead of the default WAN interface needs some more setup.

The somewhat outdated documentation on the ExpessVPN site uses an older version of pfSense and, more important, presumes older OpenVPN "2.4.x" version.
pfSense 2.6.0 (probably also 22.0x) uses OpenVPN 2.5.4.

Go to to pfSense OpenVPN forum, use my name, look up all the posts that are ExpressVPN related, and you will find, I hope, useful information.

Also, I have a ISP router before my pfSense, and this is IMHO the most common setup. Not that this is important when you want to use the OpenVPN client. This only matters when you want to use the OpenVPN server, as the 1194 UDP port has to be natted to pfSense in the upstream router.

I'm not an ExpressVPN fan or so, and as said, I never actually used their services (yet I'm stupid enough to pay them ?!? - and they are not what I call cheap).
Express proclaims to use OpenVPN on their side as the server part. So OpenVPN on the pfSense client side should work.
Now you know it does. I hope I convinced you that, as you use the same software on your side as I do, pfSense, you can make it work.

And yes, creating an OpenVPN connections is not easy. They never was, and never will be. It's a beast will a lot of options, as it is an open source thing and everybody (the entire planet by now ?) wanted options in it.

stephenw10

They don't need to be in the same subnet. pfSense routes between the subnets. The same way you can reach 8.8.8.8 or any other IP that is not in your subnet. You will be able to access the VPN-router from a client on the pfSense LAN.

There is no special work-around required to use pfSense as an OpenVPN client in 22.01. It just needs to be configured correctly. It will work if it is.
So far we have nothing to use to diagnose whatever issue you might have been having.
If you can post the OpenVPN logs with the connection error(s) then we can offer guidance.

Steve

rupocinski

This post is deleted!

bingo600

Removed, as it clutters up the OP's topic

/Bingo

stephenw10

@rupocinski said in How to put router before pfsense 22.01 firewall:

I got the openVPN up and running

So Status > OpenVPN showed the client as UP with traffic passing?

but the interface would not connect

What interface? The assigned OpenVPN interface?
If the OpenVPN tunnel was up that interface would show as connected.

Steve

rupocinski

@bingo600
Ok so what I want to do is have a vpn for encryption then my firewall then a the dhcp router. I just wanted to use the pfsense as the firewall so that means I would always be connected to VPN. I am worried about security. I know the firewall is good but would feel better with a vpn in place. Not really happy with expressvpn subscriptions up in sept so not renewing it. Would like another alternative to this whole configuration setup. So you use your VPN now and then not all the time. Sounds like a good setup. What advice do you have for me at this point you know what I want to do, firewall the DHCP firewall had issues dropping clients at times so I thought why not use it and put a router behind it to handle the DHCP which are all static routes anyway with MAC. Just want to be secure. I setup the pfsense as it was supposed to be and I did Pfblocker also. Will install Snort also.

bingo600

@rupocinski
I'm sorry i "Polluted" your thread, shouldn't have done that.

I think you should continue your debugging with @stephenw10
And get the OpenVPN working on pfSense.
That would give you some experience with pfSense configuration, and the basic idea of OpenVPN client setup.

The setup i have is not an easy setup to make, unless you're quite experienced in Linux , Networking and pfSense.

One thing though - Re. your issues.
You are not in a "VPN restricted country" are you ?
And have you tried without pfBlocker active ??

/Bingo

rupocinski

This post is deleted!

bingo600

@rupocinski
Please answer @stephenw10 's post here
https://forum.netgate.com/post/1036574

I'm also wondering which interface that is down ...
Is it the OpenVPN client interface ?

I haven't any experience in setting up a pfSense ExpressVPN Client setup, as i have always chosen to do the "VPN Provider VPN-tunneling" elsewhere.

My OpenVPN experience is in Lan2Lan or "Client Dialin" (RoadWarriors).

What does your Status --> System Logs --> OpenVPN show on "Client connect ?

rupocinski

This post is deleted!

stephenw10

Go to Status > OpenVPN. Does it show the client as connected with traffic passing?

If not go to Status > System Logs > OpenVPN and look for errors.

Steve

rupocinski

This post is deleted!

stephenw10

Ok so the OpenVPN looks something like this?

Screenshot from 2022-04-06 18-31-03.png

What exactly shows as down still on the dashboard?

@rupocinski said in How to put router before pfsense 22.01 firewall:

I tired my IP and it is my local so it is not connected to the interface

So by 'connected' you mean your traffic is still being routed via the WAN and not over the VPN?

You have to do this one step at a time. So the first thing to do is make sure the OpenVPN client is actually connected to the server.

Then try to ping something over it. So go to Diag > Ping and ping google.com with the source IP set as the VPN like:
Screenshot from 2022-04-06 18-36-20.png

bingo600

@rupocinski

So it's the "Interface you're talking about is displayed like this on the dashboard

But with a "Red Down arrow" ?

And your Status --> OpenVPN

Shows something like this , where Status is "up" ??

Do you have any Numbers at "Bytes Sent" & "Received" ?

/Bingo

stephenw10

Yeah, if you have an assigned OpenVPN interface (which you must to policy route across it) the interface status should reflect the OpenVPN tunnel status.

bingo600

@rupocinski

Are you using Windows 7/8/10

You have a built in "Snipping tool" , where you can "Cut out parts of the screen image"

After that you can "Copy" the image in the "snipping tool" , and then "paste it in the pfSense message" (CTRL-V)

Some screen images from you , would be super helpful.

/Bingo