Netgate Discussion Forum

Need help configuring PfSense on Protecli Vault

NAT
  • F
    fiyawall
    last edited by Aug 23, 2022, 10:09 PM

    Hi, first time posting, hopefully I'm in the right spot.

    I'll make my question general to start with.

    I have a book with instructions for configuring PfSense 2.6 on my Protecli Vault. I reach a point where the instructions are not matching what I see on the PfSense interface. So possibly the book is guiding me in an outdated way.

    I'm wondering if I could post the instructions, point out where I get lost, and if someone could help me accomplish the instructions.

    Thanks.

    • A
      akuma1x @fiyawall
      last edited by Aug 24, 2022, 1:32 AM

      @fiyawall Post them, we're here to help.

      • F
        fiyawall @akuma1x
        last edited by fiyawall Aug 24, 2022, 3:34 AM Aug 24, 2022, 3:20 AM

        @akuma1x !

        Ok let me know if you need the previous instructions. These instructions are after clicking on OPT4, which I created under previous instructions. I’ll note the section I get lost at. Everything prior to that has been done.

        START

        -Enable “Enable Interface”

        -Provide a “Description” of “OVPNC”

        -Enable “Block Bogon networks“

        -Click “save” then “Apply Changes”

        -Navigate to “Firewall” > “NAT”

        -Click on “Outbound” at the top

        -For “Outbound NAT Mode”, select “Manual Outbound NAT rule generation”

        -Click “Save” then “Apply Changes”

        the following step is where I’m unable to execute

        -in the lower portion of the screen, click the pencil icon (edit) next to the option with a description similar to “Auto created rule - LAN to WAN”

        *** there is no pencil icon in the lower portion of the screen. I searched everywhere within NAT and couldn’t figure out how to do this. I’ll post the remaining instructions just to show what is supposed to be accomplished***

        -Change the “Interface” option of “WAN” to “OVPNC” and click “Save”

        -In the lower portion of the screen, click the pencil icon (edit) next to the option with a description similar to “Auto created rule for ISAKMP - LAN to WAN”

        -Change the “Interface” option of “WAN” to “OVPNC”

        -Click “Save” then “Apply Changes”

        END

        Once I got that step I’m lost and cannot proceed. If anyone can help me accomplish this, thank you.

        • G
          Gertjan @fiyawall
          last edited by Aug 24, 2022, 8:17 AM

          @fiyawall said in Need help configuring PfSense on Protecli Vault:

          -Navigate to “Firewall” > “NAT”
          -Click on “Outbound” at the top
          -For “Outbound NAT Mode”, select “Manual Outbound NAT rule generation”
          -Click “Save” then “Apply Changes”
          the following step is where I’m unable to execute
          -in the lower portion of the screen, click the pencil icon (edit) next to the option with a description similar to “Auto created rule - LAN to WAN”

          On the Outbound tab,
          You have selected “Manual Outbound NAT rule generation”
          and then the blue Save button
          And then the Apply button at the top right.

          You'll see

          login-to-view

          and I do have a LAN rule named "Auto created rule - LAN to WAN" with a pencil.

          Btw : I'm using 22.05, and I guess 2.6.0 is identical.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • F
            fiyawall @Gertjan
            last edited by fiyawall Aug 24, 2022, 3:38 PM Aug 24, 2022, 3:34 PM

            @gertjan hi thanks for this.

            However, under the “Mappings” header, it is just completely blank I have none of those options.

            I can’t figure out how to post a screenshot can anyone tell me how? I only see a button to “link image url”.

            • A
              akuma1x @fiyawall
              last edited by Aug 24, 2022, 3:48 PM

              @fiyawall said in Need help configuring PfSense on Protecli Vault:

              I can’t figure out how to post a screenshot can anyone tell me how? I only see a button to “link image url”.

              You need to have software on your computer to take a screenshot. Don't know if Windows has that built in or not, but a Mac does. Anyway... take a screenshot of the area you want to post online, then simply drag the picture into the comment box that you type into, and it drops it right in.

                • G
                  Gertjan @fiyawall
                  last edited by Aug 24, 2022, 3:52 PM

                  @fiyawall
                  Add your own mappings.
                  Forget about the lines 500 (ISAKMP), as you probably do not need them.

                  Add your mapping rules for 127.0.0.0/8 - WAN and all your interfaces, like mine :
                  192.168.1.0/24 WAN ( my LAN )
                  192.168.2.0/24 WAN (my OPT1 )
                  192.168.3.0/24 WAN (my OPENVPNINTERFACE)
                  192.168.100.0/24 WAN (another OPT2)

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  • F
                    fiyawall @akuma1x
                    last edited by fiyawall Aug 24, 2022, 3:53 PM Aug 24, 2022, 3:53 PM

                    @akuma1x

                    I don't know why that confused me. I guess I was looking for an upload tab. Thanks.

                    Well, here it is:
                    login-to-view

                      • F
                        fiyawall
                        last edited by fiyawall Aug 24, 2022, 6:15 PM Aug 24, 2022, 6:14 PM

                        Not sure what to do. It seems like pfsense 2.6 doesn’t have the same display on the outbound section. Maybe I could download 2.5 somewhere? Any ideas?

                        • the otherT
                          the other @fiyawall
                          last edited by Aug 24, 2022, 8:43 PM

                          @fiyawall
                          Hey there,
                          Have you tried clicking one of the "add" buttons (green)?
                          Then just fill in as shown in Screenshot posted by @Gertjan
                          Then "save" or apply...

                          No, you should not look for an older pfsense version, rather look for a newer book. Or still better, read that book. Try to understand the way it works then apply that knowledge no matter how the gui looks...basics do not change. :)
                          Also, netgate's documentary is quite good...

                          the other

                          pure amateur home user, no business or professional background
                          please excuse poor english skills and typpoz :)

                          • F
                            fiyawall @the other
                            last edited by Aug 25, 2022, 2:17 AM

                            @the-other

                            Thing is I honestly don’t even understand what I’m doing, so I don’t know how to follow those instructions above for manually mapping.

                            I’m a total novice when it comes to this stuff. I was following step by step instructions until that one point.

                            • G
                              Gertjan @fiyawall
                              last edited by Aug 25, 2022, 6:56 AM

                              @fiyawall

                              Setting up pfSense doesn't need you to visit the Outbound NAT page, let alone remove it from Automatic outbound NAT rule generation. (IPsec passthrough included) to Automatic outbound NAT rule generation. (IPsec passthrough included) or the hybrid mode.

                              Depending on the interfaces you created, you should have this :

                              login-to-view

                              and this will work out of the box.

                              When you see "(IPsec passthrough included)" and you don't use, or don't plan to use IPSEC, you might as well delete (or not create) the rule that mentions "Auto created rule for ISAKMP ".

                              You know that the page is on the NAT tab.
                              What this means (my words, so bear with me):

                              login-to-view

                              For devices on any LAN type network (LAN, OPTx, OpenVPNclient instance), for any outgoing connections from this LAN to the WAN, LAN addresses in the traffic have to be remapped from, for example, 192.168.100.2 to the WAN address, and then sent to the destination somewhere on WAN (somewhere on the Internet).
                              When info comes back, pfSense knows now how to remap the traffic (packets) back again to the right LAN type address.

                              When you have a multi WAN setup, or a WAN plus an OpenVPN client setup, you might want to choose what traffic, from what LAN, goes to what WAN or outgoing interface.

                              That's where this page comes into play.

                              For 95 % of all pfSense users, you will never have to visit this page.

                              Now read Outbound NAT.

                              And tell me, what documentation are you reading, that it tells you to edit these settings ?
                              I'll bet it's related to an OpenVPN client setup ;)

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??
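The mapping behaviour described in the post above, as an added example that is not part of the original thread: it checks which local networks a set of manual outbound NAT mappings translates on the WAN and on the VPN interface. The interface names WAN and OVPNC come from the thread; the subnets, interface addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: manual outbound NAT mappings as (interface, source network).
# Interface names follow the thread (WAN, OVPNC); the subnets are illustrative.
MAPPINGS = [
    ("WAN", "127.0.0.0/8"),
    ("OVPNC", "192.168.1.0/24"),
    ("WAN", "192.168.2.0/24"),
    ("OVPNC", "192.168.2.0/24"),
    ("WAN", "192.168.3.0/24"),
]
# Constructed sample: local networks behind the firewall.
LOCAL_NETS = {"LAN": "192.168.1.0/24", "OPT1": "192.168.2.0/24",
              "OPT2": "192.168.3.0/24", "OPT3": "192.168.100.0/24"}
# Constructed sample: address each outgoing interface translates to.
IF_ADDR = {"WAN": "203.0.113.10", "OVPNC": "10.8.0.2"}


def nat_interfaces(cidr, mappings):
    """Interfaces on which a mapping covers the whole source network."""
    net = ipaddress.ip_network(cidr)
    hits = set()
    for ifname, src in mappings:
        src_net = ipaddress.ip_network(src)
        if src_net.version == net.version and net.subnet_of(src_net):
            hits.add(ifname)
    return hits


def audit(local_nets, mappings, vpn_if="OVPNC", wan_if="WAN"):
    """Classify each local network by where manual mode will translate it."""
    report = {}
    for name, cidr in local_nets.items():
        hits = nat_interfaces(cidr, mappings)
        if vpn_if in hits and wan_if in hits:
            report[name] = "vpn+wan"   # still translated if routed out the WAN
        elif vpn_if in hits:
            report[name] = "vpn-only"
        elif wan_if in hits:
            report[name] = "wan-only"  # never translated on the tunnel
        else:
            report[name] = "no-nat"    # manual mode: no mapping, no translation
    return report


def translate(src_ip, out_if, mappings, if_addr):
    """Source address a packet carries after leaving out_if, or None if unmapped."""
    ip = ipaddress.ip_address(src_ip)
    for ifname, src in mappings:
        if ifname == out_if and ip in ipaddress.ip_network(src):
            return if_addr[out_if]
    return None
```

An empty mapping list in manual mode puts every network in the `no-nat` class, which is the state the blank "Mappings" table earlier in the thread corresponds to.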

                              • F
                                fiyawall @Gertjan
                                last edited by Aug 25, 2022, 6:30 PM

                                @gertjan

                                It is from a book focused on privacy. So the goal is to install pfsense on my protecli firewall which routes all my internet traffic through my ProtonVPN.

                                Apparently this step is where this is made possible. I’ve already configured the router and the ports and everything.

                                Maybe if I supplied the text in the book it might help. I’ll try to decipher what you wrote here

                                • G
                                  Gertjan @fiyawall
                                  last edited by Aug 26, 2022, 9:25 AM

                                  @fiyawall

                                  So your issue isn't NAT, but more a how to set up an OpenVPN client to XXXVPN with pfSense as a client.

                                  This page https://protonvpn.com/support/pfsense-2-6-x-vpn-setup/ seems actual to me.

                                  Still, before you proceed, I advise you to read about the subject. Intermixed with some youtube videos. And even if they are old, look also the videos from here.

                                  If you don't 'master' this subject, you won't be adding security and privacy, it will be more a matter of danger (insecurity) for yourself, or plain routing issues.

                                  Btw : you are aware of the fact that everything that enters and leaves your home, through the WAN interface, is already TLS encrypted. If not, then stop now retrieving and sending mails "in clear", and stop visiting "http" sites, use only https sites ;)
                                  If DNS worries you, forward over TLS to some TLS capable DNS resolver like 1.1.1.1.
                                  Now, your ISP can only see the IPs you're visiting. IMHO, that can't be a big deal.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  • F
                                    fiyawall @Gertjan
                                    last edited by fiyawall Sep 5, 2022, 6:39 PM Sep 5, 2022, 6:32 PM

                                    @gertjan Hi so actually, the author of this book has some custom scripts on his website. This is to make the process easier for configuring the firewall.

                                    So I went ahead and uploaded a custom script with all the settings I need.

                                    However, my issue now is that in the "status" of "OpenVPN" is never showing as "up". It is either "pending" or "down" or "failed". See login-to-view :

                                    Part of the additional instructions is to designate a custom server IP address from my ProtonVPN service. Basically you choose a server from a list on ProtonVPN's site, and then download a file. I was instructed to open it in a text editor and identify the IP address and manually enter it. That way all my internet traffic is being routed through that specific server.

                                    However, the file looks like this: login-to-view

                                    If I enter any of those full IP addresses, it gives an error, saying it's not a valid address. When I use the root address 156.146.54.97, it will accept it. So I'm not sure if that is correct or not.

                                    In the end, my status on OpenVPN is not showing "up" and that's the end goal according to my instructions.

                                    Any ideas?

                                    1 Reply Last reply Reply Quote 0
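An added example, not part of the original thread, of reading server entries from a downloaded OpenVPN profile. The file in the post above is not visible on this page, so this assumes it lists servers with OpenVPN's `remote <address> [port] [proto]` directive; the profile text, the ports and the address 192.0.2.44 are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample profile. Only 156.146.54.97 is quoted in the thread;
# every port and the 192.0.2.44 entry are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 156.146.54.97 80
remote 156.146.54.97 443
remote 156.146.54.97 1194
remote 192.0.2.44 5060 tcp
# remote 198.51.100.1 1194
"""


def parse_remotes(text):
    """Return [(host, port, proto)] for every 'remote' directive in a profile."""
    defaults = {"port": "1194", "proto": "udp"}  # OpenVPN's built-in defaults
    remotes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        parts = line.split()
        if parts[0] in defaults and len(parts) > 1:
            defaults[parts[0]] = parts[1]        # profile-wide port/proto
        elif parts[0] == "remote" and len(parts) > 1:
            remotes.append(parts[1:4])
    return [(r[0],
             int(r[1]) if len(r) > 1 else int(defaults["port"]),
             r[2] if len(r) > 2 else defaults["proto"]) for r in remotes]


def is_bare_ip(value):
    """True only when the value is an IP address with nothing attached to it."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def server_fields(text):
    """Group ports by server address, so address and port can be entered separately."""
    grouped = {}
    for host, port, proto in parse_remotes(text):
        grouped.setdefault(host, []).append((port, proto))
    return grouped
```

Under that assumption, a value such as `156.146.54.97 80` fails `is_bare_ip` while `156.146.54.97` passes, and the port from the same line still has to match the port configured for the client.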
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.