system routing with default gateway set to ovpnc interface
-
Hi all,
Starting to think this isn't possible, but here's to hope that I'm an idiot and this is actually really easy. pfSense CE v2.6
Set /system/routing/gateways - Default gateway IPv4 to any WAN gateway, then all is well.
Set the default gateway to any ovpnc gateway; cannot check for updates or view available packages (everything else works fine). diagnostics/routes lists the ovpnc default on lo0.
Static routes are configured for the ovpnc connections; the goal is to have all other traffic pass through the ovpnc interface, including system traffic for updates, NTP and package management.
Thanks!
-
@simpletechguy
Setting a VPN remote endpoint as default gateway is a pretty bad idea in general.
If the VPN is down it cannot be used and doesn't work. If you want to use the OpenVPN as default gateway, go into its settings and enter 0.0.0.0/0 into the remote networks box instead.
-
Hi @viragomann, thank you so much. I had completely forgotten about 0.0.0.0. I was hoping to maintain a little more control over the routing if possible, but this is a great start! Thank you!
@viragomann said in system routing with default gateway set to ovpnc interface:
Setting a VPN remote endpoint as default gateway is a pretty bad idea in general.
If the VPN is down it cannot be used and doesn't work. Yes, I agree, it is a bad idea lol, but I do have multi-WAN, and also multiple VPN clients set up with failover. Wondering if failover would continue to work if I were to set 0.0.0.0/0 on two VPN clients? And how to control which client is routed first.
-
@simpletechguy
I expect that the client which started up last grabs the default route. Apart from this, the failover group should not have an impact on the default route over the VPN.
However, if you want more control over VPN routing, remove the default route from the client settings again and assign a gateway to each if you haven't already done so.
Then you get a gateway for each VPN, which you can use in gateway groups. You can also configure multiple gateway groups for different purposes, e.g. for policy routing. But consider that in the gateway group which you set as default gateway, you also have the WAN included, possibly with the lowest priority.
-
@viragomann
Thanks again for all your suggestions. The default routes are currently set up for all the VPN clients and all my rules are set up with policy routing.
The main problem is that I can't find a way to manually set the default route for the system itself (e.g. the 127.0.0.1 default route). It really doesn't make any sense to me. I should be able to set the default gateway in /system/routing/gateways/ to any available gateway and all system traffic should route through that default gateway, but it just doesn't work. I do already have a manual outbound NAT rule for localhost to the ovpnc client gateway. If I set the default gateway to a WAN interface then the firewall itself reaches out to the internet, but if I set the default gateway to an ovpnc interface then routing stops for the firewall localhost, although all other policy routing is passed correctly for the other interfaces.
When I try to ping from the firewall, a lo0 state is added to the state table showing the localhost ping, but routing fails. Packet capture on localhost shows the ping but no response, and it always results in TTL exceeded in transit. The firewall logs the traffic outbound from the loopback interface as pass, but fails to route it through any gateway.
I can't seem to find any way to add a policy route for localhost.
I thought it might have something to do with reply-to on WAN and Disable Negate rules, but I've toggled them both and tested with no joy.
-
@simpletechguy
pfSense itself respects the setting of System > Routing > Gateways > Default Gateway. As said above, don't force the traffic over a VPN only. You can use gateway groups with WANs and VPNs mixed if you want.
When you include a VPN into the default gateway group, you need to add an outbound NAT rule for the source 127.0.0.0/8 to the respective VPN interface so that pfSense can communicate with the outside world.
-
Sorry to bring this back up, but I'm still struggling with this. I really don't understand how the firewall can perform system updates and check for packages through a VPN client interface only when the VPN client is set to tier 1 in a gateway group that includes a WAN interface. But then it doesn't work if the same VPN client is set as the only default gateway or if the gateway group does not include any WAN interfaces. It seems to me that if the system can route an update check through the VPN client gateway when it is in a gateway group with a WAN interface, then it should also be able to perform the same update check when no WAN interfaces are assigned.
So with these settings I can do updates and they appear to go through the ovpnc1 interface:
- default gateway IPv4 = gateway group (ovpnc1 (tier 1) & wan (tier 2))
- default gateway ipv6 = none
- Outbound NAT = ovpnc1 | 127.0.0.0/8 | ovpnc1 address
But with these settings, updates do not work:
- default gateway ipv4 = ovpnc1
- default gateway ipv6 = none
- Outbound NAT = ovpnc1 | 127.0.0.0/8 | ovpnc1 address
The firewall can also perform updates over ovpnc1 when the static routes for 0.0.0.0/1 and 128.0.0.0/1 are configured, but this is something that I want to avoid as well.
So, I do understand the logic of not using the VPN client as the only gateway, because if the VPN client goes down, then you lose internet, but this is exactly what I want to happen. I've tested with OPNsense and it is possible on that platform to achieve this, but using the same options with pfSense doesn't work.
The end product would look something like this:
- default gateway ipv4 = ovpnc1
- all !rfc1918 traffic from LAN policy routes to ovpnc1
- pfsense updates and package management policy routes ovpnc1
- all other traffic is blocked
Everywhere I've looked so far, people are just saying it doesn't work, but nobody is providing any explanation as to "why" it doesn't work. It just doesn't make sense and it seems to me that it should work, but isn't recommended.
I'm going to try creating static routes for the Netgate update servers over the VPN client interface and see if that helps at all. As far as I can tell this all seems to boil down to the routing table, but which route is causing the problem, I can't figure out.
-
I figured it out, a static route to pkg00-atx.netgate.com and pkg01-atx.netgate.com over the ovpnc gateway works.
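The three configurations that come up above (the two /1 routes installed by 0.0.0.0/0 in the client's remote networks, the per-host static routes to the update servers, and the bare default pointing at the ovpnc gateway that ends up on lo0) all come down to which entry wins longest-prefix match in the routing table. The following is an added example and is not from the thread, from the posters, or from pfSense: it replays that match over constructed, netstat -rn style tables. The tunnel subnet 10.8.0.0/24, the WAN subnet 203.0.113.0/24 and the "update server" 198.51.100.10 are made-up stand-ins (documentation ranges), not Netgate addresses, and the lo0 table only mirrors what the poster reported seeing under Diagnostics > Routes; the script shows where the kernel would hand each packet, not why pfSense installed the route that way.

```python
"""Longest-prefix-match walk over constructed FreeBSD/pfSense-style route tables.

Added example (not the thread's or pfSense's code). Route entries are
(prefix, gateway, interface); "link" marks a directly connected network.
"""
import ipaddress

# Constructed addresses: TEST-NET ranges and a made-up tunnel subnet.
# UPDATE_SERVER stands in for a package mirror; it is not a real Netgate host.
WAN_GW = "203.0.113.1"
VPN_GW = "10.8.0.1"
UPDATE_SERVER = "198.51.100.10"
OTHER_HOST = "198.51.100.200"

CONNECTED = [
    ("192.168.1.0/24", "link", "lan"),
    ("203.0.113.0/24", "link", "wan"),
    ("10.8.0.0/24", "link", "ovpnc1"),
    ("127.0.0.0/8", "link", "lo0"),
]

# 1. WAN as default gateway: the configuration the poster reports as working.
TABLE_WAN_DEFAULT = CONNECTED + [("0.0.0.0/0", WAN_GW, "wan")]

# 2. ovpnc1 selected as default gateway; the poster sees the resulting
#    default listed on lo0. A packet whose best route points back into the
#    loopback never leaves the box, which is consistent (no more than that)
#    with the "TTL exceeded" symptom reported above.
TABLE_DEFAULT_ON_LO0 = CONNECTED + [("0.0.0.0/0", VPN_GW, "lo0")]

# 3. 0.0.0.0/0 in the OpenVPN client's remote networks. OpenVPN's
#    redirect-gateway "def1" idiom installs two /1 routes that out-rank the
#    WAN /0 on prefix length without replacing it.
TABLE_DEF1 = CONNECTED + [
    ("0.0.0.0/0", WAN_GW, "wan"),
    ("0.0.0.0/1", VPN_GW, "ovpnc1"),
    ("128.0.0.0/1", VPN_GW, "ovpnc1"),
]

# 4. WAN default plus a /32 host route for the update server over the tunnel:
#    the fix the poster settled on. Only that host moves to ovpnc1.
TABLE_HOST_ROUTE = CONNECTED + [
    ("0.0.0.0/0", WAN_GW, "wan"),
    (UPDATE_SERVER + "/32", VPN_GW, "ovpnc1"),
]


def lookup(routes, dst):
    """Most specific (longest prefix) entry matching dst, or None.

    Returns (prefix, gateway, interface). Ties on prefix length keep the
    first entry listed, which is enough for these tables.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def egress(routes, dst):
    """Interface the kernel would hand a packet for dst to, or None."""
    hit = lookup(routes, dst)
    return None if hit is None else hit[2]


def summarize(tables, destinations):
    """{table name: {destination: egress interface}} for a quick side-by-side."""
    return {name: {d: egress(t, d) for d in destinations} for name, t in tables.items()}


if __name__ == "__main__":
    tables = {
        "wan-default": TABLE_WAN_DEFAULT,
        "default-on-lo0": TABLE_DEFAULT_ON_LO0,
        "def1-split": TABLE_DEF1,
        "host-route": TABLE_HOST_ROUTE,
    }
    for name, result in summarize(tables, [UPDATE_SERVER, OTHER_HOST]).items():
        print(f"{name:15s} {result}")
```

On a real pfSense box the same question is answered from the shell with `netstat -rn` (the whole table) or `route -n get 198.51.100.10` (the single entry that would be used), which is a quicker way to confirm which route is winning than toggling gateway settings. The script also makes the trade-off in the fourth table explicit: a /32 per update host only covers the hosts you listed, so a renamed or added mirror falls back to the WAN default, whereas the two /1 routes catch everything.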
-
@simpletechguy please tell me how you did it. I also can't get pfSense to connect to GeoIP database updates via VPN.
-
All OK. I created an alias with a list of domains where I need the router to go through the VPN. Created a static route with this alias as the NETWORK and selected the VPN gateway. Did you do the same?