OVPN route to 0.0.0.0/0 via a static route with LAN GW
-
How to configure pfsense so that OVPN clients (10.1.0.0/24) can route to any address 0.0.0.0/0 but through gateway 10.0.0.1
By default, all OVPN clients (10.1.0.0/24) have a route to 0.0.0.0/0 through NAT on the WAN
specifically all OVPN clients (10.1.0.0/24) have a route to 192.168.0.0/16 via a static route with GW 10.0.0.1
Requires all OVPN clients (10.1.0.0/24) to have a route to 0.0.0.0/0 via a static route with GW 10.0.0.1
-
WAN 1.1.1.10/24
def GW 1.1.1.1LAN 10.0.0.10 /24
GW 10.0.0.1Statik route
192.168.0.0/16 GW 10.0.0.1OVPN clients have 10.1.0.0/24
-
@andrewr_net
What do you mean with "OVPN clients"?
Are these clients connected to your OpenVPN server or are these local devices, which you try to route over a VPN? -
@viragomann said in OVPN route to 0.0.0.0/0 via a static route with LAN GW:
these clients connected to your OpenVPN server
these clients connected to my OpenVPN server
-
@andrewr_net
And you want to route the clients to a certain gateway, which is connected to pfSense LAN?
Or is 10.0.0.1 the LAN IP of pfSense? -
@viragomann
yes
route the clients to a certain gateway, which is connected to pfSense LAN?
10.0.0.1 the IP of another gateway not PF -
@andrewr_net
So you have to policy route the traffic to that gateway. -
?-->!
-
@viragomann
Can you tell me more, can you show a screenshot? -
@andrewr_net
You have to add 10.0.0.1 as the gateway first (System > Routing > Gateways) if you haven't done this already.In the settings of the respective OpenVPN server you need to check "Redirect gateway" to push the default route to the clients.
Then on the OpenVPN tab add a pass rule for the concerned tunnel network as source, destination any, open the Advanced options, go down to gateway and select that one you have added above.
Put this rule to the top of the OpenVPN rule set.If there is no route back to the OpenVPN tunnel network behind pfSense (on the LAN gateway) you need also an outbound NAT rule for masquerading:
The Outbound NAT must be set to hybrid mode. Then add a rule:
interface: LAN
source: the respective VPN tunnel pool
dest: any
translation: interface addressThink, it should work with these settings.
-
@viragomann said in OVPN route to 0.0.0.0/0 via a static route with LAN GW:
You have to add 10.0.0.1 as the gateway first (System > Routing > Gateways) if you haven't done this already.
In the settings of the respective OpenVPN server you need to check "Redirect gateway" to push the default route to the clients.
Then on the OpenVPN tab add a pass rule for the concerned tunnel network as source, destination any, open the Advanced options, go down to gateway and select that one you have added above.
Put this rule to the top of the OpenVPN rule set.
If there is no route back to the OpenVPN tunnel network behind pfSense (on the LAN gateway) you need also an outbound NAT rule for masquerading:
The Outbound NAT must be set to hybrid mode. Then add a rule:
interface: LAN
source: the respective VPN tunnel pool
dest: any
translation: interface address
Think, it should work with these settings.here is the magic line i needed, thank you so much
I will check and let you know
-
all work fine!
-
@andrewr_net
That’s what we call “policy routing“. - 10 days later
-
Hi
May I add a subtask to this topic? I added a second WAN2 provider. Now I haveWAN 1.1.1.10/24
GW 1.1.1.1WAN2 2.2.2.10/24
GW2 2.2.2.2Can you tell in one picture how to make any incoming traffic to the WAN interface go through GW, and any incoming traffic to WAN2 go through GW2
Should I tag (TAG) incoming traffic and wrap the response to this traffic through the appropriate GW?
-
@andrewr_net
Everything worked, it turns out that in the Rules --WAN(1,2) -- Advanced ---GateWate settings, you had to leave Default. Before that, I changed it to the corresponding to WAN (1,2) GW (1,2) -
@andrewr_net
Also you have to ensure that a pass rule on WAN1/2 is applied to the incoming traffic, but not one on an interface group (in case you plan to create one) and not a floating rule.With the rules on the WAN interface tabs, pfSense tags incoming connections automatically with "reply-to" (gateway). This is not the case for the other rules, since these rule could be applied to multiple interfaces.
-
@viragomann
One more question please. VLANs. What is the general concept if I want VLANs to work through PFSENSE? In this case, PFSENSE, as the core of the network, has OVPN and IPSEC clients. Should I want VLAN111 on the OVPN1 client to see VLAN111 on the OVPN2 client, or even more VLAN111 to see on the IPSEC1 client?