iPhone VPN into pfsense and not able to route to Internet
-
I have setup IPSEC/L2tp server correctly on pfsense. iPhone is able to connect to the Pfsense box successfully and assigned to an IP 10.0.2.129.
My LAN is 10.0.1.0/24
iphone is able to ping any IP in 10.0.1.0/24 no problem. And iphone is able to access web server within 10.0.1.0/24 as well, so TCP and ICMP are both working in LAN.
I have WAN interface, an OpenVPN interface that connect to VPN provider A, and Wireguard interface that connect to VPN provider B. So, there are a total of 3 outgoing interfaces. And finally one LAN interface.
The problem is, the iPhone can't route to internet via WAN interface. I can't route to the Wireguard interface too. However, I can successfully route to the OpenVPN interface and access Internet if I change the outbound NAT and point to openvpn interface. Why the WAN interface is not routable?
Firewall log also indicated I can NAT correctly
I did the outbound NAT as well
🔒 Log in to viewI also make sure this is 0.0.0.0/0 on phase 2 ipsec server as well.
-
Anyone can tell me where the problem is? The strangest part is that, if I change the outbound NAT point 10.0.2.0/24 to openvpn interface, iPhone then is able to access the Internet via openvpn public IP. However, change the outbound NAT point 10.0.2.0/24 back to WAN interface or wireguard interface, no internet access.
I suspect it might do with NAT rules because one out of three outgoing interface can access Internet....... Or rules in firewall? I really out of ideas...
-
@sdugoten
The traffic might obey the pfSense routing table. I guess, the OpenVPN is the default route on your pfSense.
So if you want to direct the VPN traffic to another gateway you need to policy route it. -
@viragomann said in iPhone VPN into pfsense and not able to route to Internet:
@sdugoten
The traffic might obey the pfSense routing table. I guess, the OpenVPN is the default route on your pfSense.
So if you want to direct the VPN traffic to another gateway you need to policy route it.I wonder where to see the default route? And if I can change the default route back to WAN instead of making policy routing? thanks.
-
@sdugoten said in iPhone VPN into pfsense and not able to route to Internet:
I wonder where to see the default route?
You can verify the routes in Diagnostic > Routes.
And if I can change the default route back to WAN instead of making policy routing?
Or course you can do this in System > Routing > Gateways > Default Gateway, but this affects the whole upstream traffic from pfSense, which is not policy routed.
-
@viragomann said in iPhone VPN into pfsense and not able to route to Internet:
@sdugoten said in iPhone VPN into pfsense and not able to route to Internet:
I wonder where to see the default route?
You can verify the routes in Diagnostic > Routes.
And if I can change the default route back to WAN instead of making policy routing?
Or course you can do this in System > Routing > Gateways > Default Gateway, but this affects the whole upstream traffic from pfSense, which is not policy routed.
Ok..indeed 0.0.0.0 points to the Openvpn gateway...I wonder where can I change this if I want 0.0.0.0 point to the WAN ip instead? And then I will just do policy routing if I really want to route thru the Openvpn or Wireguard VPN.
-
@sdugoten
I assume, that's an OpenVPN client.
So go to its settings and set a check at "Don't pull routes".Most VPN providers push the default route to the clients.