pfsense as openvpn server behind fortigate 40F
-
Hello all,
After using pfSense for more than a decade as my primary router, which worked perfectly,
I have now gotten a new FortiGate 40F (to play with) as a new router. I am running some OpenVPN tunnels on the pfSense box (sitting behind the FortiGate)
and I would like to get this working again, as my tunnels are currently not able to connect.
Text layout of connections is:
internet/dsl modem >> DMZ>> fortigate
FortiGate has 3 connections that I can use for the VPN stuff:
(1) WAN to the internet
(2) my main LAN subnet >> connected to LAN port on the pfSense box (DHCP on LAN turned off)
(3) separate 172.16.x.y subnet to connect to the WAN side of pfSense
Port forwarding works on the FortiGate, and I am seeing "hits" on the Virtual IP (port forward rule).
I cannot get my tunnels to work.
Could someone please help me?
-
@dutchie said in pfsense as openvpn server behind fortigate 40F:
FortiGate has 3 connections that I can use for the VPN stuff:
(1) WAN to the internet
(2) my main LAN subnet >> connected to LAN port on the pfSense box (DHCP on LAN turned off)
(3) separate 172.16.x.y subnet to connect to the WAN side of pfSense
It's not gonna work this way.
Connect only a single pfSense interface to the Forti. I assume the devices which you want to access over the VPN are connected to 2. So remove this from pfSense. Also remove the interface IP or disable the interface.
I assume that you have already set the Fortigate 3 IP as default gateway on pfSense. Then nothing else should be necessary on pfSense to access LAN devices from your VPN.
Just allow it on the Forti.
If you also need to access the remote sites, go to the WAN settings and remove the "Block private networks" check.
And on the Fortigate add static routes for the remote networks and point them to the pfSense WAN IP and allow the desired traffic.
-
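As an added illustration of the layout Viragomann describes (example configuration, not from either poster): FortiOS CLI for the FortiGate side, covering the port-forward VIP to the pfSense WAN address, static routes for both the OpenVPN tunnel network and the remote site LAN via that same address (both sit behind pfSense), and a policy allowing the main LAN out to them. Interface names (wan, port3, internal), all addresses and UDP port 1194 are assumptions.

```fortios
# Added example, not the posters' configuration. Assumed addressing: FortiGate WAN
# 192.168.1.2 (placeholder, the modem's DMZ target); FortiGate "port3" 172.16.1.1 links to
# pfSense WAN 172.16.1.2; main LAN on "internal"; OpenVPN tunnel network 10.8.0.0/24;
# remote site LAN 192.168.10.0/24.
# 1. Port forward: UDP 1194 arriving on the WAN address goes to the pfSense WAN IP
config firewall vip
    edit "vip-openvpn-pfsense"
        set extintf "wan"
        set extip 192.168.1.2
        set mappedip "172.16.1.2"
        set portforward enable
        set protocol udp
        set extport 1194
        set mappedport 1194
    next
end
# 2. Static routes for the networks behind pfSense; next hop is the pfSense WAN IP,
#    so the FortiGate (the LAN's default gateway) knows where remote traffic goes
config router static
    edit 0
        set dst 10.8.0.0 255.255.255.0
        set gateway 172.16.1.2
        set device "port3"
    next
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set gateway 172.16.1.2
        set device "port3"
    next
end
# 3. Policy allowing the main LAN to reach the remote networks through pfSense
#    (stateful: return traffic matches the existing session)
config firewall policy
    edit 0
        set name "lan-to-remote-sites"
        set srcintf "internal"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The VIP also needs the usual WAN-to-port3 accept policy with the VIP object as destination address; the VIP hit counter mentioned in the question indicates that part is already in place.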
Hello Viragomann,
Thank you for taking the time to help me with this.
Let me clarify a bit more on how it is running:
Internet/DSL (modem has DMZ to WAN of FortiGate)
FortiGate has multiple interfaces:
1 for WAN
1 for internal main LAN (192.168.0.x)
1 acts as a WAN to the pfSense box
The pfSense machine was my previous router, and currently I want to use it as my VPN server, because my tunnels are all OpenVPN based (older consumer routers flashed with DD-WRT to create an OpenVPN tunnel, which has worked flawlessly for the last years).
As per your instructions, I've disabled the WAN interface on the pfSense box and added a static gateway (the internal IP of the FortiGate).
The "block private networks" has already been done.
Regarding the static networks: do you mean the tunnel network or the LAN-side network on the other side needs to be filled in?
Very much appreciate your help.
-
@dutchie said in pfsense as openvpn server behind fortigate 40F:
As per your instructions, I've disabled the WAN interface on the pfSense box and added a static gateway (the internal IP of the FortiGate).
No, my instruction was to remove pfSense from the LAN.
pfSense must not be connected to the same subnet as the devices you want to access from the VPN clients if it isn't the default gateway. Otherwise you would have to add static routes for the remote networks to any device you want to access.
-
Hello Viragomann,
The VPN devices are not connected to the LAN;
they are all outside of the LAN.
The pfSense is connected to the LAN and has an IP in the subnet of my LAN.
The devices that need to connect to the pfSense are the remote endpoints; they connect in as clients.