PfSense as OpenVPN Client
-
I suspect you are best to use a "not" rule. For example, on WIFI1, you want to route all traffic except for packets with destination (LAN or WIFI2), to WAN_DHCP.
a) Put the default rule back the way it was (so it will allow any packets that don't match special rules, and those packets will get routed by the normal routing table, e.g. WIFI1 to LAN, WIFI1 to WIFI2).
b) Add a rule to WIFI1 passing source WIFI1 Net, destination not LAN Net, gateway WAN_DHCP - this will not match traffic to LAN, so traffic to LAN will fall through to the default rule and get normal routing. All other traffic will head out WAN_DHCP. For you, (b) is not quite right. You really want "destination (not LAN) and (not WIFI2)". To do that, add an Alias which has the network IP ranges for LAN and WIFI2 in it - e.g. name it InternalIPs - then in (b) make the destination (not InternalIPs).
Essentially, you want a way to specify destination "all addresses not in my internal network", and do the policy-based routing to WAN_DHCP on those only. In your case, you can even use (not 192.168.0.0/16) - then if you add other 192.168.n.0/24 nets to your internal network in future, the rules will work. It would be handy if there was a "built-in" alias for the private IPv4 address space, then it would be easy for anyone to specify rules to match (private IPv4 address) and (not private IPv4 address) - hmm now I'm rambling:)
Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?
-
UPDATE: I went ahead and tried doing it the route-nopull way instead. Had some success!
I added the route-nopull command to the OVPN client config. This leaves my routing intact, I think. Then I added this OVPN client connection as an interface, named it "VPN". This made the VPN appear under "Gateways", but the default is still my usual ISP on WAN. Then, under "Outbound NAT", I removed all the rules, switched to automatic, saved, and then back to manual and saved. This created a number of rules apparently needed for this to work. Applied the changes.
Then I created rules for interfaces LAN, WIFI1, WIFI2. For all interfaces, I added three rules at the top that tell any traffic that has destination LAN, WIFI1, and WIFI2 to use default gateway (). For LAN and WIFI1 I then added a fourth rule at the bottom for any traffic with any destination to use the VPN gateway instead. So everything that isn't headed for LAN, WIFI1 or WIFI2 will go through the VPN instead. For WIFI2 I just set the fourth any rule to go through the default gateway (), so that one goes through my usual internet connection.
This actually worked!
The downside is that for some reason, this causes the CPU use of the pfsense machine to be at around 50% at IDLE. Load is 3,5-ish. This is without any heavy traffic over the VPN. When I use the VPN normally (before doing these latest changes), like downloading at 1 MB/s, I certainly see an increase in CPU use (like 20-30%) due to the encryption going on, but now it is constantly there instead. Very strange.
Also, one machine is connected to IRC, and that connection drops frequently (start lagging, and then reconnects) after these last changes.
Any ideas? Maybe I've done some configuration wrong, but what I don't get is what's causing all this CPU use.
EDIT: Something strange is definitely going on. When downloading, general speed to the internet slows down in a way that it doesn't normally do. Also, when I look under Status->Gateways, the VPN-gateway shows as Offline while the WAN-gateway is Online. The VPN still works for all interfaces using it, though…
EDIT2: Download speeds are also very unstable, varying between 50-1000 kb/s for the same torrent over time. Distinctly different behavior from before my latest changes.
EDIT3: Now I got a message in pfsense that something crashed (something with PHP..), and after that CPU use normalized. Download speeds are still going up and down like crazy though. Torrents sometimes stop downloading completely for 5 min and then go up to 1 MB/s again.
EDIT4: I think I got rid of the problem with losing internet access. I disabled flushing of states when a gateway goes down. Seems like when I saturated the connection, "apinger" (or whatever it's called) couldn't ping my WAN gateway so it flushed states, making the connection go down for a couple of minutes. WHY this started happening with my new conf, I have no idea..
-
Alright, you have enough for a couple of topics right there XD
Going back to your first problem, I think the problem is the "redirect-gateway" option you seem to have on the ovpn config. Could you try disabling that and manually direct traffic to the right gateway through rules? (as we have been suggesting). I insist that all this "playing around with the gateway option and outbound NAT" mess shouldn't be needed. The redirect-gateway seems to be messing up your default gateway (which you don't want to be changed! You want to send specific traffic through it)
Cheers!
-
Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?
- Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
- If you put 2 rules on WiFi1
(a) (destination !LAN) to WAN_DHCP
(b) (destination !WIFI2) to WAN_DHCP
then:
(i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
(ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
not what you want!
The rule on WIFI1 needs to be
(destination (!LAN and !WIFI2) to WAN_DHCP)
For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.
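As an added illustration of that first-match argument (my own example, not code from any poster in this thread), this Python snippet evaluates WIFI1 traffic against the two separate not-rules, against the single alias rule, and against the 192.168.0.0/16 shortcut suggested earlier. The subnets are made up, since the thread never states them.

```python
import ipaddress

# Constructed sample addressing for the thread's interfaces (assumption:
# the thread never gives the real subnets).
NETS = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
    "WIFI1": ipaddress.ip_network("192.168.2.0/24"),
    "WIFI2": ipaddress.ip_network("192.168.3.0/24"),
}

def dst_matches(dst, networks, negate):
    """A destination matches a (possibly negated) alias the way pfSense does:
    the address is inside any member network; '!' inverts that result."""
    hit = any(dst in n for n in networks)
    return hit != negate

def first_match_gateway(rules, dst):
    """Top-to-bottom evaluation, first matching rule wins.
    Each rule is (networks, negate, gateway). When nothing matches, the
    packet falls through to the default rule and the normal routing table."""
    for networks, negate, gateway in rules:
        if dst_matches(dst, networks, negate):
            return gateway
    return "default"

# Attempt 1: two separate not-rules, as asked about above.
TWO_NOT_RULES = [
    ([NETS["LAN"]],   True, "WAN_DHCP"),   # (a) destination !LAN
    ([NETS["WIFI2"]], True, "WAN_DHCP"),   # (b) destination !WIFI2
]

# Attempt 2: one rule negating an alias that covers LAN and WIFI2 together.
INTERNAL_ALIAS = [NETS["LAN"], NETS["WIFI2"]]
ALIAS_RULE = [(INTERNAL_ALIAS, True, "WAN_DHCP")]

# Attempt 3: the whole 192.168.0.0/16 block, so future internal nets also match.
RFC1918_RULE = [([ipaddress.ip_network("192.168.0.0/16")], True, "WAN_DHCP")]

def route_table(rules):
    """Return where WIFI1 traffic to each sample destination ends up."""
    samples = {  # constructed sample destinations
        "to LAN":      ipaddress.ip_address("192.168.1.10"),
        "to WIFI2":    ipaddress.ip_address("192.168.3.10"),
        "to internet": ipaddress.ip_address("93.184.216.34"),
    }
    return {name: first_match_gateway(rules, d) for name, d in samples.items()}

if __name__ == "__main__":
    for label, rules in (("two not-rules", TWO_NOT_RULES),
                         ("alias rule", ALIAS_RULE), ("/16 rule", RFC1918_RULE)):
        print(label, route_table(rules))
```

With the two separate not-rules every destination, internal ones included, ends up on WAN_DHCP; only the alias (or /16) form lets LAN and WIFI2 traffic fall through to normal routing.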
-
Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?
- Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
- If you put 2 rules on WiFi1
(a) (destination !LAN) to WAN_DHCP
(b) (destination !WIFI2) to WAN_DHCP
then:
(i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
(ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
not what you want!
The rule on WIFI1 needs to be
(destination (!LAN and !WIFI2) to WAN_DHCP)
For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.
That makes sense, thanks!
-
Alright, you have enough for a couple of topics right there XD
Going back to your first problem, I think the problem is the "redirect-gateway" option you seem to have on the ovpn config. Could you try disabling that and manually direct traffic to the right gateway through rules? (as we have been suggesting). I insist that all this "playing around with the gateway option and outbound NAT" mess shouldn't be needed. The redirect-gateway seems to be messing up your default gateway (which you don't want to be changed! You want to send specific traffic through it)
Cheers!
But isn't that what I've done? The "redirect-gateway" that shows up in the OVPN log isn't something that's decided by me, the server is just configured that way I guess. But when I did put in "route-nopull" in my config, doesn't that disable the redirect-gateway effect? Because after putting that in the config, my gateways are not changed (i.e., WAN_DHCP is still the default one). I then proceeded with adding rules for each interface as you said.
The difference from what you suggested is just that I had to create an interface for the VPN (after which a VPN gateway also appeared) in order to be able to actually use rules to direct traffic to the VPN. The NAT things I'm less sure of. I just noticed that if I leave it at automatic, my configuration won't work. Perhaps I could replace all the rules I created with just two rules like you suggested, one for WAN and one for VPN, allowing all on both. Would that increase performance? I don't really understand what those rules do, to be completely honest.
-
Ok, if it is not in your config then the "redirect-gateway" is being pushed by the server, the "route-nopull" should be enough.
As regards Outbound NAT, I'll summarize for you (I'll put it the easy way, don't blame me for the technical inaccuracies!).
On the inner side of your pfSense you have multiple devices with multiple IP addresses, but on the outer side you usually have only 1 public IP address. When you send a package out to the internet from a PC within the LAN, the package has the originating header set to the internal IP address. In order to be able to receive a response from the remote machine, that package needs to have the header set to the public IP (otherwise it will never get routed back). This is what "NAT" (or "Network Address Translation") does. pfSense grabs every package going out and replaces the originating header with the WAN IP address, and at the same time keeps an internal record (based on the ports) of which package going out corresponds to which internal IP (so it can deliver the response whenever it arrives). When the response arrives, pfSense does the same but the other way around (replaces the WAN IP that comes in the destination with the proper internal IP address).
So when the Outbound NAT is set to Manual, the rule tells pfSense to follow this procedure for every package matching the rule (that's why it is usually set to match everything leaving out the WAN interface, and in your case, also everything leaving out the OpenVPN interface). This can get more complicated as the network grows, since you might need some traffic NAT'ed and some traffic not, etc.
Hope that helped!
Regards!
-
georgeman: Thank you for the excellent explanation. I had some sort of understanding of this, but now you made it much clearer. I am now using only two rules, and it works fine. The only thing I don't understand now is why the automatic NAT doesn't work when running a VPN client?
My pfsense is now running as I wanted it to in my initial post, so big thanks to everyone who came with input on this and helped me, very appreciated!
-
pelle_chanslos, can you please tell me in summary the configuration you have done? As I understood, you have some LAN clients which are allowed to use the VPN and the others only the WAN. Is that right?
I have a similar network with 4 LAN clients and only 2 of them should use the VPN client connection (established within pfsense) and the other 2 should use the WAN directly. Your support is much appreciated.
-
pelle_chanslos, can you please tell me in summary the configuration you have done? As I understood, you have some LAN clients which are allowed to use the VPN and the others only the WAN. Is that right?
I have a similar network with 4 LAN clients and only 2 of them should use the VPN client connection (established within pfsense) and the other 2 should use the WAN directly. Your support is much appreciated.
I don't have that, I have different interfaces instead of different users. But I think you could use the same method anyway.
- Add the VPN connection as an interface. This will add a "VPN gateway".
- Create two rules for the LAN, one with the IPs of the two that shouldn't use the VPN, and let them use the default gateway. The other rule should contain the IPs of the clients that should use the VPN; make it exactly the same as the first rule, but change the gateway to the VPN gateway you just created when adding the interface.
You could also create two aliases, one for the two IPs that should go through the VPN and one for the two IPs that should go through the regular WAN connection.
Good luck!
-
It works fine, thank you for the short and clear description. Only one point is open that I could not solve. What happens if the VPN connection is lost? In this case I am connected again via the WAN interface and I would like to avoid this.
I tried to add a rule where any traffic between my "PC" and "any" over "WAN-gateway" is blocked. But this doesn't help.
-
Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?
- Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
- If you put 2 rules on WiFi1
(a) (destination !LAN) to WAN_DHCP
(b) (destination !WIFI2) to WAN_DHCP
then:
(i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
(ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
not what you want!
The rule on WIFI1 needs to be
(destination (!LAN and !WIFI2) to WAN_DHCP)
For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.
Wouldn't it be clever to implement AND, OR into the pfSense ruleset right away to be able to use them within the firewall rules? I think this would make sense, because the two dimensional matrix layout (aliases) doesn't suit very well for a three dimensional problem (single host aliases, groups of hosts, groups of groups meaning different layers).