PfSense as OpenVPN Client

georgeman

Alright, you have enough for a couple of topics right there XD

Going back to your first problem, I think the problem is the "redirect-gateway" option you seem to have on the ovpn config. Could you try disabling that and manually direct traffic to the right gateway through rules? (as we have been suggesting). I insist that all this "playing around with the gateway option and outbound NAT" mess shouldn't be needed. The redirect-gateway seems to be messing up your default gateway (which you don't want to be changed! You want to send specific traffic through it)

Cheers!

phil.davis

Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?

1. Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
2. If you put 2 rules on WiFi1
     (a) (destination !LAN) to WAN_DHCP
     (b) (destination !WIFI2) to WAN_DHCP
   then:
     (i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
     (ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
   not what you want!
   The rule on WIFI1 needs to be
   (destination (!LAN and !WIFI2) to WAN_DHCP)

For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.

pelle_chanslos

@phil.davis:

Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?

1. Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
2. If you put 2 rules on WiFi1
     (a) (destination !LAN) to WAN_DHCP
     (b) (destination !WIFI2) to WAN_DHCP
   then:
     (i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
     (ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
   not what you want!
   The rule on WIFI1 needs to be
   (destination (!LAN and !WIFI2) to WAN_DHCP)

For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.

That makes sense, thanks!

pelle_chanslos

@georgeman:

Alright, you have enough for a couple of topics right there XD

Going back to your first problem, I think the problem is the "redirect-gateway" option you seem to have on the ovpn config. Could you try disabling that and manually direct traffic to the right gateway through rules? (as we have been suggesting). I insist that all this "playing around with the gateway option and outbound NAT" mess shouldn't be needed. The redirect-gateway seems to be messing up your default gateway (which you don't want to be changed! You want to send specific traffic through it)

Cheers!

But isn't that what I've done? The "redirect-gateway" that shows up in the OVPN log isn't something that's decided by me, the server is just configured that way I guess. But when I did put in "route-nopull" in my config, doesn't that disable the redirect-gateway effect? Because after putting that in the config, my gateways are not changed (ie, WAN_DHCP is still the default one). I then proceeded with adding rules for each interface as you said.

The difference from what you suggested is just that I had to create and interface for the VPN (after which a VPN gateway also appeared) in order to be able to actually use rules to direct traffic to the VPN. The NAT-things I'm less sure of. I just noticed that if I leave it at automatic, my configuration won't work. Perhaps I could replace all the rules I created with just two rules like you suggested, one for WAN and one for VPN, allowing all on both. Would that increase performance? I don't really understand what those rules do, to be completely honest.

georgeman

Ok, if it is not in your config then the "redirect-gateway" is being pushed by the server, the "route-nopull" should be enough.

As regards Outbound NAT, I'll summarize for you (I'll put it the easy way, don't blame for the technical inaccuracies!).
On the inner side of your pfSense you have multiple devices with multiple IP addresses, but on the outer side you usually have only 1 public IP address. When you send a package out to the internet from a PC within the LAN, the package has the originating header set to the internal IP address. In order to be able to receive a response from the remote machine, that package needs to have the header set to the public IP (otherwise it will never get routed back). This is what "NAT" (or "Network Address Translation") does. pfSense grabs every package going out and replaces the originating header with the the WAN IP address, and at the same time keeps an internal record (based on the ports) of which package going out corresponds to which internal IP (so it can deliver the response whenver it arrives). When the response arrives, pfSense does the same but the other way around (replaces the WAN IP that comes in the destination with the proper internal IP address

So when the Outbound NAT is set to Manual, the rule tells pfSense to follow this procedure to every package matching the rule (that's why it is usually set to match everything leaving out the WAN interface, and in your case, also everything leaving out the OpenVPN interface). This can get more complicated as the network grows, since you might need some traffic NAT'ed and some traffic not, etc.

Hope that helped!

Regards!

pelle_chanslos

georgeman: Thank you for the excellent explanation. I had some sort of understanding of this, but now you made it much clearer. I am now using only two rules, and it works fine. The only thing I don't understand now is why the automatic NAT doesn't work when running an VPN client?

My pfsense is now running as I wanted it to in my initial post, so big thanks to everyone who came with input on this and helped me, very appreciated!

gekko

pelle_chanslos, can you please tell me in summary the configuration you have done? As i understood you have some LAN Clients which are allowed to use VPN and the other only WAN. Is it right?
I have a similar network with 4 LAN clients and only 2 of the should use the VPN client connection (established within pfsense) and the other 2 should use directly the WAN.

Your support is much appreciated.

pelle_chanslos

@gekko:

pelle_chanslos, can you please tell me in summary the configuration you have done? As i understood you have some LAN Clients which are allowed to use VPN and the other only WAN. Is it right?
I have a similar network with 4 LAN clients and only 2 of the should use the VPN client connection (established within pfsense) and the other 2 should use directly the WAN.

Your support is much appreciated.

I don't have that, I have different interfaces instead of different users. But I think you could use the same method anyway.

1. Add the VPN connection as an interface. This will add a "VPN gateway".

2. Create two rules for the LAN, one with the IPs of the two that shouldn't use the VPN, and use let them use the default gateway. The other rule should contain the IPs of the clients that should use the VPN, make it exactly the same as the first rule, but change gateway to the VPN gateway you just created when adding the interface.

You could also create two aliases, one for the two IPs that should go through the VPN and one for the two IPs that should go through the regular WAN connection.

Good luck!

gekko

@pelle_chanslos

It works fine, thank you for the short and clear description. Only one point is open i could not solve. Whats happend if the VPN connection is lost? In this case i am connected again to the WAN Interface and i would like to avoid this.

I tried to add a rule where any traffic between my "PC" and "any" over "WAN-gateway" is blocked. But this doesnt help.

deltalord

@phil.davis:

Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other?

1. Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts.
2. If you put 2 rules on WiFi1
     (a) (destination !LAN) to WAN_DHCP
     (b) (destination !WIFI2) to WAN_DHCP
   then:
     (i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP
     (ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP
   not what you want!
   The rule on WIFI1 needs to be
   (destination (!LAN and !WIFI2) to WAN_DHCP)

For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule.

Wouldn't it be clever to implement AND, OR into the pfSense ruleset right away to be able to use them within the firewall rules? I think this would make sense, because the two dimensional matrix layout (aliases) doesn't suit very well for a three dimensional problem (single host aliases, groups of hosts, groups of groups meaning different layers).