Netgate Discussion Forum

Difference between Interface subnet and 192.168.2.0/24

Firewalling
44 Posts 5 Posters 11.7k Views
    panz
    last edited by Sep 3, 2013, 1:29 AM

    @kejianshi:

    I'm not sure why this would work at all.  I've never seen anyone do this.
    My immediate thought is that you should not be doing this.

    Why?

    My scheme is:

    1. first OpenVPN is pfsense as client to AirVPN. This allows me to tunnel all the traffic leaving pfsense (LAN, etc.) through a VPN provider.

    2. second OpenVPN is a roadwarrior VPN with pfsense acting as server. It assigns 192.168.2.0/24 addresses and tunnels all the traffic generated by my laptop through the VPN server and then outside pfsense to the Internet through AirVPN client.

    What am I doing wrong???  ::)

    pfSense 2.3.2-RELEASE-p1 (amd64)
    motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      doktornotor Banned
      last edited by Sep 3, 2013, 1:30 AM

      @panz:

      It works flawlessly only with the second rule…  :(

      If you check the "Topology" checkbox, do both work?

        kejianshi
        last edited by Sep 3, 2013, 1:32 AM

        doktornotor - Currently I'm lost…

        I'd probably need a drawing of this to know what is going on.

          doktornotor Banned
          last edited by Sep 3, 2013, 1:35 AM

          @kejianshi:

          doktornotor - Currently I'm lost…
          I'd probably need a drawing of this to know what is going on.

          Basically something like this. But with client connected not from LAN, but via OVPN.

            kejianshi
            last edited by Sep 3, 2013, 1:38 AM

            I'll just watch and see how this goes…  Thanks.

              panz
              last edited by Sep 3, 2013, 1:49 AM

              @kejianshi:

              doktornotor - Currently I'm lost…

              I'd probably need a drawing of this to know what is going on.

               WAN (ISP) ---- pfsense ---- LAN

              So, pfsense has 2 physical interfaces: LAN & WAN. WAN has a public IP; LAN is 192.168.1.0/24 (pfsense is 192.168.1.1).

              Then I setup pfsense as client to AirVPN (a VPN service provider) so all my traffic is sent via VPN. Here's my NAT scheme:

              Then, I want to use my laptop with maximum security, so I setup a roadwarrior conf with pfsense acting as an OpenVPN server (tunnel is 192.168.2.0/24).

              Then, to prevent DNS leaks and LAN clients using Internet when AirVPN is down, I setup 2 floating rules:

              where MY_DNS_ADDRESSES is an alias to my favorite DNS servers (OpenNIC).

              Now I'm experimenting with firewall rules because, as far as I know, now my "exposed" interface is OpenVPN (because all my Internet traffic comes from there).

                doktornotor Banned
                last edited by Sep 3, 2013, 1:50 AM

                Wasn't my question. Let me ask again:

                If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?

                  panz
                  last edited by Sep 3, 2013, 1:52 AM

                  @doktornotor:

                  Wasn't my question. Let me ask again:

                  If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?

                  There's only 1 (roadwarrior) client and it has 192.168.2.6 address.

                    doktornotor Banned
                    last edited by Sep 3, 2013, 1:55 AM

                    The question still remains the same. See the OpenVPN docs on net30 for the reason I'm asking.

                      panz
                      last edited by Sep 3, 2013, 1:57 AM

                      Yes, now checking that, the first rule works… so... why?

                        doktornotor Banned
                        last edited by Sep 3, 2013, 1:59 AM

                        Well, because /30 is not /24  :P

                        net30 -- Use a point-to-point topology, by allocating one /30 subnet per client.
                        subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask

                        Documentation. Also comparing the ifconfig output for both modes should be pretty much enlightening.

                          kejianshi
                          last edited by Sep 3, 2013, 2:02 AM

                          OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN?  Do I have this wrong?

                            phil.davis
                            last edited by Sep 3, 2013, 2:03 AM

                            Look in /tmp/rules.debug - down the end you will see the user rules generated from the Firewall Rules tabs. You will be able to see exactly what rules it generates for OPT3. I suspect it gets a different idea about OPT3 Subnet depending if it is set to topology or not. One way may treat it as a /30 and the other as the full tunnel network range.

                            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                              panz
                              last edited by Sep 3, 2013, 2:04 AM

                              Oh, yes, I understand that. But my question was: why were OPT subnet and 192.168.2.0/24 not the same?

                              I understand this IF the topology is net30, so it is a peer-to-peer-like connection.

                              But the previous scheme was ALL /24. Why doesn't this work?

                                doktornotor Banned
                                last edited by Sep 3, 2013, 2:06 AM

                                @panz:

                                Oh, yes, I understand that. But my question was: why were OPT subnet and 192.168.2.0/24 not the same?

                                Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.

                                  panz
                                  last edited by Sep 3, 2013, 2:07 AM

                                  @kejianshi:

                                  OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN?  Do I have this wrong?

                                  laptop/computer is a client while I'm out (for eg. at a Starbucks coffee).

                                    kejianshi
                                    last edited by Sep 3, 2013, 2:12 AM

                                    OK - I see.

                                    When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is a client to?

                                      panz
                                      last edited by Sep 3, 2013, 2:13 AM

                                      @kejianshi:

                                      OK - I see.

                                      When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is a client to?

                                      Yes.

                                        kejianshi
                                        last edited by Sep 3, 2013, 2:17 AM

                                        haha - I see where this is going…  Good one.

                                        I take it AirVPN doesn't have a bandwidth usage cap?

                                          panz
                                          last edited by Sep 3, 2013, 2:17 AM

                                          @doktornotor:

                                          @panz:

                                          Oh, yes, I understand that. But my question was: why were OPT subnet and 192.168.2.0/24 not the same?

                                          Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.

                                          with net30

                                          ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                                  options=80000<LINKSTATE>
                                                  inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
                                                  inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00

                                          without net30

                                          ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                                  options=80000<LINKSTATE>
                                                  inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
                                                  inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
                                                  nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                                  Opened by PID 15822


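As an added illustration of what doktornotor's ifconfig comparison and phil.davis's hint about the generated OPT3 rules come down to (example code, not from the thread, OpenVPN or pfSense): it derives the network an "OPT3 subnet" style macro would cover from the posted inet lines and checks whether the road-warrior client 192.168.2.6 falls inside it. Assumed: the /32 point-to-point line is what net30 produces and the /24 line is subnet topology, and "address masked by netmask" is a simplification of how the firewall expands the macro.

```python
import ipaddress
import re

# Constructed sample input: the two "inet" lines from the post above, stripped to
# the part that matters. Mapping to topology is an assumption: the /32
# point-to-point line is what net30 produces, the /24 line is subnet topology.
IFCONFIG_NET30 = "inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff"
IFCONFIG_SUBNET = "inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00"

INET_RE = re.compile(r"inet (\S+) --> (\S+) netmask (0x[0-9a-fA-F]+)")


def interface_subnet(ifconfig_line):
    """Network an "<OPTx> subnet" style macro would expand to, simplified to
    "interface address masked by its netmask" as ifconfig reports them."""
    m = INET_RE.search(ifconfig_line)
    if not m:
        raise ValueError("no inet line with a peer address found")
    addr, _peer, mask_hex = m.groups()
    mask = ipaddress.IPv4Address(int(mask_hex, 16))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def rule_matches(ifconfig_line, client_ip):
    """Would a rule with source "OPT3 subnet" match this client address?"""
    return ipaddress.IPv4Address(client_ip) in interface_subnet(ifconfig_line)


def net30_block(tunnel_network, block_index):
    """net30 carves the tunnel into /30s: block 0 is the server's own link,
    each later block is one client; inside a block the second address is the
    server-side endpoint and the third is the client."""
    blocks = list(ipaddress.IPv4Network(tunnel_network).subnets(new_prefix=30))
    block = blocks[block_index]
    addrs = list(block)  # network, server side, client, broadcast
    return block, addrs[1], addrs[2]


def compare(client_ip="192.168.2.6"):
    """Summarise both modes for the road-warrior address from the thread."""
    return {
        "subnet": (str(interface_subnet(IFCONFIG_SUBNET)),
                   rule_matches(IFCONFIG_SUBNET, client_ip)),
        "net30": (str(interface_subnet(IFCONFIG_NET30)),
                  rule_matches(IFCONFIG_NET30, client_ip)),
    }


if __name__ == "__main__":
    for mode, (net, hit) in compare().items():
        print(f"{mode:7s} OPT3 subnet = {net:16s} matches 192.168.2.6: {hit}")
    block, srv, cli = net30_block("192.168.2.0/24", 1)
    print(f"net30 block 1: {block} (server side {srv}, client {cli})")
```

Under subnet topology the macro covers 192.168.2.0/24 and the rule matches the client; under net30 it covers only the server's own /32 (or /30), which is why a source of 192.168.2.0/24 works and "OPT3 subnet" does not.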
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.