Difference between Interface subnet and 192.168.2.0/24
-
Look in /tmp/rules.debug - down the end you will see the user rules generated from the Firewall Rules tabs. You will be able to see exactly what rules it generates for OPT3. I suspect it gets a different idea about OPT3 Subnet depending if it is set to topology or not. One way may treat it as a /30 and the other as the full tunnel network range.
-
Oh, yes, I understand that. But my question was: why are the OPT subnet and 192.168.2.0/24 not the same?
I understand this IF topology is net30, so is a peer-to-peer like connection.
But the previous scheme was ALL /24. Why this doesn't work?
-
Oh, yes, I understand that. But my question was: why are the OPT subnet and 192.168.2.0/24 not the same?
Please type ifconfig in the console, for both modes, and compare the OPT3/ovpns? output.
-
OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN? Do I have this wrong?
laptop/computer is a client while I'm out (for example, at a Starbucks coffee shop).
-
OK - I see.
When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN that pfsense is a client to?
-
OK - I see.
When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN that pfsense is a client to?
Yes.
-
haha - I see where this is going… Good one.
I take it AirVPN doesn't have a bandwidth usage cap?
-
Oh, yes, I understand that. But my question was: why are the OPT subnet and 192.168.2.0/24 not the same?
Please type ifconfig in the console, for both modes, and compare the OPT3/ovpns? output.
with net30
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00
without net30
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Opened by PID 15822
-
haha - I see where this is going… Good one.
I take it AirVPN doesn't have a bandwidth usage cap?
no limitations as I know
-
Yeah. So, see:
netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
netmask 0xffffff00 = /24 (the configured subnet)
-
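As an added worked example (not from the thread), the following Python derives the network that a pfSense "OPT3 subnet" macro would be built from for each of the two ifconfig excerpts above, by masking the interface address with the hex netmask, and checks whether a road-warrior client such as 192.168.2.6 falls inside it. The ifconfig strings are constructed from the output quoted above; the helper names are my own.

```python
import ipaddress
import re

# Constructed from the two ifconfig excerpts quoted in the thread:
# one with a /24 netmask, one with a /32 (point-to-point) netmask.
IFCONFIG_MASK24 = """ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00
"""
IFCONFIG_MASK32 = """ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
"""

# Matches the FreeBSD-style "inet <addr> --> <peer> netmask 0x........" line.
INET_RE = re.compile(r"^\s*inet (\S+) --> (\S+) netmask (0x[0-9a-fA-F]{8})", re.M)


def interface_subnet(ifconfig_text):
    """Network an '<IF> subnet' rule macro is derived from:
    the interface address masked with the interface netmask."""
    m = INET_RE.search(ifconfig_text)
    if not m:
        raise ValueError("no inet line with a hex netmask found")
    addr, _peer, hexmask = m.groups()
    mask = ipaddress.IPv4Address(int(hexmask, 16))  # 0xffffff00 -> 255.255.255.0
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def covers_client(ifconfig_text, client_ip):
    """True if a firewall rule keyed on the interface subnet would match client_ip."""
    return ipaddress.IPv4Address(client_ip) in interface_subnet(ifconfig_text)


if __name__ == "__main__":
    for label, text in (("/24 mask", IFCONFIG_MASK24), ("/32 mask", IFCONFIG_MASK32)):
        net = interface_subnet(text)
        print(f"{label}: subnet macro = {net}, covers 192.168.2.6: {covers_client(text, '192.168.2.6')}")
```

The /32 case yields 192.168.2.1/32, so a rule written against the interface subnet never matches a tunnel client; writing the rule against the tunnel network 192.168.2.0/24 itself avoids that.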
Yeah. So, see:
netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
netmask 0xffffff00 = /24 (the configured subnet)
why inet 192.168.2.1 --> 192.168.2.1
-
why inet 192.168.2.1 --> 192.168.2.1
What's your problem with that, again? The question has been answered already. The tunnel endpoints are the same there.
-
So, anyway - I've not been running pfsense this way before. I've only done this with a DD-WRT as client to Pfsense/Openvpn and then DD-WRT has its clients… Similar.
No one has said yet, but I'm guessing the OPT3 got created auto-magically when you created the OpenVPN client in pfsense? If so, I'm clear now.
How well is this working for you?
-
So, anyway - I've not been running pfsense this way before. I've only done this with a DD-WRT as client to Pfsense/Openvpn and then DD-WRT has its clients… Similar.
No one has said yet, but I'm guessing the OPT3 got created auto-magically when you created the OpenVPN client in pfsense? If so, I'm clear now.
How well is this working for you?
Absolutely not, I created the OPT3 to add a roadwarrior after all VPN testing from LAN -> AirVPN was successful.
-
Yeah - See, that's the part I don't understand: why you need it. But if it's working for you, I guess I don't need to understand necessarily.
I have road warriors and I didn't have to create an interface for them - that's why I'm confused.
-
Yeah - See, that's the part I don't understand: why you need it. But if it's working for you, I guess I don't need to understand necessarily.
I need it because the VPN provider is one (= 1 account), but I have to protect at the same time my internal LAN clients AND roadwarrior client(s) under the same umbrella (LAN = home office; roadwarrior = mobile office).
-
Thank you doktornotor, now I understand (yeah!) 8)
-
OK - If it works it works.
-
OK - If it works it works.
If you're interested, now I'm going to add a Wi-Fi interface! ;D ;D ;D with OpenVPN peers, of course!
-
It's not the adding of physical interfaces that confuses me.
Or the fact that you can have VPN clients to a pfsense that is running as a client to a VPN itself.
Or that you can add a wireless interface + its clients to pfsense which is client to a VPN.
The thing that confuses me is that I've always been able to firewall my pfsense road warriors just fine from the Openvpn firewall tab without the addition of an interface for their subnet.
So, what I'm wondering is was that interface necessary at all?
I'm probably just missing something. It's OK.