Netgate Discussion Forum
Stopping my pfSense router from showing my login page on the internet.

    20 Posts 5 Posters 4.0k Views
tjabas:

OK, first of all, sorry for my shitty English.

I have now tried with another computer in another home, with a totally different ISP and IP than my own. When I type my real IP in the address field I end up at my pfSense router; if I enter my virtual VPN IP (looks like 10.4.20.1) I also end up at my router; and when I enter the external IP that my VPN provider gives me I end up at my router. If I use tracert on the computer in that other house and enter the VPN IP from StrongVPN, I can trace it all the way back to my own, real IP.

I have used this guide: http://swimminginthought.com/pfsense-routing-traffic-strongvpn-openvpn/#comment-1131

I have used the NAT and rules exactly as in this guide, and I end up like this.

I would really like to post a picture of my NATs and rules, but I don't know how to make a copy of the screen like the others that can be found on this forum.

Thank you for all your help.
mikeisfly:

10.x.x.x is a private IP and is not routable on the Internet, so I don't know how you got your pfSense page. If you want any help you are going to have to go to your NAT page and take a screen capture (use something like Greenshot), and you will need to take a screen capture of your rules and post them. Anything short of this and we will just be spinning our wheels. Please post the screenshots or it will really be hard to help you.
johnpoz (LAYER 8 Global Moderator):

"I would really like to post a picture of my NATs and rules, but I don't know how to make a copy of the screen like the others that can be found on this forum."

What OS are you using? On Windows 7 you can use the built-in Snipping Tool, and then attach it on the forum under "Attachments and other options". See the attachments for finding the Snipping Tool and adding a picture to a forum post.

Or upload your picture to one of the many image sharing sites: http://imgur.com/, http://imageshack.us/

And then use the image share button (see the next email), or use the code they provide for putting your image into a forum post.

Or you can use one of the many, many screenshot-taking tools. My personal favorite is http://www.faststone.org/FSCaptureDetail.htm, but it's not free, though there is a free trial. Or do you have Dropbox? They have a way of sharing screen captures now with a simple Print Screen button on your keyboard: http://betanews.com/2013/09/29/dropbox-adds-screen-capture-sharing/

Really need to see some rules, but as stated it is IMPOSSIBLE for you to have gotten to a 10.x.x.x address across the internet, since this is an RFC 1918 address and not routable. PERIOD!!

Happy to help; just need some actual info to work with vs. your misunderstanding of what is happening.

[Attachments: snippingtool.png, attachpicture.png, imageshare.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
tjabas:

OK, now I finally got the Snipping Tool to work, and I was wrong: after a new look I noticed that the internal VPN IP (10.5.21.0, something like that) didn't work the second time. I was pretty tired when I noticed all of the problems.

So here we go.

I needed to set aliases to get the computers to be able to access the internet through the VPN; it wasn't possible to access the internet without it. I just want these computers to connect through the VPN; the rest of my computers don't need to go through the VPN.

So please explain how I should set up these NATs and rules for it to work.

I don't want to be able to access the router from the "outside", I don't want it to be possible to track down my real IP from the StrongVPN IP, and I want the IPs in the aliases to go through the VPN.

Thank you.

[Attachments: aliases.JPG, NAT.JPG, rules lan.JPG, rules wan.JPG, rulesopenvpn.JPG, rulesstrongvpn.JPG]
kejianshi:

You know what I don't see here? Your NAT rules…

Just saying.
johnpoz:

So as to how you can access your web GUI from the outside: you have a freaking any/any/any rule on your WAN interface. What the hell do you think is going to be allowed? ;)

From looking at those rules you seem to think they are outbound rules, I think? All rules in pfSense are inbound to the interface.

There should be NO rules on your WAN other than the block bogon or private rules, which are "inbound" rules to the interface, unless you want to allow unsolicited traffic INBOUND to your pfSense. See my rules below. I have unchecked block private and bogon; I was troubleshooting some stuff and really need to put those back. Anyhow, as you can see I allow ICMP to my WAN IP, and the rest are rules that match up to my NATs and OpenVPN connectivity to my box. I run OpenVPN both on TCP 443 and the default UDP port, since in some places UDP 1194 is not allowed outbound, but almost everywhere 443 is open outbound.

You need to read the rules as packets ingressing the interface, not egressing, from top to bottom.

Remove that nonsense in your WAN; there should only be that bogon rule if you don't want any inbound traffic, and your access to your web GUI will be gone. As to your 10.x address: again, those are NOT routable on the internet, so not exactly sure what you're complaining about. Will reread your posts to see if I can make heads or tails of your issue.

BTW, why all the manual outbound NAT rules?? Why can you not leave it as automatic? Looking at them to see what you're trying to accomplish other than more work for yourself.

And can you explain

"and I don't want it to be possible to track down my real IP from the StrongVPN IP, and I want the IPs in the aliases to go through the VPN."

How do you think you are doing that?? Sorry, it's NOT possible; that is just the way VPNs work. It does not make any sense that you think you're seeing your pfSense endpoint somehow in tracing what, exactly?? If you trace the exit point of your VPN connection from the outside, how does it show you your pfSense IP?? Now, shit, if you trace it from your pfSense side you're going to go right through your pfSense, since you have a tunnel going there ;)

OK, took a quick look at the guide you're running, and sorry, you did not follow it. You have all your outbound NATs turned OFF?? And in your LAN rules you're allowing everything, and then you have an allow rule for your VPN connection?? That is NOT how the guide says to do it. And you created aliases; where are you using them in any rules?

Also just noticed you have 192.168.10 addresses in your aliases; where are those supposed to hit pfSense? Is your pfSense LAN not on 192.168.1.0/24? So where do 192.168.10.x come in?

[Attachment: ruleswan.png]
tjabas:

Well, as I said, I'm a total newbie at this, and I followed that guide on how to install OpenVPN and open ports and stuff, so I guess that the guide wasn't that good.

I have deleted all the WAN rules, and I can still reach my web interface from the outside, and I can still trace my VPN IP back to my real IP.

I have tried to read as much as I can about this NAT and rules, but I don't really understand it.

Is there anything else that I need to delete from my NATs and rules?

Really appreciate your help.
johnpoz:

"I have deleted all the WAN rules, and I can still reach my web interface from the outside, and I can still trace my VPN IP back to my real IP."

I say BS, sorry. Did you clear your states once you deleted the rules? Let's see your WAN rules! And this time your NAT rules.

As for this:
"and I can still trace my VPN IP back to my real IP."

Explain what you're doing??? PM me if you don't want to post public IPs. Where are you getting your VPN IP from, exactly?? And where are you tracing to that? How do you think you can see your pfSense IP in that??

So here is an example. I connect my box to my host in the UK via VPN; see my public IP, since my traffic flows through the VPN tunnel to get to the internet (see my public IP via whatsmyip.org).

Now see the 2nd picture, when I am not connected to the VPN: my box does not get a 10.x address, which is MY end of the tunnel and a NON-routable address on the internet. When I am not connected I only have my normal 192.168 address on pfSense; see how my public IP changed to be a Comcast IP, my normal ISP, vs. the network of the exit point of my VPN connection.

So please explain to me how you're tracing to your normal ISP connection via the IP address of your VPN connection to the public internet??

[Attachments: vpnconnected.png, notconnectevpn1.png]
tjabas:

My first problem was that my computers didn't go through the VPN; they just went through my ISP IP. So I read that it was possible to add aliases to get some of the computers to go through the VPN, and that worked.

But the other problem I encountered was that if I shut down the VPN, then the alias-assigned computers suddenly got a connection with my "real" IP, and I don't want that. I want the internet connection to stay down for these computers until the VPN connects again, so I read that if I block these computers in the WAN rules they won't get any connection except through the VPN, and that also worked.

When I started with this pfSense thing I had even more problems than I have now, so I bought a preconfigured backup file from the maker of that guide I posted; that's where the 192.168.10… comes from. I haven't deleted them.

And as I was saying, I am really not good at these things, so sorry if I seem stupid :-[

So what I really want from this pfSense is:

Connect some computers/IPs through the VPN, and when/if the VPN disconnects I will lose the internet on these computers, not connect with my "real" IP.
And of course a very secure firewall, with no web access.

Thank you.
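An added example, written for this edit and not code from the thread, the linked guide or pfSense itself: a small model of how pfSense evaluates firewall rules, to make the points in the posts above concrete. Rules are matched on packets entering an interface, top to bottom, first match wins; an any/any/any pass rule on WAN is exactly what lets a stranger reach the web GUI, while the "block private networks" rule stops a 10.x source before anything else is consulted; and the "alias hosts only ever leave via the VPN" wish can be expressed as a policy-routing pass rule with a block rule directly under it. The rule fields, the 203.0.113.x/198.51.100.x sample addresses, the alias and gateway names, and the "rule skipped while its gateway is down" behaviour (pfSense's "Skip rules when gateway is down" setting) are assumptions of the model, not a reading of the poster's actual configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "Block private networks" in pfSense terms: RFC 1918 plus link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private(addr: str) -> bool:
    """True for addresses that are never routed on the public internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class Rule:
    iface: str                      # interface the packet ENTERS (pfSense rules are inbound)
    action: str                     # "pass" or "block"
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    src: str = "any"                # CIDR, alias name, "private", or "any"
    dst: str = "any"                # CIDR, alias name, "(self)" = firewall's own IPs, or "any"
    dport: Optional[int] = None     # destination port, None = any
    gateway: Optional[str] = None   # policy-routing gateway; rule is skipped while it is down
    descr: str = ""


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


class Firewall:
    """First-match evaluator. pfSense tags every GUI rule 'quick', so unlike
    plain pf (last match wins) the first matching rule decides."""

    def __init__(self, self_ips, aliases, gateways_up):
        self.self_ips = set(self_ips)      # addresses owned by the firewall itself
        self.aliases = aliases             # alias name -> list of CIDRs
        self.gateways_up = gateways_up     # gateway name -> bool (from gateway monitoring)

    def _match(self, spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec == "(self)":
            return addr in self.self_ips
        if spec == "private":
            return is_private(addr)
        nets = self.aliases.get(spec, [spec])
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

    def evaluate(self, rules, pkt: Packet):
        """Return (action, description, gateway) of the first matching rule,
        or the implicit default deny when nothing matches."""
        for r in rules:
            if r.iface != pkt.iface:
                continue
            # Assumed "skip rules when gateway is down": a policy-routing rule
            # whose gateway is down is not loaded, so the rules below it apply.
            if r.gateway and not self.gateways_up.get(r.gateway, False):
                continue
            if r.proto != "any" and r.proto != pkt.proto:
                continue
            if not self._match(r.src, pkt.src) or not self._match(r.dst, pkt.dst):
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            return r.action, r.descr, r.gateway
        return "block", "implicit default deny", None


# The mistake: an any/any/any pass rule on WAN lets the whole internet reach the GUI.
WAN_OPEN = [
    Rule("wan", "block", src="private", descr="Block private networks"),
    Rule("wan", "pass", descr="any any any (the mistake)"),
]

# Nothing on WAN but the block rule and the one service deliberately exposed.
WAN_LOCKED = [
    Rule("wan", "block", src="private", descr="Block private networks"),
    Rule("wan", "pass", proto="udp", dst="(self)", dport=1194, descr="OpenVPN server"),
]

# LAN: alias hosts leave only via the VPN gateway; when it is down the pass rule
# is skipped and the block rule underneath catches them. Everyone else uses the ISP.
LAN_RULES = [
    Rule("lan", "pass", src="VPN_HOSTS", gateway="STRONGVPN_GW", descr="alias hosts via VPN"),
    Rule("lan", "block", src="VPN_HOSTS", descr="alias hosts never via ISP"),
    Rule("lan", "pass", src="192.168.1.0/24", descr="everyone else via default (ISP) route"),
]


def build(vpn_up: bool) -> Firewall:
    # Constructed sample addressing: 203.0.113.10 stands in for the public WAN IP.
    return Firewall(self_ips={"203.0.113.10", "192.168.1.1"},
                    aliases={"VPN_HOSTS": ["192.168.1.50/32", "192.168.1.51/32"]},
                    gateways_up={"STRONGVPN_GW": vpn_up})


def webgui_from_internet(rules):
    """A stranger on 198.51.100.7 (constructed) tries HTTPS to the WAN address."""
    return build(True).evaluate(rules, Packet("wan", "tcp", "198.51.100.7", "203.0.113.10", 443))


def lan_host_to_internet(src: str, vpn_up: bool):
    return build(vpn_up).evaluate(LAN_RULES, Packet("lan", "tcp", src, "198.51.100.9", 443))


if __name__ == "__main__":
    print("GUI, open WAN:        ", webgui_from_internet(WAN_OPEN))
    print("GUI, locked WAN:      ", webgui_from_internet(WAN_LOCKED))
    print("alias host, VPN up:   ", lan_host_to_internet("192.168.1.50", True))
    print("alias host, VPN down: ", lan_host_to_internet("192.168.1.50", False))
    print("other host, VPN down: ", lan_host_to_internet("192.168.1.77", False))
```

Run it and the open ruleset passes the HTTPS probe to the WAN address, the locked one drops it under the default deny while still admitting UDP 1194 to the firewall, and an alias host is blocked the moment the VPN gateway goes down while a non-alias host keeps its ISP route. Note what the model also shows about the 10.x claim: a packet arriving on WAN with a 10.4.20.1 source is blocked by the first rule regardless of what follows, and such a packet would not have crossed the internet in the first place.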
johnpoz:

And are you going to post up your new WAN rules? Sorry, if the WAN rules do not allow it, then the web GUI is not available via the internet, if the internet is actually connected via your WAN interface.

See my example of tracing to your ISP via a VPN IP address; please explain what you think you're doing, exactly, because what you're saying is not possible.

From your rules you have NOTHING that points to your aliases at all, be it his or yours. They are not used in any of the WAN or LAN or even StrongVPN interfaces, so how do you think they come into play??

Can you post up your interfaces so we can see what IPs you're on? Anything that starts with 10.x.x.x, 192.168.x.x, 172.16-31.x.x or 169.254 is NOT routable on the public net and can freely be shown; see mine. If it starts with something else, then sure, hide the last couple of octets.

Example:

[Attachment: interfaces.png]
johnpoz:

Well, that looks right: you have a public IP on your WAN and then private on LAN. So 213.64 is

inetnum:        213.64.0.0 - 213.64.255.255
netname:        TELIANET

So what is your VPN IP? That 10.8.0 you see is PRIVATE RFC 1918 addressing; that is not traceable or routable on the public net.
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.