Netgate Discussion Forum

    After About 5 Days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre

      archedraft

      As far as the original issue of the network cannot resolve host name, it is still too early to tell if that is fixed (it used to happen after about 5 days or so… and I am only on day 2).

      I believe I now have the same setup as you are describing. The weird thing is that if one VPN goes down then both the US and EU VPNs kill the connections (I do have 2 - Do NOT NAT rules). I would have assumed that if the EU VPN went down then only the EU connections would be stopped.

      So why did you want to set up random remote IPs? Also I have attached a couple of screenshots of how I set up the various remote servers (hopefully I did that correctly).

      Capture1.PNG
      Capture2.PNG

        m3ki

        I have random servers just so it connects to different servers and not a single one every time. No particular reason, just to make sure that if one of the servers is slow it will connect to a different one automatically the next time I reconnect.

        Could you take screenshots of:

        1. List of your gateways.
        2. Your floating rules.
        3. Your LAN rules.
        4. Your NAT outgoing table.
        5. Your clients list (you can blank out what you don't wanna show).

          archedraft

          I have attached the screenshots. I also have an internal OpenVPN server set up so that I can access my network, so that is why my NAT outgoing table has so many entries. Let me know if you need any other screenshots.

          ![System Gateways.JPG](/public/imported_attachments/1/System Gateways.JPG)
          ![Floating Rules.JPG](/public/imported_attachments/1/Floating Rules.JPG)
          ![LAN Rules.JPG](/public/imported_attachments/1/LAN Rules.JPG)

            archedraft

            More Screenshots

            ![NAT Outgoing Table.JPG](/public/imported_attachments/1/NAT Outgoing Table.JPG)
            ![OpenVPN Clients.JPG](/public/imported_attachments/1/OpenVPN Clients.JPG)

              m3ki

              Your protocols should be any.
              Also floating rules should block traffic not allow it.

                archedraft

                Oh thanks! I changed the rules to blocked. The protocols are set to any; see the attached screenshots (I am not sure why it says IPv4 *). Also, to make sure it is working, all I have to do is disable a VPN client and then ping google.com, and as long as the packets don't send I am good, right?

                ![Floating Rule 1.JPG](/public/imported_attachments/1/Floating Rule 1.JPG)
                ![Floating Rule 2.JPG](/public/imported_attachments/1/Floating Rule 2.JPG)

                  m3ki

                  Theoretically now you should have either one VPN working. I don't know why both of yours go down. Maybe something to do with your interface assignments?

                    archedraft

                    Here is the interface assignment page?

                    ![Interface Assignments.JPG](/public/imported_attachments/1/Interface Assignments.JPG)
                    ![Interface Assignments 2.JPG](/public/imported_attachments/1/Interface Assignments 2.JPG)

                      m3ki

                      Strange. So if you disable one of the clients now, then both EU and US machines won't have internet?

                        archedraft

                        Correct, if I disable one VPN client both the US and EU machines will not ping Google.

                          m3ki

                          Hmm… that could be a DNS issue... What if you ping Google on one of those machines by IP?
                          Also is there an overlap in your aliases by any chance?

                          EU_VPNCLIENT -> DOWN
                          US_VPNCLIENT -> UP

                          EU_MACHINE -> ping -> 8.8.8.8 ??
                          US_MACHINE -> ping -> 8.8.8.8 ??

                            archedraft

                            I checked to make sure the aliases were in the correct spots and they appear to be. I then took the EU VPN down and tried 8.8.8.8 and still both will not get packets.

                              m3ki

                              Can you screenshot the Do Not NAT rule?

                                m3ki

                                Also try disabling floating rules to troubleshoot. What happens if floating rules are disabled? Any luck then?

                                  archedraft

                                  Here is the DO NOT NAT RULE

                                  ![Do NOT NAT.JPG](/public/imported_attachments/1/Do NOT NAT.JPG)

                                    archedraft

                                    If I disable the floating rules and ping 8.8.8.8 instead of getting "destination host unreachable" it says "request timed out" on both machines. So that doesn't seem to be the problem.

                                      m3ki

                                      This means that DO NOT NAT is applied. So packets are not dropped. But still lurking. Keep Floating disabled for now. Try turning off Do Not NAT rules (keep in mind they are applied top down). If one doesn't apply, the next one will catch it ;)

                                        archedraft

                                        OK so (Note: EU Do NOT NAT is on top)

                                        TEST 1:
                                        ALL floating rules disabled -> USA DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine will not ping

                                        TEST 2:
                                        ALL floating rules disabled -> USA DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

                                        TEST 3:
                                        ALL floating rules disabled -> EU DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

                                        TEST 4:
                                        ALL floating rules disabled -> EU DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping

                                        TEST 5:
                                        ALL floating rules disabled -> ALL DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping

                                          archedraft

                                          Figured it out. The problem was that under Firewall -> Rules -> LAN, proto was set to "TCP" on both VPNs. I changed proto to "Any" and now if one VPN goes down the other one still works.

                                            archedraft

                                            How to use Policy Based Routing and Multi VPN

                                            • I followed this guide http://www.komodosteve.com/archives/232

                                            • NOTES: I used the same server port for both VPNs

                                            • NOTES: I added the following commands into Advanced Config (when pfSense first boots it loads VPN_IP_#1, but if the client gets restarted it will randomly pick one of the 3 VPN_IPs):

                                            remote VPN_IP_#1 Port#;
                                            remote VPN_IP_#2 Port#;
                                            remote VPN_IP_#3 Port#;
                                            remote-random;

                                            • SCREENSHOT: OpenVPN Client 1

                                            • SCREENSHOT: OpenVPN Client 2

                                            • SCREENSHOT: System Gateways

                                            • This is where you will set up two aliases for the USA VPNs and EU VPNs

                                            • Make sure you have a static IP address for the machines

                                            • I made 3 rules (1 that redirects the EU VPN through the EU gateway, 1 that redirects the US VPN through the US gateway, and 1 that selects every other IP address not specified in aliases and sends it to the default WAN gateway)

                                            • Proto: ANY, Source: Alias, Gateway: VPN

                                            • SCREENSHOT: Firewall Rules 1

                                            • SCREENSHOT: Firewall Rules 2

                                            • First delete all rules

                                            • Select "Automatic outbound NAT rule generation" and click save

                                            • Select "Manual Outbound NAT rule generation" and click save

                                            • This should auto-create any rules needed for the VPNs

                                            • Now create a rule that will stop traffic if the VPN is down

                                            • Click "Do not NAT", Interface "WAN", Protocol "any", Source "Alias"

                                            • MAKE SURE you move the rule to the top of the list, as pfSense carries out rules from the top down

                                            • SCREENSHOT: Firewall NAT Outbound 1

                                            • SCREENSHOT: Firewall NAT Outbound 2

                                            • Action "Block", Interface "WAN", Direction "any", Protocol "any", Source "alias"

                                            • SCREENSHOT: Firewall Rules Floating 1

                                            • SCREENSHOT: Firewall Rules Floating 2

                                            • This along with #5 will block your machine from going to the internet

                                            ![OpenVPN Client 1.JPG](/public/imported_attachments/1/OpenVPN Client 1.JPG)

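A simplified first-match model of the three LAN rules and the WAN kill switch from the how-to above, showing why a ping never exercises a policy rule limited to TCP and what happens to each alias when one VPN is down. This is an added example, not code from the thread or from pfSense; the host addresses, gateway names and the assumption that a down tunnel leaves only the WAN path are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: stand-ins for the two aliases and their gateways.
EU_HOSTS = frozenset({"192.168.1.50"})
US_HOSTS = frozenset({"192.168.1.60"})
VPN_HOSTS = EU_HOSTS | US_HOSTS

@dataclass(frozen=True)
class Rule:
    proto: str                      # "any", "tcp", "udp" or "icmp"
    sources: Optional[frozenset]    # None matches any source
    gateway: str

def lan_rules(vpn_proto: str) -> list:
    """The three LAN rules from the how-to, top down."""
    return [
        Rule(vpn_proto, EU_HOSTS, "EU_VPN"),
        Rule(vpn_proto, US_HOSTS, "US_VPN"),
        Rule("any", None, "WAN"),   # everything else -> default gateway
    ]

def pick_gateway(rules, src: str, proto: str) -> str:
    """First rule whose protocol and source both match decides the gateway."""
    for rule in rules:
        if rule.proto in ("any", proto) and (rule.sources is None or src in rule.sources):
            return rule.gateway
    return "NONE"

def egress(rules, src: str, proto: str, vpns_up: set) -> str:
    """Where a packet ends up once the WAN kill switch is applied."""
    gw = pick_gateway(rules, src, proto)
    if gw.endswith("_VPN") and gw not in vpns_up:
        gw = "WAN"                  # assumption: a down tunnel leaves only the WAN path
    if gw == "WAN" and src in VPN_HOSTS:
        return "blocked"            # Do not NAT + floating block for alias sources
    return gw

def narrow_policy_rules(rules) -> list:
    """Audit helper: VPN rules that do not cover every protocol."""
    return [r for r in rules if r.gateway != "WAN" and r.proto != "any"]

if __name__ == "__main__":
    both = {"EU_VPN", "US_VPN"}
    for label, rules in (("tcp", lan_rules("tcp")), ("any", lan_rules("any"))):
        print(label, "ping EU host, both up ->", egress(rules, "192.168.1.50", "icmp", both))
        print(label, "ping US host, EU down ->", egress(rules, "192.168.1.60", "icmp", {"US_VPN"}))
```

With the VPN rules set to TCP, ICMP from an alias host falls through to the catch-all rule and is stopped at WAN even while its tunnel is up, so a ping says nothing about the VPN path until the rules are set to any.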
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.