After About 5 Days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre

m3ki

Strange so if you disable one of the clients now. Then both EU and US machines wont have internet ?

archedraft

Correct, If I disable one VPN client both the US and EU machines will not ping google

m3ki

Hmm… that could be dns issue.... what if you ping google on one of those machines by ip?
Also is there an overlap in your aliases by any chance?

EU_VPNCLIENT -> DOWN
US_VPNCLIENT -> UP

EU_MACHINE -> ping -> 8.8.8.8 ??
US_MACHINE -> ping -> 8.8.8.8 ??

archedraft

I checked to make sure the aliases where in the correct spots and they appear to be. I then took the EU vpn down and tried 8.8.8.8 and still both will not get packets.

m3ki

can you screenshot the do not nat rule?

m3ki

Also try disabling floating rules try to troubleshoot. What happens if floating rules are disabled? any luck then?

archedraft

Here is the DO NOT NAT RULE


archedraft

If I disable the floating rules and ping 8.8.8.8 instead of getting "destination host unreachable" it says "request timed out" on both machines. So that doesn't seem to be the problem.

m3ki

This means that DO NOT NAT is applied. So packets are not dropped. But still lurking. Keep Floating disabled for now. Try turning off do not nat rules. ( keep in mind they are applied top down.) If one doesnt apply next one will catch it ;)

archedraft

OK so (Note: EU Do NOT NAT is on top)

TEST 1:
ALL floating rules disabled -> USA DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine will not ping

TEST 2:
ALL floating rules disabled -> USA DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

TEST 3:
ALL floating rules disabled -> EU DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping

TEST 4:
ALL floating rules disabled -> EU DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping

TEST 5:
ALL floating rules disabled -> ALL DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping

archedraft

Figured it out. The problems was that under Firewall -> Rules -> Lan, proto was set to "TCP" on both VPN's, I changed proto to "Any" and now if one vpn goes down the other one still works.

archedraft

How to use Policy Based Routing and Multi VPN

• I Followed this guide http://www.komodosteve.com/archives/232

• NOTES: I used the same server port for both VPN's

• NOTES: I added the following commands into Advanced Config (When pfSense first boots it loads VPN_IP_#1 but if the client gets restarted it will randomly pick of the the 3 VPN_IP's

• SCREENSHOT: OpenVPN Client 1

• SCREENSHOT: OpenVPN Client 2

remote_VPN IP_#1 Port#;
remote VPN_IP_#2 Port#;
remote VPN_IP_#3 Port#;
remote-random;

• SCREENSHOT: System Gateways

• This is where you will setup two aliases for the USA VPN's and EU VPN's

• Make sure you have static IP address for the machines

• I made 3 rules (1 that redircts the EU vpn through the EU gateway, 1 that redirects the US vpn through the US gateway, and 1 that selects every other IP address not specified in aliases and sends it to the defualt WAN gateway)

• Proto: ANY, Source: Alias, Gateway: VPN

• SCREENSHOT: Firewall Rules 1

• SCREENSHOT: Firewall Rules 2

• First delete all rules

• Select "Automatic outbound NAT rule generation" and click save

• Select "Manual Outbound NAT rule generation" and click save

• This should auto created any rules needed for the VPN's

• Now create a rule that will stop traffic if the VPN is down

• Click "Do not NAT", Interface "WAN", Protocol "any", Source "Alias"

• MAKE SURE you move the rule to the top of the list as pfsense carries out rules from top down

• SCREENSHOT: Firewall NAT Outbound 1

• SCREENSHOT: Firewall NAT Outbound 2

• Action "Block", Interface "WAN", Direction "any", Protocol "any", Source "alias"

• SCREENSHOT: Firewall Rules Floating 1

• SCREENSHOT: Firewall Rules Floating 2

• This along with with #5  will block your machine from going to internet


archedraft

Screenshots


m3ki

Sounds about right ;) Glad I could help :)

archedraft

Screenshots


archedraft

screenshots


archedraft

Screenshots


m3ki

Hah now the topic went from cannot resolve address to…..... how to make policy based routing with multiple vpn clients.......

archedraft

Yeah, I was going to rename the first post but I guess it doesn't let you modify the first post… Ill start a new thread as well lol. Thanks again m3ki!

m3ki

Any time :)

Next steps to think about…... you can also forward certain ports, protocols, domains...... to go to vpn........ etc.... moar fun!