Netgate Discussion Forum
    Unusual behaviour on secondary networks

    Category: Problems Installing or Upgrading pfSense Software (11 posts, 3 posters, 2.2k views)
    • stephenw10 (Netgate Administrator)

      Where are you running the VPNs? In the pfSense box or in the RDP server machines?
      It sounds like the VPN is changing the default route such that the RDP traffic is captured and sent down the VPN instead of across the local network.

      Steve

      Edit: typo

      • draccusfly

        The VPNs are being run on the Windows boxes. As we have a large number of clients that our support reps connect to, it's more convenient to use this method than to create the VPNs on the pfSense box. This all worked fine on our previous firewall, so it must be something in the configuration of pfSense?

        Drac

        • johnpoz (LAYER 8 Global Moderator)

          The most logical answer is stephen's – quite often the default connection type for a VPN is to prevent split tunnel, and for the default gateway to be changed to the VPN connection.

          I would validate your VPN setup; what VPN are you using? If it allows split tunnel, then you might need to add the network you're coming from to RDP to the box as an allowed network, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • draccusfly

            Looking through the VPN > networking > advanced properties there is a "Use gateway on remote network" option. But this has always been ticked; unticking it allows users to stay connected to the RDP session when the tunnel is established, though. The next test is to see if they can actually connect to customer machines.

            Drac

            • stephenw10 (Netgate Administrator)

              It's hard to see how pfSense could differ from any other firewall/router in this setup. I guess your old firewall could have been handing out routing information pointing to local subnets that took priority over the VPN gateway.  :-\

              Steve

              • johnpoz (LAYER 8 Global Moderator)

                Was the previous setup multi-segment? Or were you RDPing to boxes on the same segment? Did the address space change? It's possible the VPN was allowing split tunnel with your previous network space, and now that you're on pfSense you changed the address space?

                Impossible to really speculate with such little info to work with.

                But I agree with stephen - the firewall/router involved has really little to do with what would cause you to lose remote access to a machine that kicks off a VPN connection that is set to use that VPN as gateway.


                • stephenw10 (Netgate Administrator)

                  Yep, that seems likely. The VPN connections were set up to route all traffic with some exceptions for local address space. That address space has now changed, rendering the exceptions useless. Speculation only at this point, of course.

                  Steve

                  • draccusfly

                    Thanks guys, I appreciate the help on this. Just to give you a better idea of the setup:
                    WAN
                    Subnet A 192.168.10.0/22 - this is the local LAN
                    Subnet B 192.168.150.0/24 - DMZ1 - VPN machine 1 connected to this subnet
                    Subnet C 10.10.0.0/24 - DMZ2 - VPN machine 2 connected to this subnet

                    Machines on subnet A RDP to machines on subnets B and C in order to start the VPN tunnel to our customer's site. Machines on subnets B and C should not be able to reach machines on subnet A; however, with the pfSense firewall they do. I am pretty sure on our old firewall this wasn't the case, but I have no way of being 100% sure of this now. What is happening now is that when the tunnel establishes on subnet B or C, the connection to subnet A gets dropped, unless I remove the tick from the "use the VPN gateway" option in the properties of the VPN tunnel. This option has always been ticked previously without any issues. So my thinking is that the issue lies somewhere in the pfSense box's routing?

                    Address space hasn't changed; the only change to our internal system is the firewall.

                    I hope this helps to give you a better idea of my setup?

                    Drac

                    • stephenw10 (Netgate Administrator)

                      Hmm, OK. Has the remote subnet at the customer's end changed? You could be seeing some sort of address conflict there that might explain the changed behaviour.
                      It's hard to explain why it has changed, but not hard to understand what's happening; it's exactly what I'd expect to happen. When you make the VPN connection it pushes a new default route to the client and all traffic is then routed through the tunnel. In those cases you usually still have access to the local subnet, but your RDP clients are not on the local subnet.
                      Is it causing a problem when you untick "use the VPN gateway"? Doing so would likely mean the RDP machines have access only to the remote network in the same subnet as the VPN server and not any remote routed subnets. You could probably push routes to allow that though.

                      By default pfSense will block traffic from an additional interface, such as DMZ1, to the LAN interface. This is only getting through because there are firewall rules in place that allow it. What rules do you have on DMZ1 and 2?

                      Steve

                      • draccusfly

                        I have a couple of inbound NAT rules pointing to other systems on the subnet.  But other than that there is nothing else.  It appears that removing this tick from the VPN connection properties has fixed the issue.  I have had no other negative feedback from our support agents so I have to assume that this change has fixed the issue.

                        Still getting to grips with the system. :)

                        Drac

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.