Firewall rules for two openvpn clients
-
Hello everyone. I just started using pfsense this past weekend and am really loving it. I am using this in a home environment. I have a fairly rudimentary understanding of networking but have a tendency to get lost if things get too complicated.
Here is my situation. I have 1 wan, 1 lan, and 2 vpn connections (opt 1 + opt 2). opt 1 connects to a European VPN and opt 2 connects to a US VPN. My goal is to have all traffic on my LAN except one computer (sheevaplug) connect through the US VPN. I would like the sheevaplug, and the sheevaplug only, to connect to the European VPN.
I can get IP addresses for both VPNs and all computers can connect to the internet, resolve names, and ping each other. However, I am not sure (more about this later) that the sheevaplug computer is running through the European gateway. This is because when I do something like
curl ifconfig.me/ip
I get the US address. However, if I go to google.com and type "ip address" in the search bar I get the European address returned. If I go to my VPN provider's homepage it tells me that I have the European address. All other IP address lookup type services show the US address. I'm kind of stumped. Just for completeness' sake, I only get the US address showing up on other computers (even google and my VPN provider) as expected.
I have set NAT by deleting all rules, selecting auto -> save -> selecting manual -> save. This autogenerates rules for me. I have only set firewall rules on the LAN tab (I have attached these). If someone could tell me whether my rules look good and why I am getting different IP address lookup results I would appreciate it. Also, if I need other rules or to modify NAT, etc.
Thanks!
-Bob
![Screenshot - 011314 - 20:27:47.png](/public/imported_attachments/1/Screenshot - 011314 - 20:27:47.png)
-
Hi Bob,
I've just setup a similar configuration.
In my case, I want to route most of my traffic through a London VPN gateway, one machine through the Netherlands VPN (as it supports port forwarding) and one machine has to go through my WAN connection (for work VPN access).
Basically, I've created two aliases:
BYPASSVPN
PORTFORWARD
One contains the IP address of my work machine, and the other contains the IP address of my media box.
You don't have to use aliases, but I figured it would be easier if I ever wanted to add extra machines.
I also set NAT, by deleting existing manual rules, switching to automatic and saving and then back to manual again and saving.
In my screenshots below, you'll see an extra set of RULES for the alias ROUTER. You can ignore them. That's just me trying to solve another problem (I want to ensure that any traffic from the router itself goes via the NL VPN so that it can run the port-forwarding script).
I think where you are falling down is with your firewall rules.
I've attached an image of mine, and this works perfectly. My media server uses the Netherlands VPN, my work machine uses the WAN and everything else goes to the London VPN.
Remember that the ordering of rules is important (going top to bottom). Once you get a match, the other rules are ignored.
Hope this helps,
Andy.
-
Andy:
Do you have any other rules in your other interface tabs?
As a side note, I was basically able to get what I wanted by adding another NIC to my pfSense box and setting up a second LAN (LAN1). I then connected only my sheevaplug to this second LAN and added a rule on that interface that all traffic is to go through the European VPN. This worked. My other computers all use the US VPN while the sheevaplug uses the European VPN.
However, this does not completely solve my problem because I would like to have one computer on my first LAN (like your situation) to just go through the WAN gateway. I set up a rule just like you have it, at the top of the LAN section, but it doesn't seem to work. However, that computer still gets routed through the US VPN. I am at work now but will post a picture of my rules tonight when I get home.
Thanks for your time and response.
-
Hi Bob,
No other rules in the other interface tabs. PIAVPNLONDON, PIAVPNNL and OpenVPN are all empty.
There are two rules in the WAN tab, which are 'Block private networks' and 'Block bogon networks', both of which were there by default.
Simply creating the rule wasn't enough to get it working. I had to create the second set of NAT rules to cover the PIAVPNNL interface.
Once I did that, it all sprang into life. I did have to disconnect and reconnect the VPNs, though.
I've also found that you sometimes need to reboot the box in order to get the results you expected.
Andy.
-
Well, it turns out that my problem is not necessarily one that is exclusively related to two different VPNs but rather two gateways. I can't seem to figure out how to make one (or more) IPs access a specific gateway and the remaining ones access another.
I have tried attacking this from many different angles but just can't seem to get the desired behavior. My current desire is this:
All IPs except one on LAN to go through VPN. The other IP should always go through WAN.
The weird thing is that if I do a traceroute on the expected non-vpn client the starting position is my WAN ip. However, when I go to ip address lookup sites it shows the VPN address.
Also, if I do an IP check from the pfSense box it always shows the VPN address (I don't know if this is normal/expected or not). I have a sneaking suspicion that I don't really want this behavior. I should note that I have the WAN gateway selected as the default gateway. Also, the LAN to LAN1 rule is there because I think I need it for these two subnets(?) to talk to each other.
Any ideas or suggestions as to what I can do to debug this? Thanks!
![firewall rules wan out.png](/public/imported_attachments/1/firewall rules wan out.png)
-
Your rules look good. Is it just that you need to clear some cache in the browser so it really goes to the "checkip" sites again?
> Also, the LAN to LAN1 rule is there because I think I need it for these two subnets(?) to talk to each other.
Yes, that is correct. That rule will let the LAN to LAN1 traffic pass through to the ordinary routing table. Without that rule, it would match one of the policy-routing rules and get forced out the WAN or VPN.
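To make the ordering point from both replies concrete (the "top to bottom, first match wins" rule and the LAN-to-LAN1 pass rule that must sit above the policy-routing rules), here is an added illustration in the pf syntax that pfSense writes to /tmp/rules.debug. It is not taken from the thread or from pfSense itself; the interface names, subnets, gateway addresses and the BYPASSVPN host are all assumed values.

```pf
# Added example (assumed names/addresses) of a pf ruleset for this thread's setup.
# pf on pfSense evaluates "quick" rules first-match, so order decides the gateway.
wan_if  = "em0"
lan_if  = "em1"             # LAN  192.168.1.0/24 (assumed)
lan1_if = "em2"             # LAN1 192.168.2.0/24 (assumed, sheevaplug only)
us_vpn  = "ovpnc1"          # US VPN tunnel interface
eu_vpn  = "ovpnc2"          # European VPN tunnel interface
wan_gw  = "203.0.113.1"     # assumed ISP gateway (documentation range)
us_gw   = "10.8.0.1"        # assumed tunnel-side gateways
eu_gw   = "10.9.0.1"
table <BYPASSVPN> { 192.168.1.50 }   # the one LAN host that must stay on the WAN

# Outbound NAT on every egress interface (what the auto -> manual NAT step generates).
# Translation rules must precede filter rules in pf.conf.
nat on $wan_if inet from 192.168.1.0/24 to any -> ($wan_if)
nat on $us_vpn inet from 192.168.1.0/24 to any -> ($us_vpn)
nat on $eu_vpn inet from 192.168.2.0/24 to any -> ($eu_vpn)

# 1. LAN <-> LAN1: no route-to, so the packet falls through to the ordinary routing
#    table. Placed ABOVE the policy-routing rules, otherwise rule 3/4 would match
#    first and force the traffic out a tunnel.
pass in quick on $lan_if  inet from 192.168.1.0/24 to 192.168.2.0/24 keep state
pass in quick on $lan1_if inet from 192.168.2.0/24 to 192.168.1.0/24 keep state

# 2. The bypass host is policy-routed to the WAN before the catch-all VPN rule.
pass in quick on $lan_if inet from <BYPASSVPN> to any route-to ($wan_if $wan_gw) keep state

# 3. Everything else on LAN leaves via the US VPN.
pass in quick on $lan_if inet from 192.168.1.0/24 to any route-to ($us_vpn $us_gw) keep state

# 4. LAN1 (the sheevaplug) leaves via the European VPN.
pass in quick on $lan1_if inet from 192.168.2.0/24 to any route-to ($eu_vpn $eu_gw) keep state
```

Swapping rule 1 below rule 3 reproduces the symptom described in the thread: LAN-to-LAN1 packets match the catch-all and are sent into the tunnel instead of being routed locally.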
-
I will try clearing the cache when I get home though I don't think this is the culprit because if I stop the VPN service altogether these sites then show my expected WAN ip. If this doesn't solve the issue I will post my routing table and the results from traceroute if that will help.
As a side note, I have read multiple posts about doing this sort of thing and everything basically points to the usage of the basic firewall rules I have posted. I am starting to think that maybe a setting somewhere got messed up and a reinstall would help. I, however, really would prefer not to do this as it is fairly time consuming and of course it means I have no internet in my house, which makes for an unhappy wife and kids ;D
I can also post firewall rules debug output if that will help. Thanks!!!!
-
Clearing the cache did not work. However, I think I have found a kind of dirty, not satisfying fix. I am definitely not sure about some of this stuff so take it for what it's worth. My main intention in posting this is to hopefully help someone else or spur a more satisfactory solution to my problem.
I think (always a cause for concern) that when the openvpn client connection was established it created a default route at the very beginning of the routing table. This was causing everything to be routed through that VPN. When two VPNs were in use, whichever was the last one up ended up creating this route. My potential solution for this problem is that I have added an extra config parameter in the vpn client additional config text box
route-nopull
This apparently does this:
--route-nopull
When used with --client or --pull, accept options pushed by server EXCEPT for routes.
When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that
this option still allows the server to set the TCP/IP properties of the client's
I put this config in and restarted my pfSense box. When it came back up I got the expected IP for my non-vpn computer from whatismyip type sites. I also pulled my WAN IP from the shell of the pfSense box. However, when I query my IP for other computers on my LAN which, according to my rules, were supposed to be using the vpn, I get the WAN IP address again. However, when I do a traceroute from these computers the first hop is the VPN internal IP (10.*****). This suggests to me that these computers are actually using the vpn tunnel. This is the exact opposite behavior I was having before (where traceroute showed the WAN connection on the first hop but IP sites showed the VPN IP). This reverse problem is preferable in my case because I think I am actually connected to the vpn on the expected computers and therefore I have solved speed type issues (ISP traffic shaping) with netflix, as I don't care if my IP is exposed. Moreover, there are sites that I belong to that don't allow you to access them through a vpn, and now I don't have to worry about that on my expected non-vpn computer.
When I think out loud I wonder if there is an IP detection problem with certain IP sites that is exposed when the vpn client is run from the router instead of on an individual computer. On the other hand, I have not had an issue with the correct IP being displayed on LAN1. Are there perhaps different default rules for LAN vs. additional interfaces (i.e. LAN1)? That would account for this.
If you have stuck with this far I am amazed and apologize for the at times incoherent ramblings of a pfSense newb :)
-
> Are there perhaps different default rules for LAN vs. additional interfaces (i.e. LAN1)?
There is nothing different about LAN or LAN1 rules. On LAN you get the "allow all" rule added for you in the default config, but you can see that and modify or delete it as you wish. There is nothing extra behind the scenes like that.
The only things you don't see on the rules page (that I can think of) are:
- Block RFC1918 networks (if that is enabled on an interface)
- Block bogon networks (if that is enabled on an interface)
- System, Advanced, Networking, uncheck "Allow IPv6" - there will be a block all IPv6 rule behind the scenes
- DHCP enable - behind the scenes rules added to allow DHCP port numbers from the interface subnet to the interface IP
You can always look in /tmp/rules.debug to see the complete pf ruleset in use.
Hmmm - it would be nice to have a GUI display that shows all the rules being applied on an interface, so admins can easily see what other options have been (un)checked somewhere and the effect they are having.
-
Problem solved. My setup of Squid proxy was causing a conflict. I had the interface set to LAN which caused the issue. Thanks to those who helped!