Multi-LAN
-
The first rule with destination WAN Address is the problem. That is only allowing traffic with a destination of your particular public IP on WAN, which is not so interesting for LAB clients to browse ;) They probably also want to get to destinations like google.com pfsense.org and so on. Change that rule to destination any (*) and LAB net will get full access.
(Of course you can design a set of restricted pass rules to only allow access to certain public IPs, certain ports… but that is a whole lot more complex than allowing destination any) -
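To make the point concrete, here is an added toy model (example code, not from this thread or from pfSense itself) of how a pfSense interface evaluates its pass rules first-match-wins, run against the LAB rule as it was first configured and after the fix; the public WAN IP and the LAB client address are constructed for the demo.

```python
# Added example (not from the forum thread): a toy model of how pfSense evaluates
# pass rules on an interface, to show why "destination: WAN address" lets LAB
# clients reach only the firewall's own public IP, while "destination: any"
# gives them general internet access. Addresses below are constructed.
from ipaddress import ip_address, ip_network

WAN_ADDRESS = ip_address("203.0.113.10")   # constructed public IP on WAN
LAB_NET = ip_network("192.168.5.0/24")      # LAB subnet as given in the thread


def matches(target, addr):
    """Match a rule's source/destination field against an address.

    "any" matches everything, "WAN address" matches only the firewall's own
    WAN IP, and anything else is treated as a CIDR network.
    """
    if target == "any":
        return True
    if target == "WAN address":
        return addr == WAN_ADDRESS
    return addr in ip_network(target)


def first_match(rules, src, dst):
    """pfSense rules are 'quick': the first matching rule decides the packet.
    No match at all means the implicit default deny."""
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["action"]
    return "block (default deny)"


# The LAB rule as first configured: pass LAB net -> WAN address
lab_rules_before = [{"action": "pass", "src": str(LAB_NET), "dst": "WAN address"}]
# The same rule after the suggested fix: destination any (*)
lab_rules_after = [{"action": "pass", "src": str(LAB_NET), "dst": "any"}]


def lab_client_results(rules):
    """What happens to a LAB client's traffic to the WAN IP and to a public
    resolver (8.8.8.8 is the address later suggested for a ping test)."""
    client = ip_address("192.168.5.20")   # constructed LAB client
    return {
        "to WAN address": first_match(rules, client, WAN_ADDRESS),
        "to 8.8.8.8": first_match(rules, client, ip_address("8.8.8.8")),
    }


if __name__ == "__main__":
    print("before:", lab_client_results(lab_rules_before))
    print("after: ", lab_client_results(lab_rules_after))
```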
Dear Phil,
thank you for your help, I've edited the rule, however it still doesn't allow me to get to the internet.
Any more suggestions please?
Also I've noticed today that when I am connected with the VPN, I can't reach the machines behind the WAN.
I've created rules from the OPENVPN to the WAN to allow any, but still can't reach the WAN or ping them.
I believe for PING I need to allow ICMP from OPENVPN toward WAN, but the ping isn't really important; what is important is reaching the machines behind it! -
It is time to post a network diagram - I think we are misunderstanding something.
Does WAN go directly to the real internet? or is it attached to some other "real" LAN that then gets to the internet?
Does traffic from pfSense LAN devices get out through pfSense WAN OK?
Can you ping to the internet (like 8.8.8.8) from pfSense itself?
"also I've noticed today is when I am connected with the VPN, I can't reach the machines behind the WAN."
I don't quite understand what you mean by "behind the WAN"? Do you mean machines in LAN and LAB?
Post more detail of your OpenVPN server config - what is in "Local Network/s" and your OpenVPN rules… -
Dear Phil,
Internet >>>> ISP Gateway >>>> PFSENSE with 3 NICs
PFSENSE >>>> NIC1 192.168.2.X
PFSENSE >>>> NIC2 (LAN) 192.168.4.X
PFSENSE >>>> NIC3 (LAB) 192.168.5.X
So when the VMs are configured to use the LAB NIC as gateway they can't browse to the internet, don't know yet why!
When the VMs are configured to use the LAN NIC as gateway the internet works fine, no issues!
I have configured the Tunnel Subnet to use 192.168.200.0/24, so when my VPN client is connected with VPN it receives 192.168.200.x as IP; after that it can reach all the VMware machines behind NIC2/NIC3 of pfSense, but not the machines behind NIC1 like my ISP gateway.
Waiting for your answer,
thank you so much -
For reaching devices on the private part of the WAN (192.168.2.x) , you will need to include that in Local Network/s on the OpenVPN server settings, so the OpenVPN client receives a route to it.
Your LAB settings should work! Automatic Outbound NAT should NAT anything from LAN, LAB and OpenVPN tunnel when going out WAN. Look in /tmp/rules.debug for <tonatsubnets> - there should be a list including LAN, LAB and OpenVPN tunnel.
I can't think what to change next, so post screenshots of your rules now, and an "ifconfig" or "ipconfig /all" of a LAB client. -
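As an added illustration of the check suggested above (example code, not from the thread or from pfSense), this parses the <tonatsubnets> table out of a rules.debug excerpt and reports which of the thread's internal subnets are not covered by Automatic Outbound NAT; the excerpt is constructed for the demo and deliberately leaves LAB out so the gap shows up.

```python
# Added example (not from the thread): check the <tonatsubnets> table that
# pfSense writes into /tmp/rules.debug for Automatic Outbound NAT against the
# internal subnets named in the thread. The rules.debug excerpt below is
# constructed for the demo; a real file is much longer.
import re
from ipaddress import ip_network

# Constructed excerpt in the shape of the real file: one pf table line plus the
# automatic NAT rules that reference it. LAB is intentionally missing.
RULES_DEBUG = """\
# Automatic outbound NAT
table <tonatsubnets> { 192.168.4.0/24 192.168.200.0/24  }
nat on $WAN inet from <tonatsubnets> to any port 500 -> 203.0.113.10/32 port 500 static-port
nat on $WAN inet from <tonatsubnets> to any -> 203.0.113.10/32 port 1024:65535
"""

# What the thread expects to be NATed out WAN: LAN, LAB and the OpenVPN tunnel
EXPECTED = {
    "LAN": ip_network("192.168.4.0/24"),
    "LAB": ip_network("192.168.5.0/24"),
    "OpenVPN tunnel": ip_network("192.168.200.0/24"),
}


def parse_tonatsubnets(text):
    """Return the networks listed in the <tonatsubnets> table, or [] when the
    table line is absent (for example when Outbound NAT is in manual mode)."""
    m = re.search(r"table <tonatsubnets> \{([^}]*)\}", text)
    if not m:
        return []
    return [ip_network(tok) for tok in m.group(1).split()]


def missing_nat_subnets(text, expected=EXPECTED):
    """Names of expected subnets not covered by any table entry. A subnet
    counts as covered if some listed network contains it."""
    listed = parse_tonatsubnets(text)
    return sorted(
        name for name, net in expected.items()
        if not any(net.subnet_of(listed_net) for listed_net in listed)
    )


if __name__ == "__main__":
    print("listed:", [str(n) for n in parse_tonatsubnets(RULES_DEBUG)])
    print("missing:", missing_nat_subnets(RULES_DEBUG))
```

On a live box the same check would be run over the real /tmp/rules.debug contents instead of the constructed string.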
Dear Phil,
Do you mean creating rules on both sides (LAB+LAN) to allow access to the WAN subnet? -
Sorry, I was off-line for a while - had a major fibre cut here, and ISPs don't have working failover!
I think your LAN and LAB firewall rules already have rules that allow general internet access, and that will include to the WAN-side private IP address subnet. You would also need a rule/s on the OpenVPN tab to permit traffic to the WAN-side network. But I think those are already there?
The main thing I suspect is that the OpenVPN server "Local Network/s" box needs to have the full list of LAN, LAB and WAN-side private subnets specified so that routes are given to the OpenVPN client.
Post some OpenVPN settings and rules, and the definition of <tonatsubnets> from /tmp/rules.debug -
Dear Phil,
Thank you so much for your help once again.
Attached are screenshots from a LAB client and the VPN rules.
Please note: LAB-LAN isn't attached to a physical NIC, as shown on the screenshots.
Waiting for your answer
-
The first rule is allowing everything on that side to everything, no need for the second rule.
-
Do you mean removing the second rule would allow the connection to the WAN over the VPN?
-
I mean that the second rule is redundant, since the first rule is already allowing anything anywhere on that interface.
-
I was thinking the same, however the client still cannot reach the WAN from the VPN, and also not the internet.
Any more suggestions please?