    Routing single computer to vpn network

    • J
      joulester
      last edited by

      @viragomann:

      So I assume pfSense isn't the default gateway for the vm hosts you want to access. If it isn't, you either have to nat the vpn traffic to LAN address using outbound NAT on pfSense or you have to add static routes to all the hosts you want to reach over vpn.

      I think you have the solution for my problem but I cant seem to make it work. How do I add the static routes?

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        @joulester:

        How do I add the static routes?

        That depends on the specific operating system.
        So if you feed Google with "<your OS> add static route", you will get the howto like:
        https://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx
        http://www.cyberciti.biz/faq/ubuntu-linux-add-static-routing/

        1 Reply Last reply Reply Quote 0
        • J
          joulester
          last edited by

          I use Windows Server 2012 R2. So you mean that I need to set up a static route from the PC to pfSense and not from my other router to pfSense? I do not need to push some ip in the openvpn server?

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            @joulester:

            I do not need to push some ip in the openvpn server?

            You have to enter your LAN subnet 192.168.3.0/24 at "IPv4 Local Network/s" to get this route pushed to the vpn clients.
            However, your LAN hosts will not know the way to the vpn client to send back responses. They will be sent to the default gateway, which is your router. For some connections it will also work to add a static route to the router, but that's not stable.
            So the best solution is to add a static route to each LAN host to send vpn traffic to pfSense.

            If you have just one vpn client or you are not interested in the source address of vpn access, you can also easily get it to work by natting traffic to LAN address at pfSense.

            1 Reply Last reply Reply Quote 0
            • J
              joulester
              last edited by

              Sounds like that it is the NAT solution to go then. Is there any guide or "how to" I can use to manage this?

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                In this setup you have an asynchronous routing problem.. This is always going to have complications…

                Replace your router with pfsense and all your problems go away.  Put it behind your current router if you so wish, you will have a double nat, but it's much easier to work that sort of setup than an asynchronous routing issue when you don't even understand how to add a route to your own devices.


                1 Reply Last reply Reply Quote 0
                • V
                  viragomann
                  last edited by

                  I agree. However, if he doesn't care about the vpn clients IP that access the hosts, NAT is a solution and circumvents asynchronous routing.

                  So go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check hybrid and hit the save button.
                  Add a rule by clicking "+":
                  Interface: LAN
                  Protocol: any
                  Source: <vpn tunnel network>
                  Destination: any
                  Translation: Interface address

                  With this NAT rule you can access any LAN host without special routes, but the source IP seen by the hosts is the pfSense LAN address.

                  1 Reply Last reply Reply Quote 0
                  • J
                    joulester
                    last edited by

                    @viragomann:

                    I agree. However, if he doesn't care about the vpn clients IP that access the hosts, NAT is a solution and circumvents asynchronous routing.

                    So go to Firewall > NAT > Outbound. If it is set to automatic rules configuration, check hybrid and hit the save button.
                    Add a rule by clicking "+":
                    Interface: LAN
                    Protocol: any
                    Source: <vpn tunnel network>
                    Destination: any
                    Translation: Interface address

                    With this NAT rule you can access any LAN host without special routes, but the source IP seen by the hosts is the pfSense LAN address.

                    Thanks, I will try that. But what you are suggesting is that I use my pfSense as default gateway instead of my other router. Is it better in the sense of restricting separate users to find individual PCs on my local network?

                    Like:  User A can find say 192.168.3.201 and 192.168.3.202

                    But user B can only find 192.168.3.201.

                    @johnpoz:

                    In this setup you have an asynchronous routing problem.. This is always going to have complications…

                    Replace your router with pfsense and all your problems go away.  Put it behind your current router if you so wish, you will have a double nat, but it's much easier to work that sort of setup than an asynchronous routing issue when you don't even understand how to add a route to your own devices.

                    I'm here because I'm new to this and am trying to learn. I appreciate advice on how I best can resolve this, and the benefits each solution provides.

                    Your suggestion is that I use only the pfSense router. What benefits will that give in restricting users to find my lan?

                    1 Reply Last reply Reply Quote 0
                    • V
                      viragomann
                      last edited by

                      @joulester:

                      But what you are suggesting is that I use my pfSense as default gateway instead of my other router.

                      This is the suggested way, so you have distinct routing and there is no need for NAT to access your hosts from vpn.

                      @joulester:

                      Is it better in the sense of restricting separate users to find individual PCs on my local network?

                      Like:  User A can find say 192.168.3.201 and 192.168.3.202

                      But user B can only find 192.168.3.201.

                      You can control vpn access at pfSense anyway.

                      But the disadvantage of NAT is that you're not able to determine the vpn client at destination hosts, because the access comes from pfSense's LAN address.

                      1 Reply Last reply Reply Quote 0
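
The reply-path behaviour behind the static-route and outbound-NAT options discussed in this thread (commonly termed asymmetric routing), modelled as an added example that is not code from any poster or from pfSense. Only 192.168.3.0/24 comes from the thread; the router, pfSense, tunnel and client addresses are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing: only 192.168.3.0/24 is from the thread.
LAN = ip.ip_network("192.168.3.0/24")
ROUTER = ip.ip_address("192.168.3.1")      # assumed: existing default gateway
PFSENSE = ip.ip_address("192.168.3.254")   # assumed: pfSense LAN address
TUNNEL = ip.ip_network("10.0.8.0/24")      # assumed: OpenVPN tunnel network
CLIENT = ip.ip_address("10.0.8.2")         # assumed: one VPN client


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway); gateway None means on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def host_routes(static_route=False):
    """Routing table of a LAN host whose default gateway is the other router."""
    routes = [(LAN, None), (ip.ip_network("0.0.0.0/0"), ROUTER)]
    if static_route:
        # The per-host static route: tunnel network via pfSense.
        routes.append((TUNNEL, PFSENSE))
    return routes


def trace(static_route=False, outbound_nat=False):
    """Return (source address the LAN host sees, first hop of its reply,
    whether the reply goes back through pfSense)."""
    # With outbound NAT on LAN, pfSense rewrites the source to its own address.
    seen_src = PFSENSE if outbound_nat else CLIENT
    hop = next_hop(host_routes(static_route), seen_src)
    return seen_src, hop, hop == PFSENSE


if __name__ == "__main__":
    cases = [("no fix", {}),
             ("static route", {"static_route": True}),
             ("outbound NAT", {"outbound_nat": True})]
    for label, kw in cases:
        src, hop, ok = trace(**kw)
        print(f"{label:13} source seen={src} reply via={hop} via pfSense={ok}")
```

The NAT case returns through pfSense because the rewritten source is on-link, which is also why the LAN host's logs show only the pfSense LAN address and not the individual VPN client.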
                      • J
                        joulester
                        last edited by

                        Thanks! Works like a charm. I did the NAT solution but will maybe do the other one later on.

                        1 Reply Last reply Reply Quote 0