Interface Route to local IP
-
Ok, normally Lan3 would go out the WAN to get to the internet, right?
Instead, it would work something like this:
Lan3 -> Lan1 (computer) -> WANI'm Sorry I'm not being very clear.
-
Your being clear – but there is ZERO point to do this... WHY would you want/need to do this - is freaking pointless!!! Are you wanting to run some sort of proxy on this box on lan 1?
What is the point of sending traffic to lan 1 computer to just get to the same internet connection??
-
There is a point, but that's not the issue. Can this be done? How? Where can I find out how to do this?
Thanks. -
Find out how to do what.. Are you running a proxy, are you running a vpn on this box. You have to run something on this box or even if you send it traffic its not going to do anything with it.
Without some understanding of what your trying to accomplish no its not possible…
-
Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host.
LAN1 host would then need to be able to forward those packets on to the internet after you have done whatever you are trying to do.If you are looking at an IDS type solution, I'd highly recommend looking into a switch that can mirror ports (SPAN PORTS) instead.
-
Thanks!
I will give that a try.
I was thinking it was a custom Route, but your suggestion sounds logical. -
instead of being evasive how about telling us what you are trying to do? Routing to the LAN1 host is easy. What it does with the traffic might not be.
Create a gateway on LAN called LAN1_HOST with the IP address of LAN1 Host.
Policy route LAN3 traffic to LAN1 host.
I want it to be routed to the computer on LAN1, and then go to the Gateway.
The and then go to the gateway part is up to that host. What it does with the traffic is outside the scope of the firewall.
Could this be achieved by setting the DHCP default gateway for LAN3 Network to be the IP of LAN1 Host.
No because the LAN1 host is not on the same subnet as the LAN3 hosts. They will have no idea where to send the traffic to get to LAN3 even if they do accept that as the gateway.
-
Under System / Routing / Gateways:
Enabled: LAN1_Host / LAN1 / 192.168.1.4In Firewall / Rules / LAN2, there is no option to specify the Gateway.
:( -
It's under the Advanced options for the rule, I believe.
-
Where did LAN2 come from?
Match the traffic coming into LAN1 and set the gateway under advanced on that rule.
-
Sorry about that - meant to say LAN3
I thought using numbers instead of my assigned names would make it easier for everyone, but instead its just got me confused.
From now on in all my posts (hopefully not many more :)…) I will refer to them by the assigned names so I don't get confused and muck up everything...again.
LAN1 = SIF
LAN2 = THOR
LAN3 = LOKII seem to be having lots of problems with SIF since I changed it from 192.168.1.x to 192.168.4.x as I was doubled-NAT'd. I've since removed that other NAT device and now single NAT'd with pfSense. Therefore, I've set SIF back to 192.168.1.x, but it still seems to be messed up.
The DHCP service on SIF is not talking to anyone. I've posted a message in the HDCP/DNS forum asking for help as I cannot seem to get it working now
https://forum.pfsense.org/index.php?topic=121772.0Maybe once I get that sorted out, my route from LOKI to 192.168.1.4 (Wormhole) will work.
I'm also building a new Wormhole to test with because I can't even PING the old Wormhole no matter what Interface I put it on (if different than the Ping Sender's)
https://forum.pfsense.org/index.php?topic=121748.0Ugh, what I mess I've made…I really do very much appreciate everyone's help!
-
What are you doing dude.. Completely agree with you here
"Ugh, what I mess I've made.."
Do you understand the hairpining that would be going on in this network?? So in going to the internet. Follow your path..
lanPC
To
langw
outlan3gw
Inwormhole
Outwormhole
inlan3gwHow does your traffic expect to get back now?? Because if you don't go through your wormhole its asymmetrical and your firewall will kill any states it sees not traffic on once it hits is timeout, etc..
So yeah what a mess..
Lets try this again - if you actually explain what you want to accomplish we can go over the options of doing it is whatever it is your wanting to do.. Without a borked up pile of crap!!
-
So, two steps forward, one step backwards
My Pi VPN/SSL Client in working on 192.168.1.4 and connects to the VPN/SSL Server just fine.
But…you knew there'd be a 'but'...When I enable the Policy Route and Upstream Gateway, it (the Pi) cannot connect to the VPN/SSL Server anymore.
It just initiates, and then gets a soft reset, and tries again - infinitely...So here's how I implemented Derelict's instructions (the Route was Enabled before when I did the test, as was the upstream gateway):
What did I screw up this time??
-
johnpoz,
I have a WiFi AP (192.168.3.2) on Loki Interface (192.168.3.1)
Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
That data is sent to the OpenVPN/SSL Server somewhere 'out there'My issue is getting Loki WiFi AP connections to the OpenVPN/SSL Client.
That's it in a nutshell
-
Ok, I googled around and found this web site that talks about pretty much what I'm trying to do. They set up the VPN Gateway on the same subnet as all the clients (I didn't think you could do that!)
http://ozcan.com/blog/en/setting-up-vpn-gateway-with-raspberry-piSo I put my Pi on Loki (192.168.3.x) and set it as follows:
IP Address: 192.168.3.3/24
Gateway: 192.168.3.1I set this up in iptables:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEWhile the above web site does not mention the second iptables setting, if I don't include it, the PI randomly aborts the SSH connection.
I then SSH'd into my Pi while on the Loki Interface and verified that the VPN Client was connecting to the VPN Server and working properly (it was)
So then I tried to set up the Pi as the new Gateway for Loki using the following setting in pfSense:
However, now with all that in place, when I'm connected on the Loki Interface, I cannot get to the VPN Server - regular Web Sites don't work either. The Web Browser just reports "No Internet Connection".
I feel like I'm really close. Its probably some setting not right in pfSense.
Thank you all for sticking with me on this - I really do appreciate it!!
Any ideas/suggestions on what I've mis-configured is greatly welcome!!!
-
Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
That data is sent to the OpenVPN/SSL Server somewhere 'out there'So you want your traffic to go to a vpn?? Why would you not just setup this vpn connection in pfsense??? Openvpn client, Policy route = done!! 2 freaking minutes. No asymmetrical routing, no hairpinning, no other boxes/devices needed..
Then you could route any of your segments to this vpn, you could route just specific hosts, you could route just specific dest traffic…
You keep saying openvpn/ssl - and you brought up stunnel in your other thread?? So is this vpn connection a openvpn one or stunnel based? Stunnel will run on pfsense.. Your going down the WRONG PATH trying to setup devices to route to a host on their own network or different local network.. The proper way to do this sort of stuff is at the edge of your network, not internally. if done on some internal box you either end up with a messy hairpins best case or hairpins and asymmetrical routing at best. Even when you do this on a transit network to remove the asymmetrical routing issues you end up hairpinning..
Why can you not just do this the simple easy less complex way by running the vpn connection on pfsense and then policy routing the devices on your network you want to use this vpn connection??
If you have more than 1 public IP you could run it on some other box via a transit network connection to pfsense without hairpin..
-
I'll say it again: OpenVPN over SSL. I don't know how much clearer I can be. Google it.
So, no, its not just 'boom' done in pfSense as there is no web interface for stunnel.
I took the 192.168.3.3 ip address out of the Loki_VPNHost Rule and I am not able to get to the VPN Server from clients connected on that Interface (Loki/192.168.3.x)
I have some DNS issues to address, but it's almost there!
Hopefully you'll never have to hear from me again (ha. fat chance)
-
Well, there are two issues:
-
the VPN won't connect if the LOKI_VPNHOST Rule is active. Once VPN is connected, then I can active that Rule. But if the VPN link goes down, it can't reconnect.
-
The Traffic over LOKI is redirected through the VPN, but the DNS lookup is not. So I need to be able to set the DNS Resolver to go through the VPN link
-
-
I think I have it all working now!!!
I disabled the Gateway rule and just set the gateway for Loki on the DHCP Loki Interface.
I also set the specific DNS servers on that page as well.
The Pi likes it too - no more failed connecting.
Awesome!!!Thanks everyone again for all your help!!!
-
"its not just 'boom' done in pfSense as there is no web interface for stunnel. "
So you seem to be able to do iptables via config file - but stunnel is too hard??
Working as a asymmetrical hairpinning nightmare.. Have fun with that mess!! WTF..
Simple search and here looks to be instructions on bringing up stunnel on pfsense inbound
https://forum.pfsense.org/index.php?topic=109873.0I show newer version here http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/stunnel-5.37,1.txz vs the one in that thread.
Tell you for sure the time need to create this sort of connection would of be a fraction of the mess you have!!
