Netgate Discussion Forum

    Selective Remote Access

OpenVPN
42 Posts 2 Posters 5.9k Views
viragomann

      You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.

      To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.

NasKar

        @viragomann:

        You've set up an "IPv4 Local network" and then you've checked "Redirect gateway". Maybe this interferes.

        To remove the local network uncheck "Redirect gateway" to get the option displayed, then remove the entry and re-check redirect gateway again.

        Still can't access the internet when the VPN is turned on after following your instructions above.  Is there anything else I could show you to help diagnose the problem?

        Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
        2 CPUs: 1 package(s) x 2 core(s)
        AES-NI CPU Crypto: No
        2 Gigs Ram
        SSD with ver 2.4.0
        IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

viragomann

          Plex2 cannot access the internet since you've blocked it in the rules.

          To get internet access change your block rule so that only your internal networks are blocked.
Best practice is to add an alias for all RFC 1918 networks (assuming you use only private networks) and use this in the rule.
          Firewall > Aliases > IP
          Name: RFC1918
          Type: networks
          Add:
          192.168.0.0/16
          172.16.0.0/12
          10.0.0.0/8

Then edit your block rule on PLEX2 and enter the RFC1918 alias as the destination. You should also change the protocol to any. So only access to private IPs will be blocked.

NasKar

            @viragomann:

            Plex2 cannot access the internet since you've blocked it in the rules.

I disabled the block rule on my plex2 interface and reset the states. I still can't get to the internet with the VPN on. If the block rule was the issue, shouldn't it work with the rule disabled?

viragomann

Yes, if you still get no access after disabling the block rule, it couldn't be the cause.

Check the firewall logs for hints about what's blocking the access.
In the log settings you can find the option "Where to show rule descriptions". Here you can set how the rule name is displayed, to get an idea which rule is responsible for the log entry.
Also ensure that the "Log firewall default blocks" options are checked.
And in the firewall rules you should enable logging. Also consider floating rules.

NasKar

I've been trying to figure this out for a while. I've added "redirect-gateway def1" to the client.ovpn. In Status > Firewall Logs, when I try to access a web site it creates a default block on the WAN port. I'm guessing this means there was no rule above it that allowed the traffic to pass through the WAN. My head is spinning. Is it correct that any rules I create to pass this traffic should use the 172.16.2.0/24 virtual address rather than the real address listed on the OpenVPN status page?

viragomann

                  @NasKar:

In Status > Firewall Logs, when I try to access a web site it creates a default block on the WAN port. I'm guessing this means there was no rule above it that allowed the traffic to pass through the WAN.

Yes, that's what it means. But the log entries which matter here are on the PLEX2 interface, not on WAN.
                  You may use the filter option in the GUI to get less noise.

                  @NasKar:

Is it correct that any rules I create to pass this traffic should use the 172.16.2.0/24 virtual address rather than the real address listed on the OpenVPN status page?

Yes, the source address is the client's tunnel IP.

NasKar

I disabled all the block rules on the WAN, Plex2, and OpenVPN interfaces, including Bogons and RFC 1918 networks, but still can't access the internet with the VPN on. Am I correct that it must not be a block problem, and that I'm missing a pass command for the traffic?

viragomann

                      Are the routes on the client set correctly?
Please post the client's routing table.

NasKar

                        @viragomann:

                        Are the routes on the client set correctly?
Please post the client's routing table.

Here is the output of Diagnostics / Routes; ovpns4 is the Plex2 VPN.

                        IPv4 Routes
                        Destination	Gateway	Flags	Use	Mtu	Netif	Expire
                        0.0.0.0/1	172.21.92.1	UGS	137	1500	ovpnc1	
                        default	x.x.x.1	UGS	18	1500	em3	
                        81.171.110.67/32	x.x.x.1	UGS	169422	1500	em3	
                        x.x.x.0/24	link#4	U	99628	1500	em3	
                        x.x.x.x	link#4	UHS	0	16384	lo0	
                        127.0.0.1	link#9	UH	676122	16384	lo0	
                        128.0.0.0/1	172.21.92.1	UGS	18201	1500	ovpnc1	
                        172.16.2.0/24	172.16.2.2	UGS	5139	1500	ovpns4	
                        172.16.2.1	link#14	UHS	199412	16384	lo0	
                        172.16.2.2	link#14	UH	0	1500	ovpns4	
                        172.21.92.0/23	172.21.92.1	UGS	0	1500	ovpnc1	
                        172.21.92.1	link#15	UH	99536	1500	ovpnc1	
                        172.21.92.42	link#15	UHS	0	16384	lo0	
                        192.168.0.0/24	link#3	U	0	1500	em2	
                        192.168.0.1	link#3	UHS	0	16384	lo0	
                        192.168.1.0/24	link#1	U	32974135	1500	em0	
                        192.168.1.1	link#1	UHS	0	16384	lo0	
                        192.168.10.0/24	link#10	U	0	1500	em2_vlan10	
                        192.168.10.1	link#10	UHS	0	16384	lo0	
                        192.168.20.0/24	link#11	U	0	1500	em2_vlan20	
                        192.168.20.1	link#11	UHS	0	16384	lo0	
                        192.168.30.0/24	link#12	U	0	1500	em2_vlan30	
                        192.168.30.1	link#12	UHS	0	16384	lo0	
                        192.168.40.0/24	link#13	U	0	1500	em2_vlan40	
                        192.168.40.1	link#13	UHS	0	16384	lo0	
                        192.168.60.0/24	link#2	U	35513	1500	em1	
                        192.168.60.1	link#2	UHS	0	16384	lo0
                        

                        and the openvpn status routing table

                        ![Routing Table.jpg](/public/imported_attachments/1/Routing Table.jpg)

viragomann

I asked for the routing table of the client's computer.

NasKar

Sorry. I use my iPhone. Any tips on how to get it from the OpenVPN app?

viragomann

                              Don't know.

Check if you're able to access a public host by its IP address. Maybe the iPhone just can't access DNS while the VPN is connected.

On pfSense you can do a packet capture (Diagnostics menu) while you're trying to access an internet IP, to check if the traffic is routed over the VPN.
To do so, select the PLEX2 interface; to avoid noise you can select a particular protocol and port. At Host enter the destination IP and start the capture. Then try to access the destination IP with the iPhone. Stop the capture to see the result.
If you can see packets, select the WAN interface and repeat the capture.
Post the results, please.

NasKar

                                @viragomann:

Check if you're able to access a public host by its IP address. Maybe the iPhone just can't access DNS while the VPN is connected.

https://81.171.110.67/ is the IP that is in the packet capture, and I can't get to that site in my Windows browser (nothing happens). Googling apple.com's IP gives https://81.171.110.52/,
which also doesn't connect, but apple.com does. On the iPhone I get a forbidden error: you do not have permission to access this server.

                                @viragomann:

On pfSense you can do a packet capture (Diagnostics menu) while you're trying to access an internet IP, to check if the traffic is routed over the VPN.
To do so, select the PLEX2 interface; to avoid noise you can select a particular protocol and port. At Host enter the destination IP and start the capture. Then try to access the destination IP with the iPhone. Stop the capture to see the result.
If you can see packets, select the WAN interface and repeat the capture.
Post the results, please.

                                WAN IP capture

                                15:48:34.274662 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
                                15:48:34.275654 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 113
                                15:48:34.275693 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 209
                                15:48:34.275717 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 273
                                15:48:34.283405 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 113
                                15:48:34.283528 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
                                15:48:34.283737 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:34.283781 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 609
                                15:48:34.291524 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:34.292272 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 257
                                15:48:34.292602 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
                                15:48:34.293847 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
                                15:48:34.293875 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
                                15:48:34.293904 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:34.297145 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 241
                                15:48:34.298144 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
                                15:48:34.298473 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:34.302017 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:34.302025 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
                                15:48:34.322702 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:34.342695 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:34.345616 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:34.452554 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:34.456553 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:34.953592 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:34.960886 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:35.454624 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:35.461223 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:35.960584 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:35.965556 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:36.461627 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:36.465892 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:36.895894 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
                                15:48:36.922474 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:36.962547 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:36.970350 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:37.464638 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:37.470561 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:37.966576 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:37.971022 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:38.468652 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:38.474981 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:38.969589 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:38.973443 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
                                15:48:38.973790 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:38.976065 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:38.986435 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:39.470586 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:39.475903 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:39.972605 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:39.980111 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:40.203479 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 353
                                15:48:40.203510 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.209728 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:40.209852 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
                                15:48:40.250434 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:40.365267 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 689
                                15:48:40.365275 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
                                15:48:40.365611 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:40.473600 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:40.480572 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:40.578933 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.578950 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.578965 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.578980 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.586261 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
                                15:48:40.586506 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.587884 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:40.588119 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.637106 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:40.647512 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.647559 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.656345 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
                                15:48:40.674960 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
                                15:48:40.679560 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.730177 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:40.737581 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.737631 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.746043 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
                                15:48:40.786647 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
                                15:48:40.786811 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.821500 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
                                15:48:40.821640 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:40.826996 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
                                15:48:40.846111 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:40.855365 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:40.862065 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:40.874189 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
                                15:48:40.874248 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 113
                                15:48:40.892584 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
                                15:48:40.895565 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:40.924940 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:40.975709 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:40.981283 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:41.004573 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
                                15:48:41.067360 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:41.097216 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
                                15:48:41.476634 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
                                15:48:41.481368 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
                                15:48:41.977559 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97

Plex2 capture: with the host address set it gives nothing; without it, it gives

                                16:04:02.925538 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
                                16:04:03.901359 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
                                16:04:04.909655 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
                                16:04:05.781252 IP 172.16.2.248.55376 > 208.67.222.222.53: UDP, length 42
                                16:04:05.933556 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
                                16:04:07.790472 IP 172.16.2.248.55376 > 208.67.222.222.53: UDP, length 42
                                16:04:11.782673 IP 172.16.2.248.55376 > 208.67.220.220.53: UDP, length 42
                                

Why is 81.171.110.67.1194 on my WAN and not 81.171.110.67.1195, as my VPN server is on port 1195?

                                My settings for Plex2 Capture

                                ![Plex2 Capture Settings.jpg](/public/imported_attachments/1/Plex2 Capture Settings.jpg)

viragomann

                                  @NasKar:

https://81.171.110.67/ is the IP that is in the packet capture, and I can't get to that site in my Windows browser (nothing happens). Googling apple.com's IP gives https://81.171.110.52/,
which also doesn't connect, but apple.com does. On the iPhone I get a forbidden error: you do not have permission to access this server.

                                  ???

                                  Resolving apple.com gives me 17.142.160.59

81.171.110.67 seems to be your own public IP. The WAN capture shows a connection to port 1194.
You're running multiple VPN servers, so this might be a connection to another server.

This capture cannot help to resolve the issue in any way.

NasKar

I have a VPN client running to change my IP address. I didn't recognize the IP address. If I turn off the VPN client I can access the internet while connected to the remote VPN server. Is it possible to run the VPN client and the remote VPN server and still access the internet? Sorry for the confusion, I didn't realize it was an issue.

viragomann

Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

NasKar

                                        @viragomann:

Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

                                        Thanks for hanging in there with me.
I created a rule on the PLEX2 interface, source = any, dst = any, and Gateway = WAN_DHCP gateway, then
an outbound rule: PLEX2 interface, protocol any, network 172.16.2.0/24, dst any, translation Interface Address.
Rebooted and it doesn't work. Any idea what I did incorrectly?

viragomann

Man, outbound NAT rules have to be set on the interface where the packets go out!
So if you want to go out on WAN, the interface has to be set to WAN.
The necessary rule was already set as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392
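
An added example, not part of the thread, that models the explanation above: a longest-prefix lookup over the routes NasKar posted (where the VPN client's 0.0.0.0/1 and 128.0.0.0/1 entries beat the WAN default), a PLEX2 pass rule whose gateway overrides that lookup, and an outbound NAT rule that is only evaluated on the egress interface. The rule sets, the gateway and interface names and the interface addresses are constructed assumptions, not pfSense's own code.

```python
# Added example: models why traffic from the PLEX2 tunnel left via the OpenVPN
# client (ovpnc1) and why an outbound NAT rule bound to PLEX2 never matched.
# Route entries are taken from the table posted in the thread; the rule sets,
# gateway names and interface addresses are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the posted routing table: (destination, gateway, netif).
# "x.x.x.1" is the redacted WAN gateway, exactly as written in the post.
ROUTES = [
    ("0.0.0.0/1",      "172.21.92.1", "ovpnc1"),  # pushed by the VPN client (def1)
    ("0.0.0.0/0",      "x.x.x.1",     "em3"),     # "default" -> WAN
    ("128.0.0.0/1",    "172.21.92.1", "ovpnc1"),  # second half of def1
    ("172.16.2.0/24",  "172.16.2.2",  "ovpns4"),  # PLEX2 OpenVPN server tunnel
    ("172.21.92.0/23", "172.21.92.1", "ovpnc1"),  # VPN client tunnel network
    ("192.168.1.0/24", None,          "em0"),     # directly connected LAN
]

# Constructed mapping of GUI names to kernel interfaces and addresses.
GATEWAYS = {"WAN_DHCP": "em3", "VPN_CLIENT": "ovpnc1"}
INTERFACES = {"PLEX2": "ovpns4", "WAN": "em3"}
INTERFACE_ADDRESS = {"em3": "x.x.x.x", "ovpns4": "172.16.2.1"}


def route_lookup(dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Longest-prefix match over ROUTES. The two /1 routes are more specific
    than 0.0.0.0/0, so every public destination picks ovpnc1, not em3."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return (best[1], best[2]) if best else (None, None)


@dataclass
class FilterRule:
    iface: str              # interface the packet arrives on (GUI name)
    src: str                # source network or "any"
    dst: str                # destination network or "any"
    gateway: Optional[str]  # None = route via the system routing table
    action: str = "pass"


@dataclass
class NatRule:
    iface: str  # egress interface the rule is bound to (GUI name)
    src: str    # source network translated to the interface address


def in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def egress_for(in_iface: str, src: str, dst: str,
               rules: List[FilterRule]) -> Optional[str]:
    """First matching rule wins. A gateway set on the rule is policy routing:
    it overrides the routing table for packets matched on the inbound interface."""
    for r in rules:
        if r.iface == in_iface and in_net(r.src, src) and in_net(r.dst, dst):
            if r.action != "pass":
                return None
            return GATEWAYS[r.gateway] if r.gateway else route_lookup(dst)[1]
    return None  # no rule matched: default deny


def translated_source(egress: Optional[str], src: str,
                      nat_rules: List[NatRule]) -> Optional[str]:
    """Outbound NAT is evaluated on the interface the packet leaves through."""
    if egress is None:
        return None
    for n in nat_rules:
        if INTERFACES[n.iface] == egress and in_net(n.src, src):
            return INTERFACE_ADDRESS[egress]
    return src  # untranslated: a private source leaving WAN gets no reply


CLIENT = "172.16.2.248"   # iPhone tunnel IP seen in the PLEX2 capture
TARGET = "17.142.160.59"  # apple.com as resolved in the thread


def scenario(rule_gateway: Optional[str], nat_iface: str):
    """One pass rule on PLEX2 plus one outbound NAT rule; returns
    (egress interface, source address after NAT)."""
    rules = [FilterRule("PLEX2", "any", "any", rule_gateway)]
    nat = [NatRule(nat_iface, "172.16.2.0/24")]
    egress = egress_for("PLEX2", CLIENT, TARGET, rules)
    return egress, translated_source(egress, CLIENT, nat)


if __name__ == "__main__":
    # No gateway on the rule, NAT only on WAN: routed into the VPN client, untranslated.
    print(scenario(None, "WAN"))          # ('ovpnc1', '172.16.2.248')
    # Gateway WAN_DHCP, but NAT bound to PLEX2: leaves WAN still untranslated.
    print(scenario("WAN_DHCP", "PLEX2"))  # ('em3', '172.16.2.248')
    # Gateway WAN_DHCP and NAT bound to WAN: leaves WAN with the WAN address.
    print(scenario("WAN_DHCP", "WAN"))    # ('em3', 'x.x.x.x')
```

The middle scenario is the configuration NasKar describes in the next post: the policy-routing gateway is correct, but a NAT rule bound to PLEX2 can never match a packet leaving em3.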

NasKar

                                            @viragomann:

Man, outbound NAT rules have to be set on the interface where the packets go out!
So if you want to go out on WAN, the interface has to be set to WAN.
The necessary rule was already set as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

I have everything set up with the Plex2 rule having the WAN gateway, but packet capture still shows the traffic trying to go out the 1194 client VPN instead of the WAN gateway. I even changed all 3 Plex2 rules to use the WAN gateway without success. If the WAN gateway is the default and the rule is set to use the default, why does it need to be specified?

[attachments: Plex2_rules.jpg, WAN_rules.jpg, Outbound_rules.jpg]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.