Netgate Discussion Forum

Selective Remote Access

Category: OpenVPN
42 Posts, 2 Posters, 5.9k Views
NasKar

      I have a VPN client running to change my IP address.  Didn't recognize the IP address. If I turn off the VPN client I can access the internet while connected to the remote VPN server.  Is it possible to run the VPN Client and Remote VPN server and still access the internet?  Sorry for the confusion I didn't realize it was an issue.

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

viragomann

Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

NasKar

          @viragomann:

Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

          Thanks for hanging in there with me.
I created a rule on the PLEX2 interface, source = any, dst = any, and Gateway = WAN_DHCP Gateway, then
an outbound rule: PLEX2 interface, protocol any, network 172.16.2.0/24, dst any, translation Interface Address.
Rebooted and it doesn't work. Any idea on what I did incorrectly?
viragomann

Man, outbound NAT rules have to be set on the interface where the packets go out!
So if you want to go out on WAN, the interface has to be set to WAN.
The necessary rule was already set as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

NasKar

              @viragomann:

Man, outbound NAT rules have to be set on the interface where the packets go out!
So if you want to go out on WAN, the interface has to be set to WAN.
The necessary rule was already set as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

I have everything set up with the Plex2 rule having the WAN gateway, but packet capture still shows traffic trying to go out the 1194 client VPN instead of the WAN gateway. I even changed all 3 Plex2 rules to use the WAN gateway without success. If the WAN gateway is the default and the rule is set to use the default, why does it need to be specified?

Attachments: Plex2_rules.jpg, WAN_rules.jpg, Outbound_rules.jpg
viragomann

I wrote above that you have to clarify where you want to route out the upstream traffic from the PLEX2 client. If you haven't specified a gateway, the traffic is routed to the default gateway, and this is obviously the VPN client if it's connected. So the packets are routed to the VPN client, but in fact you have no outbound NAT rule for that, so the packets get dropped there, because there is no route back for that source.

If you want the traffic to route out to WAN while the VPN client is the default gateway, you have to specify the WAN gateway in the rule.
If you want to go out to the default gateway, there's no need to specify a gateway in the rule, but you have to add an outbound NAT rule for that.

NasKar

                  @viragomann:

I wrote above that you have to clarify where you want to route out the upstream traffic from the PLEX2 client. If you haven't specified a gateway, the traffic is routed to the default gateway, and this is obviously the VPN client if it's connected. So the packets are routed to the VPN client, but in fact you have no outbound NAT rule for that, so the packets get dropped there, because there is no route back for that source.

If you want the traffic to route out to WAN while the VPN client is the default gateway, you have to specify the WAN gateway in the rule.
If you want to go out to the default gateway, there's no need to specify a gateway in the rule, but you have to add an outbound NAT rule for that.

1. I have specified the WAN gateway in the PLEX2 rule, so have I satisfied the "you have to specify the WAN gateway in the rule"?
2. If I have satisfied #1, then the problem is not specifying an outbound NAT rule. Can you give me an example of an outbound rule that would work? There are not many options after Interface and Source address. Interface must be WAN, the Source is my 172.16.2.0/24 VPN tunnel network, destination is any as it could be anywhere on the internet.
viragomann

                    @NasKar:

1. I have specified the WAN gateway in the PLEX2 rule, so have I satisfied the "you have to specify the WAN gateway in the rule"?

If you intend that PLEX2 upstream traffic goes out on the WAN interface independently of the VPN client connection, that's okay.

                    @NasKar:

2. If I have satisfied #1, then the problem is not specifying an outbound NAT rule. Can you give me an example of an outbound rule that would work? There are not many options after Interface and Source address. Interface must be WAN, the Source is my 172.16.2.0/24 VPN tunnel network, destination is any as it could be anywhere on the internet.

Again, you've already set an outbound NAT rule for PLEX2 on the WAN interface. The first rule shown in the picture here: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

                    Outbound NAT:
When a packet goes out to WAN, the packet's source address has to be translated to one of your public addresses, mostly the WAN (interface) address, because only public addresses are known on the internet, which is necessary to route the responses back to you.
So you have to set in the rule:
interface: WAN
source: here the tunnel subnet 172.16.2.0/24
All other options may stay on their defaults. So the protocol and destination are any, and the translation address is "interface address", which is your WAN address.

Is this really that hard?

NasKar

I have the outbound rule as: Interface WAN, source 172.16.2.0/24, all other options at default.

If I have a rule on the Plex2 interface, source any, destination any, gateway default, I can access my local LAN servers but not the internet. If I change the default gateway to the WAN, I can access the internet but not any of the LAN servers.
NasKar

                        @viragomann:

If you intend that PLEX2 upstream traffic goes out on the WAN interface independently of the VPN client connection, that's okay.

If I change the gateway on the Plex2 rule from WAN to default, I can't get out to the internet. Not sure why default doesn't work, but it still works with the gateway as WAN.

Had to add a path back to the LAN when I connect as the USER so I could access the other servers. All others in the Plex-only alias can only connect to the Plex Server and the internet through the WAN gateway.

Here are the final Plex2 rules. Thanks again for your help.

![Final Plex2.jpg](/public/imported_attachments/1/Final Plex2.jpg)
viragomann

                          @NasKar:

If I change the gateway on the Plex2 rule from WAN to default, I can't get out to the internet. Not sure why default doesn't work, but it still works with the gateway as WAN.

I've mentioned that behaviour and the solution already twice,
here: https://forum.pfsense.org/index.php?topic=132341.msg733209#msg733209
and here: https://forum.pfsense.org/index.php?topic=132341.msg732814#msg732814

So what are the troubles with that?

If your VPN client connection is up, the packets go out over this connection when there's no gateway specified in the appropriate rule. So you also need to add an outbound NAT rule for this traffic (on the VPN client's interface!). How to do that, I've described here: https://forum.pfsense.org/index.php?topic=132341.msg733440#msg733440

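To make the two points of this thread concrete (outbound NAT belongs on the interface the packets leave on, and the PLEX2 rule needs an explicit WAN gateway only when the VPN client holds the default route, plus an earlier rule without a gateway so LAN traffic stays local), here is the equivalent in pf syntax as an added illustration. It is not pfSense's generated ruleset or anything posted in the thread; the interface names, the gateway address and the LAN subnet are assumed placeholders, and only the tunnel network 172.16.2.0/24 comes from the discussion.

```pf
# Added illustration of the pf rules pfSense would express the thread's
# final configuration as. All names below are assumptions except the tunnel
# network 172.16.2.0/24, which is the one named in the thread.
wan     = "em0"           # WAN interface (assumed)
plex2   = "ovpns2"        # OpenVPN server instance assigned as PLEX2 (assumed)
vpnc    = "ovpnc1"        # OpenVPN client that owns the default route while up (assumed)
wan_gw  = "192.0.2.1"     # WAN_DHCP gateway, documentation placeholder address
lan_net = "192.168.1.0/24" # local LAN with the other servers (assumed)
tunnel  = "172.16.2.0/24"  # PLEX2 tunnel network (from the thread)

# --- Outbound NAT: set on the interface the packets LEAVE on ---
# Case A (the thread's final setup): PLEX2 clients are policy-routed to WAN,
# so their tunnel source address is translated to the WAN address on WAN.
nat on $wan  inet from $tunnel to any -> ($wan)
# Case B: PLEX2 clients follow the default route, which is the VPN client
# while it is up. Without this rule the packets leave via $vpnc untranslated,
# the far end has no route back to 172.16.2.0/24 and they are dropped.
nat on $vpnc inet from $tunnel to any -> ($vpnc)

# --- PLEX2 interface rules, evaluated first match wins (quick) ---
# 1. The "path back to the LAN": no gateway here. A route-to rule would push
#    LAN-bound packets to the WAN gateway and they would never reach $lan_net.
pass in quick on $plex2 inet from $tunnel to $lan_net keep state
# 2. Everything else is forced out via WAN regardless of the VPN client.
#    Omitting route-to would follow the default route, i.e. Case B above.
pass in quick on $plex2 route-to ($wan $wan_gw) inet from $tunnel to any keep state
```

On a live box the generated equivalents can be compared with `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules) to confirm the NAT rule sits on the interface the traffic actually exits.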
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.