Netgate Discussion Forum
    VPN Appliance Setup

    Category: Routing and Multi WAN
    7 Posts 3 Posters 1.6k Views

    jwellner

      We have a pfsense bucket that is acting as an OpenVPN server appliance and I can't seem to get the routing and gateways right.  This box needs to work with existing gateways on other devices: WAN 169.204.240.1 and LAN 172.16.0.1.

      When I go to create the gateway for the LAN with the IP of 172.16.0.1 it actually bounces one of our file servers offline.  This is when I figured out that it was trying to act as the default gateway and compete with it.

      If I delete the LAN gateway, file server is happy, but the OpenVPN clients go nowhere and the box is unable to ping things on the other internal VLANs.

      What am I doing wrong…?

      (attached network diagram..)

      ![pfsense problem.jpg](/public/imported_attachments/1/pfsense problem.jpg)

        thetallkid

        The quality of your diagram is low, so it's hard to understand your network layout.

        Is pfsense placed between the ISP modem and the rest of your network?

          heper

          you shouldn't create a gateway for your lan interface.

          what vlans? your diagram shows no vlans. is the pfsense routing the vlans or are there other routers doing that?
          what do you mean by "OpenVPN clients go nowhere" ?

          please provide more info, so we get a clear picture of what/where/how

            jwellner

            Thank you guys for the replies!

            Let me take another stab at the diagram…

            Internet
                |
            Cisco ASA
                |
            DMZ / Public IP Space
                |
                +-------------------+
                |                   |
            Proxy Firewall       pfSense
                 \                 /
                  \               /
                   Internal Network
                         |
                   172.16/17 VLAN
                   |      |      |
              172.17/17  .18/17  .20/17  etc.  VLANs

            This is a school district network connection, so we have a 1GB fibre connection coming into the Cisco ASA firewall and then the output from that is going into a DMZ switch so we can put publicly facing services there.  Our public IP space is 169.204.240.0/25.

            The pfSense box is connected into that DMZ switch with an IP of 169.204.240.7 and then is plugged into the internal network switch with an IP of 172.16.1.51.

            We have core switching and routing handled by other things on the network, and the role of the pfSense box is purely for its OpenVPN server and appliance behavior.

            OpenVPN clients would connect but then not have a route to parts of the internal network.

            So I understand I don't need a gateway for the LAN and that's a very bad thing; however, I don't understand how to assign a route to the LAN interface then, because it would only let me assign to the WAN gateway.

              thetallkid

              Why do you need 3 firewalls? Pfsense can be your main firewall, do VPN and be a proxy. Your setup is more complicated than it needs to be in terms of the amount of hardware you have in place.
              I would recommend centralization. It is easier to manage all of those services from one device instead of the 3 you have at the moment.

                jwellner

                Oh, I'm fully aware of that.  However, that isn't in my power to adjust, and besides, this is a temporary solution until our redesign goes live in January.

                Tis the rules I'm working under.  Can't change all of that.

                  heper

                  in your case there is no point in assigning a gateway for the lan interface afaik.

                  all you'd have to do is add static routes (for your various lan subnets) pointing towards your core-switch-router-thing, that sits internally on your lan and handles the routes.
                  on your core-switch-routing-thing, you'd need a route (for your openvpn-tunnel-network) pointing to pfsense.

                  Of course you could also choose not to do all this manually and use a dynamic routing protocol, like OSPF, RIP, … to add the routes for you.

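The two static routes heper describes (pfSense sends the VLAN subnets to the core router; the core router sends the OpenVPN tunnel network back to pfSense) can be checked on paper before touching the box. The following is an added example, not code from the thread or from pfSense: a small longest-prefix-match routing model of the layout in the thread, using the addresses the posts give (pfSense WAN 169.204.240.7 with gateway 169.204.240.1, LAN 172.16.1.51, core router 172.16.0.1, VLANs 172.17/17, 172.18/17, 172.20/17). The interface names and the tunnel network 10.8.0.0/24 are constructed placeholders, since the thread never states them. Tracing a packet from a VPN client to a VLAN host, and the reply on its way back, shows why the clients "go nowhere" without the routes (pfSense falls back to its WAN default route) and why both sides need a route for the path to be symmetric.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match routing table for one router."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # entries are (network, gateway or None, interface)

    def add_connected(self, network, iface):
        """Directly attached subnet: no next hop, deliver on iface."""
        self.routes.append((ipaddress.ip_network(network, strict=False), None, iface))

    def add_static(self, network, gateway):
        """Static route; the next hop must sit on a subnet this router is connected to."""
        gw = ipaddress.ip_address(gateway)
        iface = self.connected_iface(gw)
        if iface is None:
            raise ValueError(f"{self.name}: next hop {gw} is not on any connected network")
        self.routes.append((ipaddress.ip_network(network, strict=False), gw, iface))

    def connected_iface(self, addr):
        for net, gw, iface in self.routes:
            if gw is None and addr in net:
                return iface
        return None

    def lookup(self, dst):
        """Return (network, gateway, iface) for the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for route in self.routes:
            net = route[0]
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = route
        return best


TUNNEL_NET = "10.8.0.0/24"  # constructed placeholder; the thread never states the tunnel network


def build_topology(with_static_routes=True):
    """pfSense and the core router as described in the thread; returns {name: table}."""
    pf = RoutingTable("pfsense")
    pf.add_connected("169.204.240.0/25", "wan")    # pfSense WAN address is 169.204.240.7
    pf.add_connected("172.16.0.0/17", "lan")       # pfSense LAN address is 172.16.1.51
    pf.add_connected(TUNNEL_NET, "ovpns1")         # OpenVPN server tunnel network (placeholder name)
    pf.add_static("0.0.0.0/0", "169.204.240.1")    # default route via the ASA, the only gateway pfSense needs
    core = RoutingTable("core")
    core.add_connected("172.16.0.0/17", "vlan16")  # the core router is 172.16.0.1 on this VLAN
    for vlan in ("172.17.0.0/17", "172.18.0.0/17", "172.20.0.0/17"):
        core.add_connected(vlan, "vlan" + vlan.split(".")[1])
        if with_static_routes:
            pf.add_static(vlan, "172.16.0.1")       # heper's first step: LAN subnets via the core router
    if with_static_routes:
        core.add_static(TUNNEL_NET, "172.16.1.51")  # heper's second step: tunnel network via pfSense
    return {"pfsense": pf, "core": core}


# Which modelled router owns each next-hop address; anything else leaves the model.
NEXT_HOP_OWNER = {"172.16.0.1": "core", "172.16.1.51": "pfsense"}


def trace(tables, start, dst, max_hops=8):
    """Follow the forwarding decision hop by hop; returns (routers visited, exit)."""
    hops, here = [], start
    for _ in range(max_hops):
        hops.append(here)
        route = tables[here].lookup(dst)
        if route is None:
            return hops, None                       # no route at all
        _net, gw, iface = route
        if gw is None:
            return hops, iface                      # delivered onto the connected subnet
        owner = NEXT_HOP_OWNER.get(str(gw))
        if owner is None:
            return hops, f"{iface}->{gw}"           # handed to a device outside the model (the ASA)
        here = owner
    return hops, None


if __name__ == "__main__":
    good = build_topology()
    print(trace(good, "pfsense", "172.18.5.10"))   # VPN client -> host on the 172.18/17 VLAN
    print(trace(good, "core", "10.8.0.5"))         # the reply on its way back to the client
    bad = build_topology(with_static_routes=False)
    print(trace(bad, "pfsense", "172.18.5.10"))    # no static routes: traffic leaves via the WAN default
```

The model also rejects a static route whose next hop is not on a connected subnet, which is the same constraint that stops pfSense from letting you pick an arbitrary gateway for a route: the next hop for the VLAN routes has to be 172.16.0.1 on the LAN, reachable without any gateway being assigned to the LAN interface itself.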
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.