Netgate Discussion Forum

    Gateway Issue or DNS issue

    Category: OpenVPN
    13 Posts 3 Posters 1.7k Views
    • RobTech

      Sorry for the delay in getting back to you. I can try and explain exactly the setup I have but a diagram would be better. I'll see if I can create one later today.

      However, the setup is as follows. The internet connection that comes into our building is one of 10 external IP addresses we have. These go into a Cyberoam Firewall. One of these IP addresses gets mapped to a specific LAN port on the Cyberoam firewall, which the pfSense WAN connection connects to. The LAN port on the pfSense box connects to a network switch on the internal LAN.

      My company won't allow me to publicize the external IP addresses we use, so I'll use 1.1.1.1 for the sake of explanation. Here is how it's set up:

      Cyberoam - WAN 1.1.1.1- LAN Port G - 192.168.1.254
      pfSense - WAN 192.168.1.1  - LAN 10.25.1.240

      LAN IP on pfSense is obtained via DHCP (Reserved) from a Windows 2012 server.

      The default gateway is not pfSense. All services AD, DNS, DHCP are all handled by Windows 2012 on the internal LAN.
      Internal LAN is 10.25.1.0/22 - 255.255.252.0, Gateway: 10.25.2.5.

      The routing table is taken from a Windows client connected to the OpenVPN server via internet.

      Outbound NAT is set to automatic with the following rules:

      Interface  Source                       Source Port  Destination  Dest. Port  NAT Address  NAT Port  Description
      WAN        127.0.0.0/8, 192.168.2.0/24  *            *            500         WAN address  *         Auto created rule for ISAKMP
      WAN        127.0.0.0/8, 192.168.2.0/24  *            *            *           WAN address  *         Auto created rule
      LAN        127.0.0.0/8, 192.168.2.0/24  *            *            500         LAN address  *         Auto created rule for ISAKMP
      LAN        127.0.0.0/8, 192.168.2.0/24  *            *            *           LAN address  *         Auto created rule

      My intention is to eventually convince my employer to drop Cyberoam and use pfSense instead but small steps first.

      If you need any further information or clarification please let me know.

      Thanks,

      Rob.

      • johnpoz (LAYER 8 Global Moderator)

        Why would LAN have outbound NAT? You set a gateway on your LAN… which is borked. Only WANs have gateways set.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • RobTech

          Hi,

          That certainly makes sense. I'm not sure what I have done to cause auto-generated outbound NAT rules to be created that include LAN in them. Can you offer any advice on why this might have happened and how I'd go about removing these references?

          Am I right in that I should expect to see 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 in the automatic rules?

          Thanks,

          Rob.

          • johnpoz (LAYER 8 Global Moderator)

            What is the setup on your other interfaces, other than your WAN? These 192.168.1/24 and 192.168.2/24 networks:

            0.0.0.0                          0.0.0.0                  192.168.1.1    192.168.1.16  20
            0.0.0.0                          128.0.0.0              192.168.2.1    192.168.2.2    276

            @RobTech: LAN IP on pfSense is obtained via DHCP (Reserved) from a Windows 2012 server.

            Huh??

            Please draw up your network… What exactly do you want pfSense to do? Its "LAN" interfaces should not be DHCP...


            • RobTech

              I'll do a diagram because it will likely explain it far better.

              The very short version of what I want to achieve is as follows:

              We have an internal domain network and want to attach a pfSense box to this network. The LAN connection will connect to the local network and the WAN connection to the internet, and then use OpenVPN to allow full network access including resolving host names to VPN clients. IP addresses are assigned by the internal LAN and not the pfSense box.

              Thanks again for your guidance.

              Rob.

              • viragomann

                @RobTech:

                I'm not sure what I have done to cause auto generated outbound NAT rules to be created that include LAN in them. Can you offer any advice on why this might have happened and how I'd go about removing these references.

                There should be no gateway set on interfaces connected to local networks, as long as there is no particular reason for that.
                The LAN interface should be configured with a static IP, not by DHCP.

                Since the pfSense is not your default gateway in the LAN, you either have to set a static route on each LAN device you want to reach via VPN to direct VPN responses back to pfSense, or you have to set an outbound NAT rule on the LAN interface to translate the source address of VPN packets to the LAN address when they go out to the LAN network, so that responses are directed back to pfSense.
                The NAT solution may be easier to set up, but has the drawback that you're not able to determine the true VPN client on the destination device.

                The best way is to run the VPN server on the default gateway. Alternatively you may set up a transit network between the default gateway and pfSense.

                • johnpoz (LAYER 8 Global Moderator)

                  If there is going to be some other default gateway on what amounts to pfsense "lan" with clients on it - but they need to go through pfsense to get somewhere you most likely are going to run into asymmetrical issues.

                  If there is a router downstream of pfsense, and pfsense will be a "gateway" to get to some other network, then pfsense should be connected to this downstream network via a transit network, not a network with hosts on it, etc.


                  • RobTech
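The two replies above (static route on each LAN host versus outbound NAT on the pfSense LAN interface, and the asymmetric-routing problem that arises when pfSense is not the LAN's default gateway) can be made concrete with a small routing simulation. This is an added example, not code from the thread or from pfSense: it models only the longest-prefix-match next-hop decision of a single LAN host, using the addresses posted in the thread (LAN 10.25.0.0/22, gateway 10.25.2.5, pfSense LAN 10.25.1.240, tunnel 192.168.2.0/24). The LAN host 10.25.1.50 and VPN client 192.168.2.2 are constructed values; firewall state tables and the Cyberoam are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Topology from the thread; LAN_HOST and VPN_CLIENT are constructed for the example.
LAN = ipaddress.ip_network("10.25.0.0/22")          # 255.255.252.0
TUNNEL = ipaddress.ip_network("192.168.2.0/24")     # OpenVPN tunnel network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PFSENSE_LAN = ipaddress.ip_address("10.25.1.240")   # pfSense LAN address
DEFAULT_GW = ipaddress.ip_address("10.25.2.5")      # Windows/Cyberoam side gateway
LAN_HOST = ipaddress.ip_address("10.25.1.50")       # constructed LAN workstation
VPN_CLIENT = ipaddress.ip_address("192.168.2.2")    # constructed tunnel client


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None means directly connected (on-link)


def next_hop(table: List[Route], dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Longest-prefix match: the address the host hands the packet to."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best.via is None else best.via


def lan_host_table(extra: Tuple[Route, ...] = ()) -> List[Route]:
    """Routing table of a LAN workstation: on-link LAN plus a default route."""
    return [Route(LAN, None), Route(DEFAULT, DEFAULT_GW), *extra]


def reply_path(host_table: List[Route], snat: bool):
    """Trace the LAN host's reply to a packet that arrived from the VPN client via pfSense.

    snat=True models an outbound NAT rule on the pfSense LAN interface that rewrites
    the source to the pfSense LAN address. Returns (reply first hop, source seen by
    the host, whether the reply goes back through pfSense).
    """
    src_seen = PFSENSE_LAN if snat else VPN_CLIENT
    hop = next_hop(host_table, src_seen)
    return str(hop), str(src_seen), hop == PFSENSE_LAN


def scenarios() -> dict:
    """The three configurations discussed in the thread."""
    return {
        # pfSense is not the default gateway and nothing else is done:
        # the reply to 192.168.2.2 leaves via 10.25.2.5, never reaching pfSense.
        "no_fix": reply_path(lan_host_table(), snat=False),
        # Fix 1: a static route for the tunnel network on each LAN host.
        "static_route": reply_path(
            lan_host_table((Route(TUNNEL, PFSENSE_LAN),)), snat=False),
        # Fix 2: outbound NAT on the LAN interface; the host sees only 10.25.1.240.
        "outbound_nat": reply_path(lan_host_table(), snat=True),
    }


if __name__ == "__main__":
    for name, (hop, src, symmetric) in scenarios().items():
        status = "returns via pfSense" if symmetric else "ASYMMETRIC (bypasses pfSense)"
        print(f"{name:13s} host sees source {src:14s} replies to {hop:14s} -> {status}")
```

The "no_fix" row is the failure viragomann and johnpoz describe: the forward packet arrives through pfSense, but the reply follows the host's default route to 10.25.2.5, so pfSense never sees it and its state table cannot match the flow. The static-route row keeps the real client address visible to the host; the NAT row restores symmetry but, as noted above, hides the true VPN client behind the pfSense LAN address.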

                    I've now managed to create a diagram, hopefully this will explain better:

                    I'll have to look at what a transit network is though, as I'm not familiar with the term.

                    Thanks,

                    Rob.

                    [Attachment: pfsense-openvpn.png]

                    • RobTech

                      I have a misprint on the diagram. The workstation IP range is 10.25.1.1 - 10.25.4.253.

                      Rob.

                      • johnpoz (LAYER 8 Global Moderator)

                        Where is this 192.168.2 network in that drawing?

                        192.168.2 is your OpenVPN tunnel network – how would that create an outbound NAT on your LAN??

                        See my attachment: the 10.0.8 and 10.0.200 are my 2 VPN tunnel networks... The outbound NAT is on the WAN.

                        [Attachment: openvpnnat.png]

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.