OPT1 / OPT2 interfaces not able to access the Internet
-
An edit to my last post.
Since you only want your VPN on your LAN you can probably disregard the outbound VPN NAT rules for your 192.168.20.0 and 192.168.30.0 subnets.
As you can see I have my VPN setup on all interfaces. Basically everything on my network goes through the VPN and I use firewall rules to run certain devices through the WAN by specifying the devices IP and choosing my WAN as the gateway. This is why I have VPN outbound NAT rule for each subnet.
Also for your OPT1 and OPT2 firewall rules, probably no need to choose a gateway in advanced options.
-
I forgot to mention that you may need to make some other changes in pfSense so that you do not have DNS leak issues with your VPN but first please follow the advice given earlier to get your internet working on each interface then report back. I only mention this because of your resolver settings and the fact that you are using a VPN for a reason. The VPN is useless if it is leaking DNS to your ISP.
-
Hi,
I believe we're getting close.
Per my screenshot for outbound NAT, I now have NAT mode set to hybrid and I've removed the ISAKMP rules. I've left the WAN rules for subnets 168.192.20.0 and 168.192.30.0 in place.
As for setting my LAN interface to use the OpenVPN gateway, I've tried setting up a new gateway under System > Routing and/or Status > Gateway. I didn't know what to use for an IP address so I left them blank. The screenshot of the Gateways shows this new OpenVPNGW gateway is in a "pending" status, I'm not sure where to go next with this.
Then, I tried setting up the LAN firewall rule to refer to the OpenVPNGW gateway. I also referred the OPT1 and OPT2 rules to the non-VPN gateway WANGW. Unfortunately, I'm still getting the same results – neither OPT1 or OPT2 can access the internet when OpenVPN is active.
Regards.
-
Looks like you took johnpoz and my advice together. I am sorry I should have stated to do one or the other in regards to your NAT rules.
Below is a copy of your screenshot with some added text. You can safely delete the rules I marked as duplicates as they were already created automatically at the bottom, do this if you want to keep it in Hybrid Outbound NAT. If you want to do the rules like I have in my screenshot you will need to switch to Manual Outbound NAT.
With that said I don't believe the duplicate NAT rules would stop your internet from working so there must be something else going on here.
Then, I tried setting up the LAN firewall rule to refer to the OpenVPNGW gateway. I also referred the OPT1 and OPT2 rules to the non-VPN gateway WANGW. Unfortunately, I'm still getting the same results – neither OPT1 or OPT2 can access the internet when OpenVPN is active.
Do you have internet on OPT1 and OPT2 when the VPN is disabled?
If I were you I would remove the VPN completely until I had internet working on all interfaces just to rule it out. I personally had a lot of strange issues while trying to set up my VPN.
Though it probably won't make a difference please fix your NAT rules as I mentioned above and then reboot your pfSense box. If you still have no internet on OPT1 and OPT2 the best advice I can give is try to get this all working WITHOUT your VPN. Once you have your internet working, then add the VPN back in.
-
Hello,
I've played around with things a bit more and am in a slightly different situation. All interfaces - LAN, OPT1 and OPT2 – work whether the VPN is active or not. However, now when I run the VPN, I'm no longer getting connected as I was before. Running the VPN or not, has no impact on any of the interfaces at the moment. I haven't deleted the VPN client yet but will do so if you feel it's necessary. I also tried setting up a gateway for the VPN but must not be getting the configuration right.
Please let me know what you think.
-
Hello,
I've played around with things a bit more and am in a slightly different situation. All interfaces - LAN, OPT1 and OPT2 – work whether the VPN is active or not. However, now when I run the VPN, I'm no longer getting connected as I was before. Running the VPN or not, has no impact on any of the interfaces at the moment. I haven't deleted the VPN client yet but will do so if you feel it's necessary. I also tried setting up a gateway for the VPN but must not be getting the configuration right.
Please let me know what you think.
Hi,
So you are saying you do have internet on all interfaces now?
If so no need to disable your VPN.
I'm not sure what you mean by "However, now when I run the VPN, I'm no longer getting connected as I was before". Do you mean you loose internet or you are not getting expected speeds? Please elaborate.
I can say, I think it is normal to see less speed while using a VPN.
-
Confirmed – I am able to connect to the internet from all interfaces now: LAN, OPT1 & OPT2. The problem I'm having now is when I start my OpenVPN service, I'm still seeing my home IP address and not the IP address(es) of my VPN provider. Somehow, I managed to disconnect something. BTW - I did reboot my router which seemed to get things working better (except the VPN).
Thanks.
-
Could it be that I need to set up a VPN Gateway as you recommended? If so, I'm in the dark on how to do this.
Thank you.
-
I may be wrong but if I remember correctly the VPN gateway should have been created automatically when you set up the VPN.
In one of your previous post you specified your VPN gateway in your LAN firewall rules.
Out of curiosity who is your VPN provider?
-
Your recollection is correct. I did try to set up my own gateway but this was NOT part of the process I followed to set up the VPN. I followed the instructions in this video to set up a VPN (which did not include setting up a gateway.) https://www.youtube.com/watch?v=jauomZSLUuk
I'm sure that while trying to set up a gateway on my own, I messed things up.
The first problem I'm seeing is that the OpenVPNGW I do set up is in a "pending" state. This may be one reason it's not working.
Let me know what you think.
-
Also, I'm using Private Internet Access as a provider (as specified in the video)
-
The youtube link is for a Private Internet Access VPN setup so I have to assume you are using PIA?
If so I noticed that video is almost a year old. It is possible there have been some code changes since then.
Try this tutorial: https://www.privateinternetaccess.com/pages/client-support/pfsense or at least verify your setting against it.
Also, anytime you make changes to the VPN setup it is good to reboot the pfSense box.
It could be something got borked when you were messing around so you may need to delete your VPN setup and start over.
I use ExpressVPN so my setup is similar but different. With the VPN gateway I did have to set my own monitor IP. I'm not sure if that is needed with PIA but you could add 4.2.2.1 as your Monitor IP.
What do you see when you goto Status –> OpenVPN? Does it show status up or down?
-
I must have been writing my last post when you posted that you are indeed using PIA.
-
Hello -
At the moment, I'd taken a turn for the worse….
I tried several different variations of VPN configs, and though I see that the client is active and connecteed, the VPN doesn't work on any of the interfaces.
Then I had the bright idea to restore my back-up from before I started this work and the VPN was still working. Alas, I seem to have disabled the webConfig interface running at http://192.168.1.1.
I've restored to factory defaults and can access my router through the serial interface. However, no matter what I try, I can't get into WebConfig.
At this point, I need to take a break working with pfSense and come back with fresh eyes in a day or two. I may even need to purchase a new box.
Thanks so much for all your help.
-
Alas, I seem to have disabled the webConfig interface running at http://192.168.1.1.
Sorry to hear of your bad luck. Hopefully you will have better luck when you come back to it.
Just out of curiosity, did you try accessing the web interface at 192.168.10.1 ?
-
hey buddy can you help me on how to set-up opt1 and opt2 and wan with the same gateway.