can not ping access anything behind openvpn
-
not sure what you mean
and I used to have automatic outbound nat.. but since you need set it to hybride when you want to use XBOX One behind pfsense.. but I still didn't get it to work still got Double Nat Typebut the outbound settings I set it like the Pfsense Basics said in the video
https://www.youtube.com/watch?v=Q6YbCQEiC3c
at 8:30 into the video I set it...
and ugh the screen shots are posted I scrollwed down ugh ill see if I can repost them in order.. ugh just a sec -
I re uploaded them 1 file at a time so they are in order now
and ill look for the wizard too
ill delete it all and start over didn't know there was a wizard for openvpn just pfsense basics remote user vpn for the version I have -
something they just added recently I seen
wasn't in the video before openvpn interface to allow traffic from the remote users..ill look into seeing how to do this this must be reason why mine doesn't work
-
@comet424 NAT is required for the client not the router. You need to just create a NAT entry for your whole LAN segment (i.e. 192.168.0.0/24) and also for any other networks you need outbound (i.e. 192.168.100.0/24). Then if you need static port for a specific client you can add those and make sure they are up higher in the list. Also, make sure you have a NAT entry for 127.0.0.1 to be NAT'd as well or the pfsense box will not be able to reach out to the internet itself (updates, etc.).
Beyond that, you need the appropriate firewall rules. If you don't have a firewall rule to allow traffic outbound and to reach the DNS server, etc, etc you won't be able to do anything either. My best advice is to create an Allow any protoctol from any source to any destination firewall rule on the OpenVPN interface and start there. If everything works, then you know that it has to do with your rule configuration. Start simple, then lock down.
IT Rule number 1: It is almost always the simplest thing. Keep your initial testing simple before you get complex.
-
@bloodlogic ok ill look into this.. I was just following step by step from the video I posted above.. but since I tried these settings a month or so ago they added they forgot a openvpn interface to allow traffic from the remote users...
I'm guessing that's what your talking about
I re read what you wrote takes me a few times to read things to understand it dyslexia and learning disability.. I a visual learner not so much a words learner.. ill try to take what you said and what the video posted about this openvpn interface and incorporate itI appreciate the help from @johnpoz and @bloodlogic
-
@comet424 Here is a screenshot of my NAT settings. The "Gaming Console" is an Alias I created in pfsense for my gaming console IPs and gave them static to help with the problem with NAT mode
Notice how that rule is above the other global network rules to allow my whole LAN and LAB networks outbound NAT so that they match first for my gaming consoles.
-
Also, not all youtube videos are correct so I understand the confusion when you perform their steps and it doesn't work. If you understand the why of things in your network it serves you to better understand the how to make them work. Hope you get it working.
-
@bloodlogic wtf you hiding rfc1918 for? That sure is not going to help anyone understand anything.
-
@johnpoz Because while it is not globally useful unless you are on my network, it still puts my internal layout of my network out on the internet which saves a black hat recon work. All information is usable depending on the context. If you want to put yours out there than go ahead. That being said, I already specifically named the CIDR blocks that would need to be in the OPs entries in a previous reply as well as left the /24 bit at the end.
-
Yeah ok sure <rolleyes> You might want to loosen up the tinfoil hat seems to be a bit tight ;)
-
ok I see I kinda confused why does it matter what comes first.. if your port forwarding say it just follows the rules in the list why it matter what comes first... I tried to copy yours.. I don't know if it will help for the couple issues I have.. and how did you rename Source to gaming Console doesn't it need an ip address here is what I just did
I wish there was a up down button I had to fiddle with add up and down and stuff
oh and the video they edited I need a openvpn client interface this is what I did there was no instructions let me know if I did it right?
I took a guess so don't get mad if I did wrong.. and will your gaming console settings fix the Double Nat Type in Xbox One has
here the pics I did .. oh and other guy said run the wizard for openvpn I didn't find no such thing only the wizard to initially setup the network but nothing for openVPN to just click click click and openvpn is setup... maybe you know where to find itits for the OpenVPN Client setting
-
@bloodlogic you mentioned there all youtube videos not correct. which I understand
is there a correct video or one with pictures to set it up properly that's verified correctly all the time.. as I mentioned I visual learner so I see things better then reading them...
I do appreciate all the help so far.. some of the stuff confuses me so I have to re read things several times -
@comet424 said in can not ping access anything behind openvpn:
oh and the video they edited I need a openvpn client interface this is what I did there was no instructions let me know if I did it right?
Because you DO NOT need an vpn interface for road warrior connectivity.. I wold say 90% of those videos are done by people that don't understand even the basics.. And many of them are for old versions as well.
https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
Is really where you should be looking.
-
@comet424 It is perfectly fine to not know things. :) No, you don't need a OpenVPN client setup. Your phone is the client and the pfsense is the server. You can delete that. That being said, the Wizard for OpenVPN is the Wizard tab that you see there next to "Client Specific Overrides" in your screenshot for the OpenVPN menu.
In regards to the ordering of rules, it matters because it works on a first matched only basis. If the global rule that allows that network outbound matches first, it is applied and your custom rule for just that one specific host is not even reached to know to do the static ports.
Your main problem with NAT is likely due to the fact that you have hybrid on and I am not 100% on the ordering there. You should switch to manual outbound for the NAT type to be sure. Make sure you keep all the ones created by the automatic rules but now make sure your rule for your gaming console with static port is above the others.
In regards to the "Gaming Console" entry, you can create aliases under "Firewall > Aliases" where you can group multiple addresses together into one logical entry. That field will take an alias. It shouldn't be needed in your case and the IP for your XBOX will do just fine.
All of that will fix your overall other issues but to fix your VPN issue you need the firewall rule as I mentioned. The firewall rule is why you don't have any access if I had to make an educated guess.
-
@johnpoz ok thanks ill check it out
ya like 4 months ago I was told I need vpn on the pfsense board because I wanted access to my network servers like my windows home servers and instead of changing each servers remote desktop port.. all I need is openvpn and I need it for security reasons was told I'm an idiot if I don't use vpn
so I tried and I gave up after a while trying to follow several videos then was told but another user why I using pfsense use mikrotik but it costs money in the end this free and seems ok... but I followed the video I posted because it was the same current version of pfsense I using as I found the older videos didn't work.. and then because I posted on the youtube it didn't work I seen now how I mentioned they posted they forgot to add openvpn client.. reason why I just played with it with the picsill check out the link you posted and ill follow those instructions and see how I get.. I appreciate all your help so far @johnpoz and @bloodlogic @onyxfire
its a learning process always willing to learn sometimes I just need help cuz I get stumped -
Dude it really is as simple as answer the simple questions in the wizard..
-
@onyxfire reason I set it to hybrid is because the few youtube videos posted for xbox and Double Nat Type for pfsense said you need to set it for this and then set a bunch of ports but it never helped in the end.. ill worry about that later...
as for the alias ah cant be bothered I just have xbox one and 360 and a ps3 but only xbox one hooked up
as for the wizards I see it now I didn't see it before.. also with dyslexia I miss read words.. like "mother" I sometimes read as "hello" reason why I need to re read things 3 4 times or so sometimes bad case I have..and reason I was using cell phone was easier for me to take to tim hortons or home depot and test the OpenVPN then taking the laptop in the store and then I installed Ping program so I could see if I could ping my local network least then I could test with a laptop..
as I originally wanted to do Remote desktop server1.example.com remote desktop server2.example.com but was told I idiot no point In setting it up you need vpn as I been doing like 3389 port for server 1 3391 port for server 2.. and I didn't wanna do port forwarding anymore I wanted to connect like I do at home or least have reverse name look up I think its called like remote desktop server1.example.com
@johnpoz and sorry I didn't see the wizard you mention ill try again.. I miss read the screen..