Mobile Ipsec cannot connect from guest wifi when behind same pfsense box
-
Hello, I cannot figure out how to make our guest clients able to connect to the mobile VPN when behind the same pfSense box.
Using version 2.4.3-RELEASE-p1 (amd64)
-
Do you find any blocked entries in the firewall logs?
-
Post your guest network firewall rules.
I bet it's a block rule on your guest interface.
Not exactly sure why you'd want guest users vpning into the same pfSense router.
-
We have a policy to prevent users from using company resources over wifi.
But some users with vpn access want to connect over vpn.
I have a block rule on the guest interface for sure to prevent users from accessing the lan and the firewall itself, but they are allowed to go to the internet via a gateway.
My question is: why can't we connect to the VPN if traffic goes out of the gateway correctly?
-
@yasnick said in Mobile Ipsec cannot connect from guest wifi when behind same pfsense box:
We have a policy to prevent users from using company resources over wifi.
Well, they are using company resources over wi-fi if you let them VPN back in over wi-fi. If you're allowing VPN over wi-fi, you might as well create a separate SSID for company access and lock it down with RADIUS access.
Post your guest firewall rules as per my 1st post: "I bet it's a block rule on your guest interface."
What IP address do they connect to for VPN? I bet it's an address that encompasses This Firewall.
This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)
https://www.netgate.com/docs/pfsense/firewall/firewall-rule-basics.html
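
An added example, not part of the thread: a small first-match rule evaluator showing why a guest-interface block to This Firewall (self) would also stop IKE (UDP 500), NAT-T (UDP 4500) and ESP to a virtual IP on the same box, and how pass rules placed above the block change the result. The addresses, rule order, rule labels and function names are constructed assumptions; the poster's actual guest rules were not shown.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation/private ranges), not from the thread.
VPN_VIP = "192.0.2.10"   # virtual IP the mobile IPsec clients connect to
# "This Firewall (self)": every IP on any interface, virtual IPs included.
SELF = {"192.0.2.1", VPN_VIP, "10.0.10.1", "10.0.20.1"}

@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "udp", "tcp", "esp" or "any"
    dst: str           # "self", "any" or a CIDR
    ports: tuple = ()  # empty tuple = any port
    label: str = ""

def evaluate(rules, proto, dst_ip, port=None):
    """Interface rules are checked top-down; the first match decides."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.ports and port not in r.ports:
            continue
        if r.dst == "self":
            hit = dst_ip in SELF
        else:
            net = "0.0.0.0/0" if r.dst == "any" else r.dst
            hit = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net)
        if hit:
            return r.action, r.label
    return "block", "default deny"

# Guest rules as described in the thread (assumed order).
GUEST = [
    Rule("block", "any", "10.0.10.0/24", label="block LAN"),
    Rule("block", "any", "self", label="block This Firewall"),
    Rule("pass", "any", "any", label="internet"),
]
# Same rules with IKE, NAT-T and ESP to the VPN address allowed first.
GUEST_VPN = [
    Rule("pass", "udp", VPN_VIP + "/32", (500, 4500), "IKE/NAT-T to VPN"),
    Rule("pass", "esp", VPN_VIP + "/32", label="ESP to VPN"),
] + GUEST

def ipsec_reachable(rules):
    probes = [("udp", 500), ("udp", 4500), ("esp", None)]
    return all(evaluate(rules, p, VPN_VIP, port)[0] == "pass" for p, port in probes)
```

With the narrow pass rules on top, the guest network can reach only the IPsec endpoint; the web GUI, other firewall services and the LAN still hit the block rules.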
-
Thank you for your message. I agree with your idea of implementing a RADIUS server; it makes sense in some way.
The IP that they connect to for the VPN is a virtual IP assigned to an interface. I understand better now.
But on another pfSense box (version 2.3.4) we don't have this issue and we can connect to the VPN from a LAN interface.