Netgate Discussion Forum

Routing and OpenVPN (OpenVPN)
12 Posts 3 Posters 1.1k Views
DrJon:

Great, thank you. How do I do that? Could you give me an example?

viragomann @DrJon:

        @DrJon said in Routing and OpenVPN:

Great, thank you. How do I do that? Could you give me an example?

        What? The rule or the static mapping? Don't know how you provide DHCP.

DrJon @viragomann:

          @viragomann said in Routing and OpenVPN:

          @DrJon said in Routing and OpenVPN:

Great, thank you. How do I do that? Could you give me an example?

          What? The rule or the static mapping? Don't know how you provide DHCP.

Both, if you're able to. DHCP is provided from pfSense on the LAN port.

viragomann:

            For the static mapping go to Services > DHCP Server > LAN and down to DHCP Static Mappings for this Interface > Add. Enter the MAC, a Client Identifier for you and an IP to map to it, which must be outside of the DHCP pool. Hostname and Description are optional.

Go to Firewall > Rules > LAN and add a rule at the top of the rule set:
Action: Pass
Source: the IP you have mapped to the firestick
Destination: check Invert match and select "This firewall"
Open the Advanced options, go to Gateway and select the WAN gateway.

DrJon:

Great, thank you! That worked... eventually, after various restarts from the pfSense to the access point (R8000 Nighthawk, soon to be replaced). Not sure if it's a router issue, a pfSense issue or a user issue, but I have had to forget and re-add the network AP on a few of the devices that seem to be having connection issues; this has solved it on those devices so far.

nirmalts @viragomann:

                @viragomann said in Routing and OpenVPN:

Destination: check Invert match and select "This firewall"

Short question: What's the motivation behind this invert?

viragomann @nirmalts:

                  @nirmalts said in Routing and OpenVPN:

                  @viragomann said in Routing and OpenVPN:

Destination: check Invert match and select "This firewall"

Short question: What's the motivation behind this invert?

The rule passes all traffic from the firestick to the WAN gateway. But assuming pfSense provides services like DNS or NTP to the LAN devices, pfSense has to be excluded from the destinations. Without that, no access from the firestick to these services would be possible.

Of course, access to pfSense should be more restricted, but that's not part of this thread and is possibly already done by other rules.

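The rule viragomann describes above (source = the firestick's static IP, destination = "This firewall" inverted, gateway = WAN) and the reason for the invert given in this last reply can both be checked with a small first-match model of a pfSense LAN rule set. The following is an added example, not code from the thread or from pfSense: it models "This firewall" as the single LAN address of the firewall (a simplification; the real alias covers every address pfSense owns), and the addresses, gateway names and the two companion rules ("LAN to This firewall" and a default LAN rule via the OpenVPN gateway) are constructed assumptions. It shows why, without the invert, the bypass rule also swallows DNS or NTP traffic aimed at pfSense and policy-routes it to the WAN gateway, while with the invert that traffic falls through to the next rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed values for this example (not from the thread):
FIRESTICK = "192.168.1.50"     # IP handed out by the static DHCP mapping
PFSENSE_LAN = "192.168.1.1"    # pfSense's own LAN address, standing in for "This firewall"
OTHER_HOST = "192.168.1.77"    # some other LAN client
LAN_NET = "192.168.1.0/24"
WAN_GW = "WAN_GW"              # gateway names as they would appear in the rule
VPN_GW = "OPENVPN_GW"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # "any" or a host/network in CIDR form
    dst: str                          # "any" or a host/network in CIDR form
    dst_invert: bool = False          # the "Invert match" checkbox on Destination
    gateway: Optional[str] = None     # None = ordinary routing-table lookup
    action: str = "pass"


def _contains(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, src: str, dst: str) -> bool:
    dst_hit = _contains(rule.dst, dst)
    if rule.dst_invert:
        dst_hit = not dst_hit
    return _contains(rule.src, src) and dst_hit


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """First matching rule wins (pfSense rules are 'quick'); nothing matched = default deny."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.name, rule.action, rule.gateway
    return "default deny", "block", None


def lan_ruleset(invert: bool) -> List[Rule]:
    """LAN rule set in top-to-bottom order, with or without the destination invert."""
    if invert:
        bypass = Rule("Fire Stick bypass VPN", src=FIRESTICK, dst=PFSENSE_LAN,
                      dst_invert=True, gateway=WAN_GW)
    else:
        bypass = Rule("Fire Stick bypass VPN", src=FIRESTICK, dst="any", gateway=WAN_GW)
    return [
        bypass,
        # Assumed companion rules: LAN clients may use services on the firewall itself
        # (DNS, NTP), and everything else from the LAN goes out the OpenVPN gateway.
        Rule("LAN to This firewall", src=LAN_NET, dst=PFSENSE_LAN),
        Rule("Default LAN via VPN", src=LAN_NET, dst="any", gateway=VPN_GW),
    ]


if __name__ == "__main__":
    flows = [
        (FIRESTICK, PFSENSE_LAN, "firestick -> DNS on pfSense"),
        (FIRESTICK, "203.0.113.10", "firestick -> internet"),
        (OTHER_HOST, "203.0.113.10", "other host -> internet"),
    ]
    for invert in (False, True):
        print(f"invert match on destination: {invert}")
        for src, dst, label in flows:
            print("  ", label, "->", evaluate(lan_ruleset(invert), src, dst))
```

Without the invert the first flow reports the bypass rule with gateway WAN_GW, so a DNS query to pfSense would be policy-routed away instead of answered locally; with the invert it reaches the "LAN to This firewall" rule and is routed normally, while the firestick's internet traffic still leaves via WAN_GW and other hosts keep using the VPN gateway.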
DrJon:

I have noticed that, randomly, the routing and rule setup I used in this thread seems not to be working as it should. Namely, the rule for the firestick bypassing the VPN works for the most part, but sometimes it doesn't. I'm not sure why or what I can do to fix it.

viragomann:

                      How did you determine this?
                      What is the real problem?

If you think the rule isn't applied, enable logging on all rules on that interface and also logging of the default block rule in Status > System Logs > Settings.
Then look in the log to see which rules were applied to upstream traffic from the firestick.

DrJon @viragomann:
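Once logging is enabled as viragomann suggests, the firewall log can be reduced to "which rule handled each packet from the firestick", which is the question being asked. The script below is an added example, not part of the thread or of pfSense. It assumes the filterlog CSV field order documented for pfSense (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, addresses and ports); the log lines, interface name igb1, tracker IDs and addresses are constructed. The tracker ID is the value the web GUI uses to identify the rule a log entry matched, so grouping by it shows directly whether the bypass rule, a companion rule, or the default block is catching the firestick's traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed pfSense-style filterlog lines for this example (not real log data).
# igb1 = LAN, 192.168.1.50 = firestick, 192.168.1.1 = pfSense, 192.168.1.77 = other host.
SAMPLE_LOG = """\
Oct 12 09:15:03 pfSense filterlog[54321]: 8,,,1770000001,igb1,match,pass,in,4,0x0,,64,12345,0,DF,17,udp,60,192.168.1.50,192.168.1.1,51000,53,40
Oct 12 09:15:04 pfSense filterlog[54321]: 9,,,1770000002,igb1,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,51001,443,0,S,1234567890,,65535,,mss
Oct 12 09:15:05 pfSense filterlog[54321]: 11,,,1770000003,igb1,match,pass,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.1.77,203.0.113.10,44002,443,0,S,1234567891,,65535,,mss
Oct 12 09:15:06 pfSense filterlog[54321]: 12,,,1000000103,igb1,match,block,in,4,0x0,,64,12348,0,none,6,tcp,60,192.168.1.50,198.51.100.5,51002,80,0,S,1234567892,,65535,,mss
Oct 12 09:15:07 pfSense filterlog[54321]: 9,,,1770000002,igb1,match,pass,in,6,0x00,0x00000,64,udp,17,60,2001:db8:1::50,2001:db8:1::1,5353,53,40
"""

LINE_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into the fields needed to attribute it to a rule."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    rec = {"rulenum": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
           "action": f[6], "dir": f[7], "ipver": f[8]}
    if f[8] == "4":     # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,...
        rec.update(proto=f[16], src=f[18], dst=f[19])
        ports = f[20:22]
    elif f[8] == "6":   # IPv6: class,flow,hoplimit,proto,proto-id,length,src,dst,...
        rec.update(proto=f[12], src=f[15], dst=f[16])
        ports = f[17:19]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(ports) == 2:
        rec["sport"], rec["dport"] = ports
    return rec


Key = Tuple[str, str, str, str]   # (tracker, action, proto, "dst:dport")


def rules_hit(lines: List[str], src_ip: str, iface: str = "igb1") -> Counter:
    """Count which rule (by tracker ID) handled inbound packets from src_ip on iface."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["dir"] == "in" and rec["iface"] == iface and rec["src"] == src_ip:
            key: Key = (rec["tracker"], rec["action"], rec["proto"],
                        f'{rec["dst"]}:{rec.get("dport", "-")}')
            hits[key] += 1
    return hits


def blocked_from(lines: List[str], src_ip: str, iface: str = "igb1") -> List[Key]:
    """Flows from src_ip that hit a block rule: the ones to explain when 'sometimes it doesn't work'."""
    return [key for key in rules_hit(lines, src_ip, iface) if key[1] == "block"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in rules_hit(lines, "192.168.1.50").items():
        print(f"tracker {key[0]} {key[1]:5s} {key[2]} -> {key[3]} x{n}")
    print("blocked:", blocked_from(lines, "192.168.1.50"))
```

Run against a real export of the firewall log (for example the raw view under Status > System Logs > Firewall, pasted into a file) with the firestick's mapped IP as `src_ip`; a tracker ID belonging to the default block rule appearing in `blocked_from` means the bypass rule did not match that flow and the rule order or match fields need a second look.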

                        @viragomann thanks, will do.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.