Netgate Discussion Forum

    Test Site to Site VPN before deploying

    OpenVPN
    26 Posts 4 Posters 1.2k Views
    • JKnott @NasKar

      @NasKar

      That doesn't sound right. While I have an Android phone, I have also used an iPhone for tethering a computer. As I mentioned, I get that ue0 interface. Did you try the ifconfig, both before and after enabling tethering, as I suggested? That way you should see a difference which would reveal the interface. Also, try an ordinary computer to see if that gets an IP address. It should, as this is a common way to use a cell phone to get an Internet connection. While I generally use Wifi, I have also used USB several times. In fact, it was a work iPhone that got me in the habit of using USB, as its Wifi tethering was so crappy. However, from a pfSense point of view, there should be no difference between Android and iPhone for USB tethering.
      Don't forget, after that interface appears, you will have to assign it to whatever interface you want to use. I used OPT4, for my test yesterday.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

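The before/after ifconfig comparison suggested above, as an added example that is not part of the thread: a small POSIX sh helper that diffs two interface-name snapshots and prints whatever appeared in between. It assumes FreeBSD/pfSense, where `ifconfig -l` prints only interface names; the snapshot contents at the bottom are constructed, not captured from anyone's box.

```shell
#!/bin/sh
# Added example, not from the thread: find the interface that appears when
# USB tethering is enabled by diffing the interface list before and after.
# Assumes FreeBSD/pfSense, where `ifconfig -l` prints only interface names.

# new_ifaces BEFORE AFTER
# Print each interface name in AFTER that is missing from BEFORE, one per
# line. Both arguments are whitespace-separated name lists, which is what
# `ifconfig -l` prints.
new_ifaces() {
    before=" $1 "
    for ifc in $2; do
        case "$before" in
            *" $ifc "*) ;;          # present in the earlier snapshot
            *) echo "$ifc" ;;       # new since the snapshot
        esac
    done
}

# Live use on the pfSense shell (SSH or Diagnostics > Command Prompt):
#   before=$(ifconfig -l)   # phone unplugged, or plugged in with tethering off
#   ... plug the phone in and enable Personal Hotspot / USB tethering ...
#   after=$(ifconfig -l)
#   new_ifaces "$before" "$after"
# `usbconfig` with no arguments lists the USB devices the kernel enumerated,
# which tells you whether the phone was seen at all when no ue0 shows up.

# Constructed snapshots standing in for the two live `ifconfig -l` runs.
BEFORE_SNAPSHOT="em0 em1 em2 em3 lo0 pflog0 pfsync0"
AFTER_SNAPSHOT="em0 em1 em2 em3 lo0 pflog0 pfsync0 ue0"

new_ifaces "$BEFORE_SNAPSHOT" "$AFTER_SNAPSHOT"   # prints: ue0
```

Whatever name this prints is the one to pick under Interfaces > Assignments; the post above used OPT4 for it. If nothing prints, the phone did not expose a network interface to the kernel, and the problem is on the USB side rather than in pfSense.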
      • NasKar @JKnott

        @JKnott I did check the ifconfig and did not see a change. Here is the before and after ifconfig. I've plugged the iPhone into a ddwrt router and it recognizes it and allows me to access the internet on a connected computer.

        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
        	inet 127.0.0.1 netmask 0xff000000 
        	inet6 ::1 prefixlen 128 
        	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
        	nd6 options=201<PERFORMNUD,DAD>
        gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        stf0: flags=0<> mtu 1280
        EHC253: flags=0<> mtu 0
        EHC250: flags=0<> mtu 0
        en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
        	ether 3c:07:54:02:81:06 
        	inet 192.168.1.124 netmask 0xffffff00 broadcast 192.168.1.255
        	media: autoselect (1000baseT <full-duplex,flow-control>)
        	status: active
        en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        	ether e4:ce:8f:48:fc:20 
        	media: autoselect (<unknown type>)
        	status: inactive
        p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
        	ether 06:ce:8f:48:fc:20 
        	media: autoselect
        	status: inactive
        en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        	options=60<TSO4,TSO6>
        	ether d2:00:10:80:34:80 
        	media: autoselect <full-duplex>
        	status: inactive
        fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
        	lladdr a4:b1:97:ff:fe:08:03:48 
        	media: autoselect <full-duplex>
        	status: inactive
        bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
        	ether d2:00:10:80:34:80 
        	Configuration:
        		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        		ipfilter disabled flags 0x2
        	member: en2 flags=3<LEARNING,DISCOVER>
        	        ifmaxaddr 0 port 9 priority 0 path cost 0
        	media: <unknown type>
        	status: inactive
        utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
        	inet6 fe80::379d:ce54:5dc9:9b1d%utun0 prefixlen 64 scopeid 0xc 
        	nd6 options=201<PERFORMNUD,DAD>
        
        ifconfig
        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
        	inet 127.0.0.1 netmask 0xff000000 
        	inet6 ::1 prefixlen 128 
        	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
        	nd6 options=201<PERFORMNUD,DAD>
        gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        stf0: flags=0<> mtu 1280
        EHC253: flags=0<> mtu 0
        EHC250: flags=0<> mtu 0
        en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
        	ether 3c:07:54:02:81:06 
        	inet 192.168.1.124 netmask 0xffffff00 broadcast 192.168.1.255
        	media: autoselect (1000baseT <full-duplex,flow-control>)
        	status: active
        en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        	ether e4:ce:8f:48:fc:20 
        	media: autoselect (<unknown type>)
        	status: inactive
        p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
        	ether 06:ce:8f:48:fc:20 
        	media: autoselect
        	status: inactive
        en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        	options=60<TSO4,TSO6>
        	ether d2:00:10:80:34:80 
        	media: autoselect <full-duplex>
        	status: inactive
        fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
        	lladdr a4:b1:97:ff:fe:08:03:48 
        	media: autoselect <full-duplex>
        	status: inactive
        bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
        	ether d2:00:10:80:34:80 
        	Configuration:
        		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        		ipfilter disabled flags 0x2
        	member: en2 flags=3<LEARNING,DISCOVER>
        	        ifmaxaddr 0 port 9 priority 0 path cost 0
        	media: <unknown type>
        	status: inactive
        utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
        	inet6 fe80::379d:ce54:5dc9:9b1d%utun0 prefixlen 64 scopeid 0xc 
        	nd6 options=201<PERFORMNUD,DAD>
        
        

        Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
        2 CPUs: 1 package(s) x 2 core(s)
        AES-NI CPU Crypto: No
        2 Gigs Ram
        SSD with ver 2.4.0
        IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

        • serbus

          Hello!

          It doesn't sound like the Personal Hotspot tethering is being enabled for USB in iOS. The exact steps to do this might be different, based on your version of iOS and plan. I would recommend that you search the interweb for iOS USB tethering and see if any howtos match up with your phone.

          The USB tethering is very useful and cool. If you find that you are doing quite a few deployments like this, you could also look into something like a netgear lb1120 with a cheap unlimited paygo sim. I use that setup for client side site-to-site testing in house and for rural/backup wan interfaces.

          John

          Lex parsimoniae

          • JKnott @NasKar

            @NasKar said in Test Site to Site VPN before deploying:

            I've plugged the iphone into a ddwrt router and it recognizes it and allows me to access the internet on a connected computer.

            It has a USB port and recognizes the tether? Why not use that router to emulate the Internet, as I suggested earlier? Just configure the subnet so it doesn't conflict with anything on the VPN or pfSense LAN side. Connect the 2 pfSense boxes to it and you have your test setup.

            • NasKar @JKnott

              @JKnott
              My goal is to get the client on the dd-wrt as it’s much smaller than my PfSense box and less objectionable to put in someone else’s home. I want to get it working in pfsense before playing with ddwrt.

              To clarify, the reason the router emulating an ISP works is that I can get 2 IP addresses via DHCP, making the 2 connected pfsense boxes think they have their own connection to the internet, simulating having 2 ISPs at my home. Any reason I can't keep the openvpn server on my original ISP and the openvpn client on the cellphone connected to the ddwrt router?

              • JKnott @NasKar

                @NasKar

                I'm having trouble determining what you want. I thought you wanted pfSense at both ends, now you want to use the DD-WRT router at one end. Which is it? Also, didn't you say that DD WRT router gets an address? If so, you are ready to test.

                • NasKar @JKnott

                  @JKnott I want to get the pfsense to pfsense working.
                  Update:
                  The dd-wrt router is getting a wan IP of 172.20.10.2. Is that correct that it is a private IP or should it be a public IP address?

                  • JKnott @NasKar

                    @NasKar

                    Is that tethered to your cell phone? If so, it's entirely appropriate, as there aren't enough IPv4 addresses to provide public addresses to mobile devices. However, while you could connect to the other system from that address, you won't be able to connect to it.

                    • NasKar
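The point made above, that a tethered WAN can reach out but cannot be reached, decides which end gets the OpenVPN server. Here is an added check (not from the thread) in POSIX sh that classifies the address a WAN received; it goes beyond the post by also catching carrier-grade NAT space (100.64.0.0/10, RFC 6598), which is not RFC 1918 but is just as unreachable from outside. The three addresses at the bottom are constructed test inputs: the thread's 172.20.10.2, a CGNAT address, and a documentation-range address standing in for a real public one.

```shell
#!/bin/sh
# Added example, not from the thread: classify the address a WAN received so
# you know which end can host the OpenVPN server. A tethered phone hands out
# an RFC 1918 address (172.20.10.2 in the thread) and NATs it itself, and
# most carriers NAT again upstream, so nothing can initiate a connection
# toward that side. Carrier-grade NAT space (100.64.0.0/10, RFC 6598) is not
# RFC 1918 but is equally unreachable; a plain "is it private?" test misses it.

# wan_addr_class A.B.C.D: print rfc1918, cgnat, or public.
wan_addr_class() {
    echo "$1" | awk -F. '{
        a = $1 + 0; b = $2 + 0
        if (a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
            print "rfc1918"
        else if (a == 100 && b >= 64 && b <= 127)
            print "cgnat"
        else
            print "public"
    }'
}

# can_host_server A.B.C.D: exit 0 when the far end could at least address
# this WAN directly, 1 otherwise. "public" only means "not a known NAT
# range"; confirm it by comparing with the source address the other side's
# OpenVPN log records for your connection attempts.
can_host_server() {
    [ "$(wan_addr_class "$1")" = public ]
}

# Constructed inputs: the thread's tethered WAN address, a CGNAT address,
# and an RFC 5737 documentation address standing in for a real public one.
for ip in 172.20.10.2 100.64.3.7 203.0.113.10; do
    if can_host_server "$ip"; then
        verdict="can accept inbound OpenVPN"
    else
        verdict="client side only, must initiate"
    fi
    echo "$ip ($(wan_addr_class "$ip")): $verdict"
done
```

For the setup in this thread that means the OpenVPN server stays on the home ISP connection and the tethered box runs the client, which is exactly the arrangement the original poster ends up with.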

                      The WAN IP 172.20.10.2 is tethered to my cell phone.

                      I tried again to connect the iPhone to the client pfsense box following this thread

                      Plug in iPhone to USB port on pfSense
                      In the CLI check the ugen # and place in command below
                      usbconfig -d ugen3.2 dump_all_desc
                      Find the configuration index # that has PTP+Apple Mobile Device + Apple USB Ethernet
                      if it is in Configuration index 3 issue this command
                      usbconfig -d ugen3.2 set_config 3
                      ue0 now shows up in the interface options or ifconfig
                      Disable WAN interface

                      It also gives the same private IP address on the client PFSense box.

                      If I can't connect to that address I will only be able to test the site to site VPN one way. Am I correct that that's useless? Is my only option to take it to another location and test it?

                      • JKnott @NasKar
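The usbconfig procedure quoted in the post above, as an added example that is not part of the thread: a POSIX sh helper that parses the `dump_all_desc` listing to find the configuration index whose name includes "Apple USB Ethernet" and selects it with `set_config`, instead of reading the index off the screen. It assumes FreeBSD/pfSense usbconfig; the address ugen3.2 is only the one from the thread, and the abbreviated dump at the bottom is constructed to show the lines the parser keys on, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread: automate the usbconfig steps quoted
# above. Parse `usbconfig -d ugenX.Y dump_all_desc` output for the
# configuration whose name includes "Apple USB Ethernet", then select it.
# Assumes FreeBSD/pfSense usbconfig; "ugen3.2" is only the address from the
# thread, use whatever a bare `usbconfig` lists for your phone.

# find_eth_cfg: read a dump_all_desc listing on stdin and print the index
# of the first configuration whose iConfiguration string mentions Apple USB
# Ethernet. Prints nothing and exits 1 when no such configuration exists.
find_eth_cfg() {
    awk '
        /^ *Configuration index [0-9]+/ { idx = $3 }
        /iConfiguration = .*Apple USB Ethernet/ && idx != "" {
            print idx; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# select_eth_cfg ugenX.Y: apply the configuration found above. The choice
# lasts for one enumeration only: a replug or reboot returns the phone to
# its default configuration, so run this again afterwards (or hook it to a
# devd rule or a pfSense Shellcmd entry).
select_eth_cfg() {
    dev="$1"
    idx=$(usbconfig -d "$dev" dump_all_desc | find_eth_cfg) || {
        echo "$dev: no Apple USB Ethernet configuration found" >&2
        return 1
    }
    echo "$dev: selecting configuration index $idx"
    usbconfig -d "$dev" set_config "$idx" && ifconfig -l
}

# Constructed, abbreviated dump: only the lines the parser looks at, with
# the four configuration names an iPhone advertises. A real dump carries
# the full descriptor fields for every configuration, interface and endpoint.
SAMPLE_DUMP='ugen3.2: <iPhone Apple Inc.> at usbus3, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

  bNumConfigurations = 0x0004

 Configuration index 0
    iConfiguration = 0x0005  <PTP>

 Configuration index 1
    iConfiguration = 0x0007  <iPod USB Interface>

 Configuration index 2
    iConfiguration = 0x0008  <PTP + Apple Mobile Device>

 Configuration index 3
    iConfiguration = 0x0009  <PTP + Apple Mobile Device + Apple USB Ethernet>'

printf '%s\n' "$SAMPLE_DUMP" | find_eth_cfg    # prints: 3
```

On a live box the call is `select_eth_cfg ugen3.2` (with your own address); once it reports the new interface in the `ifconfig -l` listing, assign that interface under Interfaces > Assignments as the post describes. Because the configuration resets on every replug, a deployment that relies on the tether needs the command re-run automatically rather than typed once.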

                        @NasKar said in Test Site to Site VPN before deploying:

                        Plug in iPhone to USB port on pfSense
                        In the CLI check the ugen # and place in command below
                        usbconfig -d ugen3.2 dump_all_desc
                        Find the configuration index # that has PTP+Apple Mobile Device + Apple USB Ethernet
                        if it is in Configuration index 3 issue this command
                        usbconfig -d ugen3.2 set_config 3
                        ue0 now shows up in the interface options or ifconfig

                        What's all that stuff???? All I did was connect the USB cable and enable tethering on the phone. Then ue0 appeared, which I was then able to configure as opt4. It's as simple as that.

                        And yes, the phone will give you a private address. However, it should still be possible to test from that address to the pfSense system, which I assume has a public address. If you want to test both ways, then do what I suggested with another router (or even a direct Ethernet connection, if you don't mind manual configuration), to emulate connections to the Internet, so you can test in both directions. All you need to test is a couple of addresses. It doesn't matter if you're actually connected to the Internet or not, for the purposes of the test.

                        • NasKar @JKnott

                          @JKnott said in Test Site to Site VPN before deploying:

                          What's all that stuff???? All I did was connect the USB cable and enable tethering on the phone. Then ue0 appeared, which I was then able to configure as opt4. It's as simple as that.

                          Apparently it works perfectly if you plug an Android phone in, but with an iPhone the ue0 doesn't appear without the steps I outlined.

                          @JKnott said in Test Site to Site VPN before deploying:

                          then do what I suggested with another router

                          I'm having trouble understanding how to set that up. Are you saying to set up my spare router without connecting the WAN port, and connect the 2 pfsense routers to the LAN ports of the spare router with DHCP, disconnecting my PFsense server from my ISP temporarily to test things? To clarify, I made a diagram. Then I could ping from the laptop to the Win10 computer and from the Win10 computer to the laptop.

                          [image: Test Network.jpg]

                          • JKnott @NasKar

                            @NasKar said in Test Site to Site VPN before deploying:

                            Apparently it works perfect if you plug an Android phone in but with an iPhone the ue0 doesn't appear without the steps I outlined.

                            I have USB tethered computers to both Android and iPhone. Never had a problem with either, which is more than I can say about WiFi tether to iPhone.

                            As for that router: my understanding is that you want to test the 2 devices. Well yes, you can do that without any Internet connection. All you need is some way for the 2 devices to communicate. The LAN side of a router will do that. As I mentioned, you could even do it with just an Ethernet cable, if you don't mind doing manual configuration of the IP address, etc.

                            • NasKar @JKnott

                              @JKnott I don't know why, but I couldn't get the router without an internet connection to work. After starting from scratch, creating a pfsense server and pfsense client tethered with the iPhone, everything works. BTW I can ping in both directions with the iPhone on a private network. Thanks for your help, I learned a lot.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.