PfSense behind ISP modem/router combo
-
@viragomann said in PfSense behind ISP modem/router combo:
The double NAT is not an obstacle for running OpenVPN behind
Very true - but users have issues with configuring their isp device doing nat in front of pfsense, and with the export of config where it gives the wan rfc1918 address vs the actual public IP.
-
@cmos_battery said in PfSense behind ISP modem/router combo:
I'm getting the packets like expected
What packets are you getting exactly?
What I would do here is run a packet capture on the pfSense WAN for the port you have OpenVPN running on (1194 by default). Then try to connect to it via some external network, using your phone as a hotspot for example. Make sure you see that traffic arriving on WAN from the expected external IP.
If you don't then the ISP device is not correctly setup.Switching to L2TP over IPSec is not going to help here IMO.
Double NAT will work fine for almost everything. One thing that will fail is UPnP and many games are unfortunately (and inexplicably!) completely reliant on it. It's a significant security risk anyway which is why UPnP is disabled by default.
Steve
-
I’ve set in the OpenVPN wizard the two checked boxes at the end to enable it for the firewall and WAN. In addition, I did go ahead and removed the checked boxes for Bogon networks and private networks. My virtual network is 10.2.0.0/24. I’ll have to get off work and provide some more details and look through all the info and get pictures.
-
Block bogon or private networks should not normally make any difference. It would only change anything if the ISP device was source NATing forwarded traffic which is unlikely.
If the ISP devic has ever forwarded any OpenVPN traffic you should see state creation on the firewall rule on WAN. That gets cleared if you rebooted though.
-
@cmos_battery said in PfSense behind ISP modem/router combo:
I did go ahead and removed the checked boxes for Bogon networks and private networks
With @stephenw10 - why? So amounts to randomly clicking shit, in a hope to get something work ;)
In what scenario would you hitting your wan for vpn access via a bogon or rfc1918 address?
-
I’ll probably just have to drop attempting the VPN, I’m stuck in a bit loop of being able to access the it from the ISP router but nothing seems to be able to ever get outside when I’m on the public networks.
I’ve created a port forward on the ISP device but lately it seems I can never get ports to open or get my port checkers to see them. Probably just a shit should we of a network I.
-
This isn't rocket science... You have a public IP on your isp router 1.2.3.4 lets say, you forward UDP 1194 to your pfsense wan IP.. 192.168.1.50 for example.
Now you hit 1.2.3.4 from your client on 1194...
-
Well if that was the case I wouldn’t be in said position. I’ve used the wizard to create the OpenVPN, I’ve allowed bogon and private networks. I’ve used the pre done firewall and NAT rules, port forwarded the OpenVPN port to the WAN.
The main issue is that neither the ISP device nor the pfSense will open ports.
-
If you can hit the OpenVPN server and connect when you client is in the 192.168.1.X subnet then pfSense is configured correctly.
Either the ISP device is not setup to forward the traffic to pfSense or the client is using the pfSense WAN IP to try to connect, 192.168.1.94. Obviously that won't work externally.
If you used the OpenVPN client export package what did you set 'Host Name Resolution' as?
By default it will use the WAN IP directly which would fail in your case.
Check the client connection logs. Be sure it's connecting to the real public IP.It should definitely be possible to get this to work with a little troubleshooting.
Steve
-
@stephenw10
Currently its using the interface IP address which would probably be the WAN. There are 3 other options; Multi-WAN IPs, Multi-WAN DDNS, and then installation hostname. Which should be used? Is there a way to specify my publics IP address rather? -
@cmos_battery said in PfSense behind ISP modem/router combo:
Currently its using the interface IP address which would probably be the WAN.
Which would be rfc1918, since your behind a nat - how would you get to that from the public internet.
Think about it for 2 seconds..
I really don't mean to sound rude or anything.. But you put up a drawing showing your pfsense interface as being rfc1918.. How would you get to that from the public internet? So how would you think the interface IP would work?
hint:
Your actual PUBLIC IP! or FQDN that resolve to your public IP.
-
Ok we’ll thanks for not being rude. My professors haven’t taught me too much on VPN’s seeing as I’m only a sophomore.
And I’m just seeing your hint. Thank you, I had seen other. Again, I’m just a sophomore in a CIS program. Thank you for giving me a learning moment, I haven’t been able to get much lab time with Covid and the professors eased up on our work. We haven’t been getting all the info we really need.
It is working so far within my home network, I have the servers address posted as the Public IP. Ill just need to go out to a close by store and test it.
-
So you have not gone over what a public IP is vs rfc1918 yet? I would think that would be like day 1 or 2 ;) When learning about IPs..
This would be top of the list sort of stuff to understand when working with natting and routing and the internet. ;) Would clearly be a prerequisite for setting up a vpn server that does nat and is connected to the public..
Since pretty much every single home router does nat, well really napt. And uses rfc1918 space as their local network.. Understanding the difference between a public IP and a private IP would be pretty early in the lesson plan ;) Where you sick the first week and missed class? I kid you - but this is basic stuff here..
I have to blame the teacher I guess ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
Unfortunately it's all too easy to come across as either incredibly patronizing or incomprehensible depending on the experience of the questioner.
You said you were seeing packets as expected on the WAN which lead me down the wrong path.
Anyway I think that is your issue. As I test I would just set the client to use the external public IP manually and retest. If you can do that at the same time as having a packet capture running on the pfSense WAN (using a phone hotspot for example) you should see that traffic coming in even if the connection fails for some other reason.
Steve
-
@johnpoz
Most of my classes that teach me that information wont come till the end of my sophomore year, next spring and fall. My entire freshman year and this upcoming fall semester is nothing but stats business calculus, and low level intro classes like your basic high school classes all over again and for a ton of money.
I don't understand, even in my networking associates why we avoided VPN's so much. I remember briefly doing Public Vs. Private and that we should assume all 10.X.X.X addresses are private and a few others. For the most part we got told "you'll just learn it through the companies you work for." or the even better "If the company is good, you just need to maintain what they have." That's a great fantasy scenario from my professors, I mean really. What would I do if a branch popped up and my boss asked for them to get remote connection to the servers. I cant just say I don't know. At the same time, yeah I feel like a dumbass having to ask some questions here that I feel like my $30K degree should have taught me. -
One thing to bear in mind is there's nothing magic about VPNs. They're just one way to establish an IP connection between sites. Once they're set up, you use then as you would any other connection. Years ago, things like frame relay and fractional T1s were used. These days, out in the real world, you might come across MPLS or QinQ VLANs, As for setting up VPNs, you have to know which one and the specifics depend on the brand. For example pfsense supports OpenVPN, IPSec and Wireguard VPNs. But the details of configuring IPSec, for example, on Cisco would differ from pfsense. I don't know that a class such as your is the place to learn more than general principles, though you may get into setting up one. But when you get out into the real world, you could easily find yourself working with another. The principles will remain the same, the but details may differ and you'd be expected to work those out on your own. One thing I complained about years ago was the schools teaching Windows and Microsoft Office, rather than operating systems and office apps, so that a person would have portable skills. It's sort of like a auto mechanic class teaching only one make of vehicle, as though the others didn't exist.
