Musste leider feststellen, dass "meine" Lösung wohl nur eine gewisse Zeit funktioniert. Irgendwann scheint es so, dass Windows den "ersten" DNS-Server nicht mehr nutzt und daher interne Namen nicht mehr auflöst.
Habe daher vorerst auf IPs umgestellt.

I would always set 'don't pull routes' personally. Otherwise you're at the mercy of whatever they want to send you, which is usually a new default route.
However if you don't pull routes from them you need to policy route the traffic you want via the VPN gateway.

Steve

On a Windows laptop you can indeed just use file explorer (smb) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a dns search domain to clients and pSense as a DNS server they may be able to resolve LAN side hostnames if pfSense is a the DHCP server there.
The hosts you are connecting to need to allow smb connections from the OpenVPN tunnel subnet of course.

Anything you can do from the Android phone locally on WIFI should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access smb fileshares on a phone. There may well be an app for that.

Steve

Thanks for all your help your comment about the windows firewall got me to look at it a different way. Turns out during one of my previous attempts to get internet to my VPN clients (a different issue not this one) I messed with some other firewall settings and pushed all of the VPN traffic out the WAN interface which worked fine for getting my clients internet access but caused issues when I tried to access the LAN. I removed that and now with the push route command my clients are able to access the Internet and my LAN

That's using a Netburst Xeon right? It's not going to be fast. I don't have much to compare it with but waaay back when I was running a P4 2.8 it was good for ~300Mbps.
I would expect that pass 400Mbps using firewall and NAT only but maybe not much more.

Try it and see.

Steve

Your rules force all traffic out the gateway.

rules.png

And the rules below that make no sense, because rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

So your rule sending traffic out your gateway is any any.. When would there be traffic that does trigger that rules.

When would there be traffic to ! private, that does not match the rule above it any any?

If you want your clients to talk to pfsense IP.. Where do you allow that? You block talking to pfsense on 443, then your next rule says go out the vpn.. How does vpn have access to pfsense vlan30 interface for example?

@n1kasus
Посмотрите вот тут

https://www.thin.kiev.ua/router-os/50-pfsense/680-pptp-clien-wan-pfsense-20.html

Пост старый , но идея ясна
Тоже самое предложил Dимыч

Use policy routing
https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html

@CNLiberal said in Solution for Multicast Over Tunnel:

haven't found decent OpenVPN software for the Mac yet.

On this point, the client linked on this page from the OpenVPN Access server docs, in my experience, works fine with an OpenVPN server on pfSense. Just import the standard config. I have not tried this with a tap connection. I used the 2.7 version, and haven't tested the 3.1 beta. The page also mentions alternate clients.
https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/

@jimp Yes would love this feature as wel. Tested it and works really fast en easy to setup. Timeline even for beta release would be great.
OpenVpn has so much overhead, and just does not meet the speed requirements with low(er) end hardware.

Thanks, I will look into setting up OpenVPN instead.

All of those links take me to a page that requires login on aliexpress.

Is there any reason the official netgate solution wouldn't work for you?

I'm not sure if the SG-3100 would work for the home, office and guest setup using the LAN and OPT1 interfaces. Not sure if the RT-AC87u setup as an access point with a separate guest login would prevent the guest users from accessing the rest of the LAN it's connected to. My feeling is it wouldn't so you might need another interface and AP for the guest if that's the case (SG-5100).

If price is an issue, I hear good things about the apu2 platform.

I could not find my previous post, I thought it was not posted properly, now I found it but can not remove this one... please Admin, remove it and pardon my mistake

@Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file.

Untitled.png

mssfix1400_full_cap.pcapng

BGP over policy based IPSec is just asking for trouble IMO. It's possible to make it work but you need P2s to cover all traffic being routed and the BGP traffic itself. Since AWS only allows 2 P2s on each P1 that's often a problem.

Steve

@KOM ok thanks will try that

Show your OpenVPN Config and Firewall Rules (Screenshots).

-Rico

Thanks Pablo. Good to have in case we ever move to an HA setup with Google VPN. For anyone else that reads this, my posts were for the Classic Google VPN setup (non HA).

One note I wanted to add, in the BGP settings in my instructions above, don't change the setting for "Redistribute connected networks" to Yes. When set to Yes this advertised our WAN network to Google and caused issues with hitting public facing servers we had in Google. Since we only have a few networks locally, I just manually defined those along with the BGP network 169.254.10.0/30 in the fields below that setting.

The other option may be to change the setting to Yes and somehow mark it to ignore the WAN network, but I haven't looked into that.

ah ok i added a Fall over for P2P so if Nord Goes down it cant leak internet and start using the WAN.. had to adding a Floating Rule... this way IF Nord goes down i can still use internet but it denys it to the P2P and my guest network router

After contact with microsoft helpdesk I found the solution for me.
For future reference: I had to turn on mss clamping and set it to 1350. This is also in the advanced IPSec settings

Maybe this settings was defaulted after an update? I wasn't the one who configured it in the first place, so I wouldn't know for sure.

I made sure to match my settings to this document https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-about-vpn-devices

@stephenw10 Thanks for the reply, I had this disabled already, but the pointer was appreciated

Solution can be found here:
IIPsec to Mikrotik

Hi, your machines uses s.o windows ? in that case turn off the firewall each and check pin to the other machine

@treborjm87

I'd be curious about this as well...

I think you need to establish how much throughput/bandwidth you need and how many concurrent user connections you anticipate, etc? (Is this box dedicated to routing and VPN only or more exotic use cases like running VMs, etc)

I've seen some charts floating around with hardware recommendations based on required throughput here and at the servethehome website.

https://www.netgate.com/docs/pfsense/virtualization/virtio-driver-support.html

Yes, nothing will change unless you change it. For example:
https://www.netgate.com/docs/pfsense/book/openvpn/openvpn-and-multi-wan.html

Steve