@mebert
Consider that you have to state the remote domain if you client uses another search domain, what I assume.

So if you want to request the remote host name is "host" and its domain is "local" you need to type "host.local" to access it.

@steveits

I may be interested in knowing more. My ATT router has a 5G port that is unused, but only 1 of the 2 routers has 5G capability, the pfSense. The other router is a MikroTik, but none of it's eth ports have 5G.

For clarity, my pfSense router has a 5G wan input, and 2 10G SFP+ ports as potential outputs.

I wanted perfect separation at the WAN connection, but I could use the 5G ethernet port on the ATT machine and go to the pfRouter, then split the connection to a second router via SFP+ and then to a switch for VPN access via the 2nd SFP+.

This would give me 5G all the way to each router, than separate LANs from there.

@djdmx Good to hear!!
Sorry I haven't answered any of your posts, just getting over the flu. But you didn't need my help anyway!

@moadmin
Hey guys, can i get any suggestion on this, its still happening even with split tunnel config.
When VPN is on and connected, google meet calls are choppy and distorted, when we turn it off the video is smooth and in good quality.
This happened after we updated our pfsense to 2.6.

But anyway you don't need NAT reflection on pfSense for this now. It's useless, since nothing points to its WAN IP.
And the port forwarding rule with the WAN IP is useless as well.

@viragomann no I need both, I tested it. As soon as I remove the reflection from the port forward, the service is not accessible from within LAN. If I deactivate the WAN port forward Rule, I can't access it from the internet. Maybe because of the first main forward "everything" to pfsense rule in proxmox's network interfaces file. So I will leave as it is for now. I'm just happy that it finally works.
Yes, got a scheduled job doing VM backups every day.

@gertjan said in NordVPN makes internet speeds very slow on PfSense.:

hardware encryption

Thank you for your reply! I believe N*rdVPN doesn't allow to choose from a list of cyphers. AES-256-GCM is the encryption algorithm I use. Hardware Crypto is availible:
7590057b-a6da-40b4-919f-203b79dfee1d-image.png
For now, I'm changing my desktop's local IP to disable the VPN if I need high speed like you said. 180-200 Mbps is still enough for browsing the internet and even gaming, video streaming, but it sucks that 80% of my internet speed goes to VPN. I originally chose NordVPN because they were recommended in many forums and they had a nice deal VPN + Password Manager and Data Leak Scanner, but now I think about switching to PIA.

@stephenw10 I deleted the WireGuard tunnel then I set it up all over again. Done the same thing at VPS. Rebooted remote VM and pfSense and it started working.

I have no idea what happened before but I thanks you for all the support you provided!!

Thanks a lot

:-)

kind regards

@jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

@jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.

@viragomann
I see. This is all still ridiculously new to me. I will make adjustments.

Yeah still not working. I'm about to give up on this.

I created a small tool luckman212/stv to help make it a little easier to debug states. In case it's useful to anyone else.

@mrDick гляньте тут - https://forum.netgate.com/topic/131401/%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-openvpn/75 настроено не по феншую, а переделать не получается. Но сколько лет работает на 3 офиса.

UPD по новым требованиям отключите сжатие и поставьте алгоритм на 512

UPD2 тьфу, забыл. Может уже и не актуально, но в Keenetic в ПЕРВУЮ ОЧЕРЕДЬ отрубите свой OpenVPN от других интерфейсов через CLI (там мануал есть в их хелпе), иначе эта пакость будет туннель пихать и в WI-Fi, даже если там гостевая сеть настроена!!!

@ma0f97 Has no one an idea?

Make sure you have the Don't pull routes option checked in your OpenVPN Client configuration:
pfSense_Dont_pull_routes.png

-Rico

@mer Thanks for the reply! Your comments got me to thinking which can be dangerous ;-)

I figured out the problem. It has to do with little Windows 10 app that the commercial VPN provides. This app resides in the system tray on the right side of the task bar in Windows 10. The app is used to connect and disconnect from the VPN. With your comments, I had the thought to try to figure out what DNS server windows was using when connected to the VPN and when not connected to the VPN. With a quick google search I found the Windows 10 command prompt nslookup command. Simply entering "nslookup" in a windows command prompt will return the DNS server being used. In my case, when I wasn't connected to the VPN, it returned the ip of my pfSense router. When I was connected to the VPN it returned an ip of a DNS server that belongs to my VPN provider. It seems that everytime you connect to the VPN service using their Windows 10 app, they change your DNS server address to their DNS server. I tried manually changing it back to the ip of my pfSense router but that didn't work when connected to the VPN - in that case I broke internet access altogether and couldn't connect to anything. When connected to the VPN, Windows wasn't able to resolve the local ip of my pfSense router. The solution will have to be to stop using the app provided by the VPN provider so that the DNS server that Windows uses stays pointing to my pfSense router. I had previously setup a gateway associated wiht the commercial VPN provider in my pfSense router. My solution will be to configure pfSense to route traffic from my Windows 10 through the VPN gateway when I want to use the VPN from my Windows 10 pc. Sort of a pain b/c I will have to log in to pfSense every time I want to use (or not use) the VPN. But in this scenario I can use the https://server1name.domain_name.tld paradigm to access my local services from my Windows 10 pc whether or not its WAN traffic is being routed through the VPN. This is because my Windows 10 pc will always be configured to use pfSense for domain name resolution.

@djohnson
This is a late reply but it may assist someone else in future.
The VOIP audio traffic (RTP) require separate UDP ports to be open. The exact range will vary depending on your VoIP system.

Hence, if the RTP ports are not open, you can experience a "working" system, but with a complete lack of audio.

Musste leider feststellen, dass "meine" Lösung wohl nur eine gewisse Zeit funktioniert. Irgendwann scheint es so, dass Windows den "ersten" DNS-Server nicht mehr nutzt und daher interne Namen nicht mehr auflöst.
Habe daher vorerst auf IPs umgestellt.

@noplan said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

@trikki69 said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

so your problem is now solved with this

added this to my advanced custom options within the OpenVPN client setup:
;pull-filter ignore redirect-gateway;

brNP

Yep - works great now, no thanks to ExpressVPN support.

On a Windows laptop you can indeed just use file explorer (smb) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a dns search domain to clients and pSense as a DNS server they may be able to resolve LAN side hostnames if pfSense is a the DHCP server there.
The hosts you are connecting to need to allow smb connections from the OpenVPN tunnel subnet of course.

Anything you can do from the Android phone locally on WIFI should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access smb fileshares on a phone. There may well be an app for that.

Steve

Thanks for all your help your comment about the windows firewall got me to look at it a different way. Turns out during one of my previous attempts to get internet to my VPN clients (a different issue not this one) I messed with some other firewall settings and pushed all of the VPN traffic out the WAN interface which worked fine for getting my clients internet access but caused issues when I tried to access the LAN. I removed that and now with the push route command my clients are able to access the Internet and my LAN

That's using a Netburst Xeon right? It's not going to be fast. I don't have much to compare it with but waaay back when I was running a P4 2.8 it was good for ~300Mbps.
I would expect that pass 400Mbps using firewall and NAT only but maybe not much more.

Try it and see.

Steve

Your rules force all traffic out the gateway.

rules.png

And the rules below that make no sense, because rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

So your rule sending traffic out your gateway is any any.. When would there be traffic that does trigger that rules.

When would there be traffic to ! private, that does not match the rule above it any any?

If you want your clients to talk to pfsense IP.. Where do you allow that? You block talking to pfsense on 443, then your next rule says go out the vpn.. How does vpn have access to pfsense vlan30 interface for example?

@n1kasus
Посмотрите вот тут

https://www.thin.kiev.ua/router-os/50-pfsense/680-pptp-clien-wan-pfsense-20.html

Пост старый , но идея ясна
Тоже самое предложил Dимыч

Use policy routing
https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html

@CNLiberal said in Solution for Multicast Over Tunnel:

haven't found decent OpenVPN software for the Mac yet.

On this point, the client linked on this page from the OpenVPN Access server docs, in my experience, works fine with an OpenVPN server on pfSense. Just import the standard config. I have not tried this with a tap connection. I used the 2.7 version, and haven't tested the 3.1 beta. The page also mentions alternate clients.
https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/

@jimp Yes would love this feature as wel. Tested it and works really fast en easy to setup. Timeline even for beta release would be great.
OpenVpn has so much overhead, and just does not meet the speed requirements with low(er) end hardware.

Thanks, I will look into setting up OpenVPN instead.

All of those links take me to a page that requires login on aliexpress.

Is there any reason the official netgate solution wouldn't work for you?

I'm not sure if the SG-3100 would work for the home, office and guest setup using the LAN and OPT1 interfaces. Not sure if the RT-AC87u setup as an access point with a separate guest login would prevent the guest users from accessing the rest of the LAN it's connected to. My feeling is it wouldn't so you might need another interface and AP for the guest if that's the case (SG-5100).

If price is an issue, I hear good things about the apu2 platform.

I could not find my previous post, I thought it was not posted properly, now I found it but can not remove this one... please Admin, remove it and pardon my mistake