Access from WLAN to VPN Network, both different Networks



  • Hello Forum,

    I set up pfSense on an Alixboard a1u.
    Now I try to give users access to a VPN network over WLAN. WLAN and the target network are different networks.
    How can I solve this? I don't get it running.

    I attached a PNG to show the setup.

    I did a bridge on pfSense where LAN1, LAN2, LAN3 are connected to,
    and OPT4 and OPT3 (the two OpenVPN connections that exist).
    OPT2 is the bridge itself.

    Is it possible to do this? Users on WLAN-AP2 (192.168.2.0/24) shall have access to VPN2 (192.168.17.0/24).

    If you need more info, screenshots of my rules etc., I can provide them if needed.

    Thanks a lot,

    marko



  • Rebel Alliance Global Moderator

    Why is your "cablemodem" connected to pfSense via a LAN port?

    And you did what, you bridged all your interfaces??  WTF??  Dude, if you need more LAN ports get a switch…

    Get your networks working locally how you want..  Then add your VPN connections..  But that looks like a complete mess..  Cable "modems" do not NAT, do you mean you have a cable gateway?  What is the IP address on pfSense WAN?  What are your LAN networks... I would really really really, let's repeat really, suggest you stay away from bridging anything on pfSense...



  • Hi Johnpoz,

    I did the bridging, because I found it in a howto/guide…..

    Ok, at first, in the PNG I drew, the naming is a bit wrong.  The LAN1-3 should represent the Eth1-3 on the Alix board.

    I connect the cable modem via one of the eth ports, because I don't have a box with pfSense directly connected to the internet.
    We have cable internet in our area. So the provider sends a DOCSIS-3 modem with 4 LAN ports.
    To one of them I connected the box with pfSense.

    I need the box, because the box should do the two OpenVPN connections to the remote server.

    Goal: on Ethernet-1 it should be possible to reach VPN1, on Ethernet-2 VPN2.

    On both Ethernets I will connect WLAN access points, so multiple users can access both VPN networks.

    Maybe I did it totally wrong and it looks like a mess for a pro like you. Maybe you calm down a bit and have the mood to guide / help me???

    Ok, to the setup.
    From your post I notice I do not need bridging at all, right?
    For better understanding, we can name the 3 network ports on the board eth1, eth2, eth3.

    The OpenVPN connections work like a charm and are up.
    Should I remove all bridging? And then do:

    eth1 no IP config, and set in a rule as gateway the OpenVPN (192.168.5.0/24) connection it should go to?
    eth2 same and choose in a rule the 2nd OpenVPN connection (192.168.17.0/24)?
    eth3 is configured with IP and as gateway the cable modem.

    So at this point, both VPNs are up (192.168.5.x) & (192.168.17.x).

    On eth1 I want to connect the WLAN access point with the 192.168.2.x network, and it should be possible to reach the 192.168.17.x network.

    On eth2 the WLAN AP works fine and reaches the network from OpenVPN.

    Hope this is a bit more clear for you.

    marko

    And sorry, I am not a network pro  :-[



  • Yes it's better to remove the bridges. pfSense is a router and all your needs can be achieved by routing.

    Ensure that you use tun devices for the VPN clients and assign an interface to each. Then add firewall rules to eth1+2 to allow access to the respective VPN subnet.
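An added illustration, not viragoman's own configuration nor anything generated by the pfSense project: the routed design described in this answer, written as the kind of pf ruleset pfSense builds from its GUI rules. The interface names (re1 for the segment with the WLAN AP, ovpnc2 for the interface assigned to the second OpenVPN tun client) and the subnets are taken from the thread and are assumptions.

```pf
# Added example (not the poster's own config): routed WLAN -> VPN2 access
# as pfSense expresses it in pf, with no bridge involved.
# Assumed names: re1 = LAN2 where the WLAN AP sits, ovpnc2 = the interface
# assigned to the second OpenVPN client (a tun device, not tap).
wlan_if  = "re1"
vpn2_if  = "ovpnc2"
wlan_net = "192.168.2.0/24"
vpn2_net = "192.168.17.0/24"

set skip on lo0

# Default deny, logged: blocked packets then show up under
# Status > System Logs > Firewall, where they can be turned into pass rules.
block log all

# Outbound traffic is permitted on every interface (pfSense's default).
pass out all keep state

# LAN2 rule: WLAN clients may reach the VPN2 subnet and nothing else;
# replies come back through the state entry, so no inbound rule on ovpnc2.
pass in quick on $wlan_if inet proto { tcp udp icmp } \
    from $wlan_net to $vpn2_net keep state

# If the remote side has no route back to 192.168.2.0/24, hide the WLAN
# clients behind the tunnel address instead of adding a static route there:
# nat on $vpn2_if from $wlan_net to $vpn2_net -> ($vpn2_if)
```

The same pattern repeats for eth2 with its own interface name and the 192.168.5.0/24 subnet; no bridge member, tap device or extra route is needed.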



  • Hi viragoman,
    Sorry, can you briefly explain why bridging is such a mess, or not a good idea?
    I try to understand it, because many howtos and guides have bridging…

    Thank you
    marko



  • There is no need to bridge network interfaces to reach your goals. Bridging OpenVPN can only be done by using virtual tap devices and there is much trouble with that.


  • Rebel Alliance Global Moderator

    " cause many howtos and guide have bridging…"

    For what, a VPN connection??  That makes NO sense at all - please link to such a guide or howto..



  • I did it a while ago because:

    …on the remote machine were multiple virtual machines, all had 192.168.17.x for example.
    I did a bridge with 192.168.17.1, bound OpenVPN in bridging mode to the bridge, and all VMs to the bridge.
    So all VMs were reachable over the bridge.....

    Maybe this is the wrong way. I will try your suggested way.



  • Ok, viragoman / johnpoz,

    I reset the box to new.
    Now I have interface re2 as LAN talking with the cable modem; it can ping addresses outside on the www.

    I have added both OpenVPN connections, and they are shown as "up".

    On interface re1 (I labeled it LAN2) I connected one of the WLAN access points.
    I don't get it to work that the access point gets in contact with OpenVPN connection #1.

    I am not really sure how to do this. On "assign interfaces" I can put the OpenVPN connections to interface OPT1… do I have to do this?
    And, do I have to use "add a route" or NAT to reach my goal?

    Thanks for any help

    marko



  • Does your WLAN work basically?
    Does pfSense do DHCP for the WLAN and is it the default gateway?

    If so, there is no need for adding further routes. You just need a firewall rule on the interface where the AP is connected to permit access.

    Can you ping the VMs from pfSense?



  • Hi,
    Yes, the WLAN access point works. With the bridged setup it was able to reach the VPN net.
    (The access point is doing DHCP for the clients, not pfSense.)

    The access point is on LAN2 (re1). Do I have to set an IP on the interface (re1)?
    Or do I set "none"?

    It doesn't work for me. Shall I do screenshots of the settings?


  • Rebel Alliance Global Moderator

    "Now i interface re2 as LAN talking with cable modem"

    Again WTF… LAN interfaces do not talk to your ISP device...

    pfSense WAN!! is what should connect to your ISP, cable modem, router, etc..  LAN interfaces are where your wifi would go..



  • @markoweber:

    (the accesspoint is doing dhcp for the client, not the pfsense)

    The AP does DHCP in AP mode  :o  That means it doesn't care if there is another DHCP server working in the network?
    Maybe, I don't know.

    @markoweber:

    the accesspoint is on LAN2 ( re1) , do i have to set an ip on the interface? (re1)
    or do i set "none"?

    Of course an IP must be assigned to the interface, and this IP has to be the (default) gateway for the WLAN clients and has to be entered in the DHCP config.



  • Hi johnpoz,

    It would be much easier if you stopped bashing me as a professional.
    IT DOESN'T MATTER how I name re1 re2 re0, I could also name them ding dong dang… ok?
    Maybe it's easier for you if I name them re1 (ding) re2 (dong) re0 (dang).......

    And yes!!!  The FritzBox talks with the ISP!  It's a MUST.
    At the LAN ports (ok, LAN is a bad word for you I noticed)......., at the Ethernet ports, I connected the pfSense Alix board.

    It's ALL ok, maybe I chose bad interface names from your point of view....maybe, sorry for that.
    Hints on how I get this working would help me more.....

    I thought to find help in this forum here.............

    Maybe you are now in the mood to help constructively to solve this.....would be great, seems you are more of a pro in networking.

    In the old pfSense config all worked, with the bridged setup. You told me, boy it's wrong, do it another way.
    Help me to do it the correct way, I would like to learn and do it right.

    ok?

    Hope it's ok for you



  • Hey viragoman,

    I did it now your way…..
    The one port of the pfSense Alix board I set to 192.168.17.5, the WLAN access point is 192.168.17.150 -> with gateway 192.168.17.5.
    The AP does DHCP 192.168.17.100 - 192.168.17.110 to clients, with gateway 192.168.17.5.

    BUT, in "Status > System Logs > Firewall" I don't see anything blocked that I can set as a "pass" rule.
    When I connect to the AP I get 192.168.17.110 as client, BUT can't ping anything in the world, also NOT an existing VM (192.168.17.17).....

    Do you have Google Hangouts? Maybe I can shorten the way to help.

    marko


  • Rebel Alliance Global Moderator

    There is one huge language barrier here.. I would suggest you get help in your language..

    APs do not do DHCP…  Do you have a wifi router double NATting??

    What exactly are you trying to do??  I can not even understand what you want from your drawing, any use of the same network everywhere.. And 1 big giant bridge???

    So you have two networks behind pfSense?  And you want pfSense to connect to a VPN as a client..  And you want either of your networks behind pfSense to connect to these VPNs via policy based routing??

    Is that what you want...  What does it matter what the VPN tunnel networks are as long as they are different than your local networks behind pfSense?  Or are you setting up site to site?? And you're trying to reflect what their networks are, not the tunnel networks?

    What I would suggest you do is get your network behind pfSense working correctly, no freaking bridging.. your two local networks with your wifi.  Using the internet, and then we will throw VPN into the mix..

    So do you have this working?  See attached.  Your "cablemodem" is NATting even.. That on some 192.168.2 network it seems.. This is a basic 2 segment setup.  Whatever you're using for your "AP" are not the gateway to any devices, and do not do DHCP.  If they are repurposed old wifi routers then give them an IP on the network you're connecting them to.  Turn off their DHCP servers and connect them to that network via 1 of their LAN ports.

    Your devices on both of these networks should be able to talk to each other and use the internet.  The actual networks do not matter, in my example I used the first 3 in the 192.168 range.  Do you have this set up and working??  Once you have this then we can get your VPN working.. But this is the basic setup that needs to be working first..




  • AP do not do dhcp…

    Well, manufacturers tend to confuse terminology here. There are devices that are clearly access points with just one ethernet port, but they still have an option to turn them into NATing routers with a DHCP server for the wireless LAN side.


  • Rebel Alliance Global Moderator

    Sorry but if it does NATting it's not an AP… No matter what the manf might call it.. I agree they don't use the right terms.. calling shit modems that also do NAT..  It's either a modem, a router or a gateway.  If it's a gateway you assume it's a modem/router combo.

    Need to understand what the OP is wanting to do..  I doubt he wants to double NAT to his wifi clients..  From what it looks like that would be a triple NAT to the internet.