Netgate Discussion Forum
    Interface Route to local IP

    Routing and Multi WAN
    24 Posts 5 Posters 2.6k Views
      DaHai8:

      Sorry about that - meant to say LAN3

      I thought using numbers instead of my assigned names would make it easier for everyone, but instead it's just got me confused.
      From now on in all my posts (hopefully not many more :)…) I will refer to them by the assigned names so I don't get confused and muck up everything...again.
      LAN1 = SIF
      LAN2 = THOR
      LAN3 = LOKI

      I seem to be having lots of problems with SIF since I changed it from 192.168.1.x to 192.168.4.x as I was double-NAT'd. I've since removed that other NAT device and am now single NAT'd with pfSense. Therefore, I've set SIF back to 192.168.1.x, but it still seems to be messed up.

      The DHCP service on SIF is not talking to anyone. I've posted a message in the DHCP/DNS forum asking for help as I cannot seem to get it working now:
      https://forum.pfsense.org/index.php?topic=121772.0

      Maybe once I get that sorted out, my route from LOKI to 192.168.1.4 (Wormhole) will work.

      I'm also building a new Wormhole to test with because I can't even PING the old Wormhole no matter what Interface I put it on (if different than the Ping Sender's)
      https://forum.pfsense.org/index.php?topic=121748.0

      Ugh, what a mess I've made…I really do very much appreciate everyone's help!

        johnpoz (LAYER 8 Global Moderator):

        What are you doing dude.. Completely agree with you here

        "Ugh, what I mess I've made.."

        Do you understand the hairpinning that would be going on in this network??  So in going to the internet. Follow your path..

        lanPC
        To
        langw
        outlan3gw
        Inwormhole
        Outwormhole
        inlan3gw

        How does your traffic expect to get back now??  Because if you don't go through your wormhole it's asymmetrical and your firewall will kill any states it sees no traffic on once it hits its timeout, etc..

        So yeah what a mess..

        Let's try this again - if you actually explain what you want to accomplish we can go over the options for doing whatever it is you're wanting to do..  Without a borked up pile of crap!!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

          DaHai8:

          So, two steps forward, one step backwards

          My Pi VPN/SSL Client is working on 192.168.1.4 and connects to the VPN/SSL Server just fine.
          But…you knew there'd be a 'but'...

          When I enable the Policy Route and Upstream Gateway, it (the Pi) cannot connect to the VPN/SSL Server anymore.
          It just initiates, and then gets a soft reset, and tries again - infinitely...

          So here's how I implemented Derelict's instructions (the Route was Enabled before when I did the test, as was the upstream gateway):

          What did I screw up this time??

            DaHai8:

            johnpoz,

            I have a WiFi AP (192.168.3.2) on Loki Interface (192.168.3.1)
            Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
            That data is sent to the OpenVPN/SSL Server somewhere 'out there'

            My issue is getting Loki WiFi AP connections to the OpenVPN/SSL Client.

            That's it in a nutshell

              DaHai8:

              Ok, I googled around and found this web site that talks about pretty much what I'm trying to do. They set up the VPN Gateway on the same subnet as all the clients (I didn't think you could do that!)
              http://ozcan.com/blog/en/setting-up-vpn-gateway-with-raspberry-pi

              So I put my Pi on Loki (192.168.3.x) and set it as follows:
              IP Address: 192.168.3.3/24
              Gateway: 192.168.3.1

              I set this up in iptables:

                  # NAT client traffic that leaves through the VPN tunnel
                  iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
                  # NAT traffic that leaves through the LAN interface as well
                  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

              While the above web site does not mention the second iptables setting, if I don't include it, the Pi randomly aborts the SSH connection.

              I then SSH'd into my Pi while on the Loki Interface and verified that the VPN Client was connecting to the VPN Server and working properly (it was)

              So then I tried to set up the Pi as the new Gateway for Loki using the following setting in pfSense:


              However, now with all that in place, when I'm connected on the Loki Interface, I cannot get to the VPN Server - regular Web Sites don't work either. The Web Browser just reports "No Internet Connection".

              I feel like I'm really close. It's probably some setting not right in pfSense.

              Thank you all for sticking with me on this - I really do appreciate it!!

              Any ideas/suggestions on what I've mis-configured are greatly welcome!!!

                johnpoz (LAYER 8 Global Moderator):
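The two MASQUERADE lines in the post above, expanded into the complete forwarding and NAT rule set a Linux host needs when it acts as the VPN gateway for the Loki subnet. This is an added example, not code from the post or from the linked blog: the interface names eth0/tun0 and the 192.168.3.0/24 subnet come from the thread, while the DRY_RUN switch, the show/apply arguments and the log prefix are this example's own. Unlike the post's second rule it does not masquerade traffic leaving eth0; instead, forwarded client traffic that would leave the LAN interface in the clear (which is what happens when tun0 is down and the default route falls back to eth0) is logged and dropped, so clients lose connectivity rather than silently bypass the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): iptables/forwarding rules for a Linux
# host acting as VPN gateway for the 192.168.3.0/24 (Loki) subnet, with the
# OpenVPN tunnel on tun0 and the LAN on eth0. Interface names and subnet are
# taken from the thread; DRY_RUN and the show/apply arguments are assumptions
# of this example.

LAN_IF="${LAN_IF:-eth0}"                # interface facing the LAN clients
VPN_IF="${VPN_IF:-tun0}"                # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.3.0/24}"    # clients allowed to use this gateway
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rule set, one command per line, in the order it must be applied.
# Comment lines are documentation only and are skipped by apply_gateway_rules.
gateway_rules() {
    cat <<EOF
# The kernel does not forward between interfaces until this is enabled.
sysctl -w net.ipv4.ip_forward=1
# NAT only the LAN subnet, and only when it leaves through the tunnel.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
# Replies for connections the gateway already knows about are allowed back.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections from LAN clients may only go into the tunnel.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $VPN_IF -j ACCEPT
# Anything the gateway would forward back out the LAN interface (tunnel
# down, or a hairpin toward the router) is logged and dropped, never leaked.
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -j LOG --log-prefix vpngw-leak-drop:
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -j DROP
# Default deny for every other forwarding path.
iptables -P FORWARD DROP
EOF
}

# Apply (or, with DRY_RUN=1, print) every non-comment line of the rule set.
apply_gateway_rules() {
    gateway_rules | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # Word splitting of $line is intended: each line is one command.
        run $line || exit 1
    done
}

# True when the tunnel interface exists, i.e. the VPN client is connected.
tunnel_up() {
    ip link show "$VPN_IF" >/dev/null 2>&1
}

case "${1:-}" in
    show)
        DRY_RUN=1
        apply_gateway_rules ;;
    apply)
        tunnel_up || echo "warning: $VPN_IF is not up; clients have no connectivity until the VPN connects" >&2
        apply_gateway_rules ;;
    *) ;;   # no argument: only define the functions (for sourcing or testing)
esac
```

`sh vpn-gateway.sh show` prints the commands without touching the system; `sudo sh vpn-gateway.sh apply` installs them. The LOG rule gives a kernel-log line prefixed `vpngw-leak-drop:` every time a client packet tried to exit the LAN interface instead of the tunnel, which is the quickest way to tell "tunnel down" apart from the "No Internet Connection" symptom a wrong gateway setting produces.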

                "Anyone who connects on that Wifi AP should be sent to the OpenVPN/SSL Client.
                That data is sent to the OpenVPN/SSL Server somewhere 'out there'"

                So you want your traffic to go to a vpn??  Why would you not just set up this vpn connection in pfsense???  Openvpn client, Policy route = done!!  2 freaking minutes.  No asymmetrical routing, no hairpinning, no other boxes/devices needed..

                Then you could route any of your segments to this vpn, you could route just specific hosts, you could route just specific dest traffic…

                You keep saying openvpn/ssl - and you brought up stunnel in your other thread??  So is this vpn connection an openvpn one or stunnel based?  Stunnel will run on pfsense.. You're going down the WRONG PATH trying to set up devices to route to a host on their own network or a different local network..  The proper way to do this sort of stuff is at the edge of your network, not internally.  If done on some internal box you either end up with messy hairpins in the best case, or hairpins and asymmetrical routing.  Even when you do this on a transit network to remove the asymmetrical routing issues you end up hairpinning..

                Why can you not just do this the simple easy less complex way by running the vpn connection on pfsense and then policy routing the devices on your network you want to use this vpn connection??

                If you have more than 1 public IP you could run it on some other box via a transit network connection to pfsense without hairpin..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07 | Lab VMs 2.8, 25.07

                  DaHai8:

                  I'll say it again: OpenVPN over SSL. I don't know how much clearer I can be. Google it.

                  So, no, it's not just 'boom' done in pfSense as there is no web interface for stunnel.

                  I took the 192.168.3.3 ip address out of the Loki_VPNHost Rule and I am not able to get to the VPN Server from clients connected on that Interface (Loki/192.168.3.x)

                  I have some DNS issues to address, but it's almost there!

                  Hopefully you'll never have to hear from me again (ha. fat chance)

                    DaHai8:

                    Well, there are two issues:

                    1. the VPN won't connect if the LOKI_VPNHOST Rule is active. Once the VPN is connected, then I can activate that Rule. But if the VPN link goes down, it can't reconnect.

                    2. The Traffic over LOKI is redirected through the VPN, but the DNS lookup is not. So I need to be able to set the DNS Resolver to go through the VPN link

                      DaHai8:

                      I think I have it all working now!!!
                      I disabled the Gateway rule and just set the gateway for Loki on the DHCP Loki Interface.
                      I also set the specific DNS servers on that page as well.
                      The Pi likes it too - no more failed connecting.
                      Awesome!!!

                      Thanks everyone again for all your help!!!

                        johnpoz (LAYER 8 Global Moderator):

                        "its not just 'boom' done in pfSense as there is no web interface for stunnel. "

                        So you seem to be able to do iptables via config file - but stunnel is too hard??

                        Working as an asymmetrical hairpinning nightmare.. Have fun with that mess!!  WTF..

                        Simple search and here looks to be instructions on bringing up stunnel on pfsense inbound
                        https://forum.pfsense.org/index.php?topic=109873.0

                        I show newer version here http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/stunnel-5.37,1.txz vs the one in that thread.

                        Tell you for sure the time needed to create this sort of connection would have been a fraction of the mess you have!!

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07 | Lab VMs 2.8, 25.07

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.