Torguard - Open VPN client - How do you split traffic by network interface?



  • Hello,

    I am new to pfsense and have some understanding about networking firewalls and routing. However I am hoping someone could help me to understand how I would setup Pfsense to split traffic at a network interface level where interface LAN1 would route through WAN but where LAN2 would route through the Open VPN client. Is this even possible?

    I'd rather not setup complicated routing or firewall rules etc. My idea was each LAN interface would share the same DHCP pool (though happy to split this up) but then each LAN interface would connect to separate switches.

    This sounds plausible as then any device connected to either switch would have its traffic routed automatically either out through WAN or via the Open VPN client.  The idea here is one side of the network would cover smart TV's/streaming boxes and some (maybe) wireless devices (AP point connected to switch) while the other side could cover PC's VOIP etc..

    I saw a post https://forum.pfsense.org/index.php?topic=113136.msg629634#msg629634 where I think they are talking about this kind of setup however it appears to be routed by firewall rules? Am I mad? Is what I'd like to do possible?

    I have opened a support case with TorGuard so am waiting for a reply from them but I don't feel this is their area of expertise nor their responsibility. They do have a post covering how to setup OPEN VPN client https://torguard.net/knowledgebase.php?action=displayarticle&id=208 .

    Thanks for anyone taking the time to read this post, if you do have any advice it would be very welcome.

    Kind regards,

    DMAj

    P.S. sorry if I am lacking details in this post I only just installed the software today! My Pfsense is running on a laptop but hopefully I can grow my setup into something special :)



  • Update:

    So Torguard have advised the following

    Thank you for contacting us, please use this guide https://torguard.net/knowledgebase.php?action=displayarticle&id=208 to setup VPN on pfsense, in "Server host or address" input your streaming IP and on NAT Settings section when you add the rules for source select your source LAN subnet or interface.

    Let us know if you have any further questions.

    Regards

    TorGuard Advanced Support

    This appears to confirm what I'd like to do as possible. I am waiting on a Lan express card to arrive to test this out so will post an update soon.



  • So it appears that in addition to the instructions from Torguard you need to manually force DNS IP's at the DHCP service for interface LAN. Also in my case despite their instructions:

    "when you add the rules for source select your source LAN subnet or interface."

    It was not possible for me to set an interface as source. However I think that it will be possible to set a new DHCP on an interface so my setup would be as follows:

    LAN > DHCP > 192.168.0.0/24
    OPT1 > DHCP > 192.168.1.0/24

    This would allow me to set 192.0.1.0 as the source "network". However I am seeing an error when trying to enable DHCP on OPT1:

    "The specified range lies outside of the current subnet."

    I have set the new DHCP as follows:

    Subnet: 192.168.1.0
    Subnet mask: 255.255.255.255
    Available range: 192.168.1.1 - 192.168.0.255
    Range: 192.168.1.1 > 192.168.1.254
    DNS servers:
    104.223.91.194
    104.223.91.210

    Am I doing something wrong? Or is this a bug?



  • OK I'm thinking this was my error? Anyway I was able to use a subnet calculator online to provide an available range

    Subnet:172.16.0.0
    Subnet mask: 255.255.0.0
    Available range: 172.16.0.1 - 172.16.255.254
    Range: 172.16.0.10 > 172.16.255.254

    Will post back update if my setup works.
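
The error quoted in the two posts above comes down to whether the DHCP range fits inside the subnet defined by the interface mask. The following is an added example, not part of the original posts and not pfSense code: it checks the posted values with Python's `ipaddress` module. The function names are hypothetical, and the overlap check goes one step beyond the thread, since rules that select traffic by source network only work when the interface subnets are distinct.

```python
import ipaddress

def check_dhcp_scope(address, mask, start, end, iface_ip=None):
    """Return a list of problems with a DHCP pool; an empty list means it fits."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if net.prefixlen >= 31:
        problems.append(f"{net} is too small to hold a DHCP pool")
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in net:
            problems.append(f"range {label} {addr} lies outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"range {label} {addr} is the network/broadcast address")
    if lo > hi:
        problems.append("range start is above range end")
    if iface_ip and lo <= ipaddress.ip_address(iface_ip) <= hi:
        problems.append(f"range contains the interface address {iface_ip}")
    return problems

def subnets_overlap(a, b):
    """True when two subnets share addresses; source-based rules need False."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))

if __name__ == "__main__":
    # Subnet, mask and range values exactly as posted in the thread.
    posted = [
        ("192.168.1.0", "255.255.255.255", "192.168.1.1", "192.168.1.254"),
        ("172.16.0.0", "255.255.0.0", "172.16.0.10", "172.16.255.254"),
        ("192.168.0.97", "27", "192.168.0.99", "192.168.0.126"),
    ]
    for args in posted:
        print(args, check_dhcp_scope(*args) or "OK")
```

A mask of 255.255.255.255 describes a single address, so every range is rejected; the /16 and the /27 used later in the thread both pass. Note that 192.168.0.97/27 sits inside 192.168.0.0/24, so those two could not serve as separate source networks.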



  • I actually think I got this to work. I will try and post my setup. Thanks to all the people in this forum who have posted their attempts and those who wrote guides online. I'll do my best to give back.



  • Thought I would add my network layout for now while I gather instructions.

    ![Network Diagram.PNG](/public/imported_attachments/1/Network Diagram.PNG)



  • Big thank you to Torguard team and Tai Toh. It’s worth saying that I am not a network technician and my guide is hardly complete, however I hope it might help someone nonetheless.

    Resources:
    The links below provide instructions on how to setup openVPN and setting up Openvpn for specific devices. My instructions build upon these guides and I assume you have already setup Openvpn, NAT and basic Firewall rules.

    https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/
    https://torguard.net/knowledgebase.php?action=displayarticle&id=208

    Version
    2.3.2-RELEASE-p1 (i386)
    built on Tue Sep 27 12:13:32 CDT 2016
    FreeBSD 10.3-RELEASE-p9

    Step 1 - Log into pfsense webConfigurator

    • https://[RouterIP]/index.php
    • http://[RouterIP]/index.php

    Step 2 - Setup New Interface

    Go to:

    • Interfaces > (Assign)

    Here you will see "Available network ports:" in my case my USB Ethernet adapter was using the network Port 'ue0'. Select the '+ Add' Button, to add this network port to your router as a physical interface. After adding this network port to my router I had the interface name "OPT1".

    Next you want to Select the interface name 'OPT1', this should bring you to 'General configuration'. Select the following options:

    • IPv4 Configuration Type > Static IPv4
    • IPv6 Configuration Type > None
    • MAC Address > Leave as default
    • MTU > Leave as default
    • MSS > Leave as default
    • Speed and Duplex > Leave as default
    • IPv4 Address > 192.168.0.97/27 (or set this to your preference )
    • IPv4 Upstream gateway > None
    • Block private networks and loopback addresses > Leave unticked
    • Block bogon networks > Leave unticked
    • Select 'Save'

    Step 3 - Setup DHCP

    Go to:

    • Services > DHCP Server > OPT1

    Select the following options:

    • Enable > Ticked
    • Deny unknown clients > unticked
    • Ignore denied clients > unticked
    • Range 192.168.0.99 > 192.168.0.126
    • DNS servers > (I used my VPN provider's DNS; this, I understand, is to stop DNS leaks)

    All other settings should be blank or unticked

    • Select 'Save'

    Step 4 - Setup Firewall rules

    Go to:

    • Firewall > Rules > OPT1

    You should already have a rule allowing all ipv4 traffic from source 'OPT1 net'. All we are going to do is edit this rule.

    • Select the pencil icon for your IPv4 rule

    This will take you to 'Edit Firewall Rule'. Here you want to scroll to the bottom and select 'Display Advanced' look for 'Gateway'. You need to Select your Open VPN interface. In my case this was 'TGINTERFACE_VPNV4 x.x.x.x - INTERFACE_VPNV4 Gateway'.

    • Save

    This is now tunnelling only your OPT1 traffic towards your OPENVPN Client. The steps are the same to route your other network segment towards your ISP.

    Go to:

    • Firewall > Rules > LAN

    Find the rule 'Default allow LAN to any rule'.

    • Select the pencil icon for this IPv4 rule
    • Select 'Display Advanced'
    • Gateway > WANGW - x.x.x.x - WAN Gateway
    • Save

    That's all. I had to reboot my router before my firewall rules worked.



  • UPDATE:

    I notice odd things happening (like local pings being routed outside my network) with my network after routing each Interface down different gateways. I have since improved my firewall rules so that ONLY protocols like DNS and HTTP are allowed to route directly out through its assigned gateway. I've included an example rule list picture. Note that I setup the same rules as in the image on the OPT1 interface.

    I also had to set a network bridge between the OPT1 and LAN interfaces.

    Now me and the kids can play Minecraft on the local network again!!!

    ![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)
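
The behaviour reported in the UPDATE above (local pings leaving the network once a gateway is set on an allow-all rule) can be reasoned about with a small first-match model. This is an added example, not part of the original post and not pfSense's rule engine. The subnets are the ones planned earlier in the thread, host addresses are constructed, the `PROTO_LIMITED` list is one reading of the UPDATE (the rule screenshot is not reproduced here), and `LOCAL_FIRST` is an alternative ordering assumed for comparison.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    proto: str              # "any", "icmp", "tcp/80", "udp/53", ...
    dst: str                # CIDR or "any"
    gateway: Optional[str]  # None = no policy route, routing table decides

# Subnets from the earlier post; host addresses used with this are constructed.
CONNECTED = {"LAN": ipaddress.ip_network("192.168.0.0/24"),
             "OPT1": ipaddress.ip_network("192.168.1.0/24")}
VPN = "TGINTERFACE_VPNV4"   # gateway name as shown in the guide

def egress(rules, proto, dst):
    """Return where a packet arriving on OPT1 leaves, using first-match rules."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        proto_ok = r.proto in ("any", proto)
        dst_ok = r.dst == "any" or ip in ipaddress.ip_network(r.dst)
        if not (proto_ok and dst_ok):
            continue
        if r.gateway:               # a gateway on the rule overrides routing
            return r.gateway
        for name, net in CONNECTED.items():
            if ip in net:           # directly connected network
                return name
        return "default route"
    return "blocked"                # nothing matched: implicit deny

# Step 4 as written: one allow-all rule with the VPN gateway set.
ALLOW_ALL_VIA_VPN = [Rule("any", "any", VPN)]
# Reading of the UPDATE (assumption): only DNS and HTTP carry the gateway.
PROTO_LIMITED = [Rule("udp/53", "any", VPN), Rule("tcp/80", "any", VPN),
                 Rule("any", "any", None)]
# Alternative ordering (assumption, not from the thread): local traffic first.
LOCAL_FIRST = [Rule("any", "192.168.0.0/16", None), Rule("any", "any", VPN)]

if __name__ == "__main__":
    for name, rules in [("allow-all", ALLOW_ALL_VIA_VPN),
                        ("proto-limited", PROTO_LIMITED),
                        ("local-first", LOCAL_FIRST)]:
        for proto, dst in [("icmp", "192.168.0.10"), ("tcp/80", "192.168.0.10"),
                           ("tcp/443", "203.0.113.10")]:
            print(f"{name:14} {proto:8} {dst:14} -> {egress(rules, proto, dst)}")
```

In this model the protocol-limited list keeps local pings local, but anything not listed (HTTPS here) follows the default route instead of the VPN, and HTTP to a local host is still sent to the VPN gateway. Check both cases against the real rule list when the goal is that OPT1 traffic never leaves outside the tunnel.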

