Torguard - OpenVPN client - How do you split traffic by network interface?

Dmaj wrote:

Hello,

I am new to pfSense and have some understanding of networking, firewalls and routing. However, I am hoping someone could help me to understand how I would set up pfSense to split traffic at a network interface level, where interface LAN1 would route through WAN but LAN2 would route through the OpenVPN client. Is this even possible?

I'd rather not set up complicated routing or firewall rules etc. My idea was that each LAN interface would share the same DHCP pool (though I'm happy to split this up) but each LAN interface would connect to a separate switch.

This sounds plausible, as then any device connected to either switch would have its traffic routed automatically either out through WAN or via the OpenVPN client. The idea here is that one side of the network would cover smart TVs/streaming boxes and (maybe) some wireless devices (AP connected to the switch), while the other side could cover PCs, VoIP etc.

I saw a post https://forum.pfsense.org/index.php?topic=113136.msg629634#msg629634 where I think they are talking about this kind of setup; however, it appears to be routed by firewall rules? Am I mad? Is what I'd like to do possible?

I have opened a support case with TorGuard so am waiting for a reply from them, but I don't feel this is their area of expertise nor their responsibility. They do have a post covering how to set up the OpenVPN client: https://torguard.net/knowledgebase.php?action=displayarticle&id=208 .

Thanks to anyone taking the time to read this post; if you do have any advice it would be very welcome.

Kind regards,

DMAj

P.S. Sorry if I am lacking details in this post, I only just installed the software today! My pfSense is running on a laptop but hopefully I can grow my setup into something special :)

Dmaj wrote:

Update:

So TorGuard have advised the following:

Thank you for contacting us, please use this guide https://torguard.net/knowledgebase.php?action=displayarticle&id=208 to set up VPN on pfSense. In "Server host or address" input your streaming IP, and in the NAT Settings section, when you add the rules, for source select your source LAN subnet or interface.

Let us know if you have any further questions.

Regards

TorGuard Advanced Support

This appears to confirm that what I'd like to do is possible. I am waiting on a LAN ExpressCard to arrive to test this out, so will post an update soon.

Dmaj wrote:

So it appears that in addition to the instructions from TorGuard you need to manually force DNS IPs at the DHCP service for interface LAN. Also, in my case, despite their instructions:

"when you add the rules for source select your source LAN subnet or interface."

it was not possible for me to set an interface as source. However, I think that it will be possible to set up a new DHCP on an interface, so my setup would be as follows:

LAN > DHCP > 192.168.0.0/24
OPT1 > DHCP > 192.168.1.0/24

This would allow me to set 192.168.1.0 as the source "network". However, I am seeing an error when trying to enable DHCP on OPT1:

"The specified range lies outside of the current subnet."

I have set the new DHCP as follows:

Subnet: 192.168.1.0
Subnet mask: 255.255.255.255
Available range: 192.168.1.1 - 192.168.0.255
Range: 192.168.1.1 > 192.168.1.254
DNS servers:
104.223.91.194
104.223.91.210

Am I doing something wrong, or is this a bug?

Dmaj wrote:

OK, I'm thinking this was my error? Anyway, I was able to use a subnet calculator online to provide an available range:

Subnet: 172.16.0.0
Subnet mask: 255.255.0.0
Available range: 172.16.0.1 - 172.16.255.254
Range: 172.16.0.10 > 172.16.255.254

Will post back with an update if my setup works.

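The error in the two posts above comes from the mask: 255.255.255.255 is a /32, a "subnet" with a single address and no host range, so any pool starting at 192.168.1.1 lies outside it. The following is an added example, not code from the thread or from pfSense, that reproduces that check with Python's ipaddress module on the exact values typed into the form above (the /32 that failed, the 172.16.0.0/16 that worked) and on a constructed /24. It also adds the check a practitioner would run before the DHCP step, that no two interface subnets overlap, with a constructed pair of addresses; the page does not state the final LAN subnet, and only the "lies outside" message is the text pfSense actually shows, the other messages are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The one message quoted from pfSense in the post above; every other string is this example's.
OUTSIDE_SUBNET = "The specified range lies outside of the current subnet."


def interface_subnet(address: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet an interface sits in, from the address and dotted mask typed into the form.

    ipaddress accepts 'address/dotted-mask' directly, so 255.255.255.255 becomes a /32.
    """
    return ipaddress.ip_interface(f"{address}/{mask}").network


def check_dhcp_range(address: str, mask: str, start: str, end: str) -> Optional[str]:
    """Return None if the pool is usable on this interface, else the reason it is not."""
    net = interface_subnet(address, mask)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        return "range start is after range end"
    # The check that tripped the post above: both ends must fall inside the interface subnet.
    if first not in net or last not in net:
        return OUTSIDE_SUBNET
    if first == net.network_address or last == net.broadcast_address:
        return "range must exclude the network and broadcast addresses"
    own = ipaddress.ip_address(address)
    if first <= own <= last:
        return f"range would hand out the interface's own address {own}"
    return None


def usable_pool(address: str, mask: str) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Largest pool the interface could offer; None for /31 and /32, which have no host range."""
    net = interface_subnet(address, mask)
    if net.prefixlen >= 31:
        return None
    return net.network_address + 1, net.broadcast_address - 1


def overlapping_interfaces(ifaces: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of interface names whose subnets overlap, from {name: (address, mask)}."""
    names = sorted(ifaces)
    found = []
    for i, a in enumerate(names):
        net_a = interface_subnet(*ifaces[a])
        for b in names[i + 1:]:
            if net_a.overlaps(interface_subnet(*ifaces[b])):
                found.append((a, b))
    return found


if __name__ == "__main__":
    # The failing form from the post above, then the /16 that the subnet calculator produced.
    print(check_dhcp_range("192.168.1.0", "255.255.255.255", "192.168.1.1", "192.168.1.254"))
    print(usable_pool("192.168.1.0", "255.255.255.255"))
    print(check_dhcp_range("172.16.0.1", "255.255.0.0", "172.16.0.10", "172.16.255.254"))
    # Constructed pair: a /27 carved out of a /24 that another interface already owns.
    print(overlapping_interfaces({"LAN": ("192.168.0.1", "255.255.255.0"),
                                  "OPT1": ("192.168.0.97", "255.255.255.224")}))
```

A dotted mask of 255.255.255.0 (a /24) on the 192.168.1.x interface would have let the original pool through; the point of `usable_pool` is that the form's "Available range" is derived from the mask, not from the address, so a wrong mask is the first thing to recheck when that error appears.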
Dmaj wrote:

I actually think I got this to work. I will try to post my setup. Thanks to all the people in this forum who have posted their attempts and to those who wrote guides online. I'll do my best to give back.

Dmaj wrote:

Thought I would add my network layout for now while I gather instructions.

![Network Diagram.PNG](/public/imported_attachments/1/Network Diagram.PNG)

Dmaj wrote:

Big thank you to the TorGuard team and Tai Toh. It's worth saying that I am not a network technician and my guide is hardly complete; however, I hope it might help someone nonetheless.

Resources:
The links below provide instructions on how to set up OpenVPN and how to set up OpenVPN for specific devices. My instructions build upon these guides and I assume you have already set up OpenVPN, NAT and basic firewall rules.

https://pixelsandwidgets.com/2014/10/setup-pfsense-openvpn-client-specific-devices/
https://torguard.net/knowledgebase.php?action=displayarticle&id=208

Version
2.3.2-RELEASE-p1 (i386)
built on Tue Sep 27 12:13:32 CDT 2016
FreeBSD 10.3-RELEASE-p9

Step 1 - Log into the pfSense webConfigurator

• https://[RouterIP]/index.php
• http://[RouterIP]/index.php

Step 2 - Set up a new interface

Go to:

• Interfaces > (Assign)

Here you will see "Available network ports:". In my case my USB Ethernet adapter was using the network port 'ue0'. Select the '+ Add' button to add this network port to your router as a physical interface. After adding this network port to my router I had the interface name "OPT1".

Next, select the interface name 'OPT1'; this should bring you to 'General configuration'.
Select the following options:

• IPv4 Configuration Type > Static IPv4
• IPv6 Configuration Type > None
• MAC Address > Leave as default
• MTU > Leave as default
• MSS > Leave as default
• Speed and Duplex > Leave as default
• IPv4 Address > 192.168.0.97/27 (or set this to your preference)
• IPv4 Upstream gateway > None
• Block private networks and loopback addresses > Leave unticked
• Block bogon networks > Leave unticked
• Select 'Save'

Step 3 - Set up DHCP

Go to:

• Services > DHCP Server > OPT1

Select the following options:

• Enable > Ticked
• Deny unknown clients > Unticked
• Ignore denied clients > Unticked
• Range > 192.168.0.99 - 192.168.0.126
• DNS servers > (I used my VPN provider's DNS; I understand this is to stop DNS leaks)

All other settings should be blank or unticked.

• Select 'Save'

Step 4 - Set up firewall rules

Go to:

• Firewall > Rules > OPT1

You should already have a rule allowing all IPv4 traffic from source 'OPT1 net'. All we are going to do is edit this rule.

• Select the pencil icon for your IPv4 rule

This will take you to 'Edit Firewall Rule'. Here you want to scroll to the bottom, select 'Display Advanced' and look for 'Gateway'. You need to select your OpenVPN interface. In my case this was 'TGINTERFACE_VPNV4 x.x.x.x - INTERFACE_VPNV4 Gateway'.

• Save

This now tunnels only your OPT1 traffic towards your OpenVPN client. The steps are the same to route your other network segment towards your ISP.

Go to:

• Firewall > Rules > LAN

Find the rule 'Default allow LAN to any rule'.

• Select the pencil icon for this IPv4 rule
• Select 'Display Advanced'
• Gateway > WANGW - x.x.x.x - WAN Gateway
• Save

That's all. I had to reboot my router before my firewall rules worked.

Dmaj wrote:

UPDATE:

I noticed odd things happening with my network (like local pings being routed outside my network) after routing each interface down different gateways. I have since improved my firewall rules so that ONLY protocols like DNS and HTTP are allowed to route directly out through their assigned gateway. I've included an example rule list picture. Note that I set up the same rules as in the image on the OPT1 interface.

I also had to set up a network bridge between the OPT1 and LAN interfaces.

Now the kids and I can play Minecraft on the local network again!!!

![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)

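The "local pings being routed outside" symptom in the post above follows from how a gateway on a firewall rule works: pfSense turns it into a pf route-to, which is applied to every packet the rule matches, regardless of the routing table, so a catch-all pass rule with a gateway also pushes traffic for the other local subnet into the tunnel or out of the WAN. The block below is an added example, not code from the thread or from pfSense, that models first-match rule evaluation on the two rule sets: Step 4 of the guide as written, and the same rules with a pass rule above each catch-all that has no gateway, which is the rule-ordering way to keep local traffic local. It reuses the 192.168.0.96/27 OPT1 subnet and the gateway labels from the guide; the LAN subnet, the host addresses and the public address are constructed, since the page does not give the final layout or the rule screenshot.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subnets for the walk-through: OPT1 is the /27 from the guide above,
# the LAN subnet is an assumption (the page does not state the final layout).
LAN_NET = "192.168.1.0/24"
OPT1_NET = "192.168.0.96/27"
ANY = "0.0.0.0/0"

# Gateway labels as they appear in the guide above.
VPN_GW = "TGINTERFACE_VPNV4"
WAN_GW = "WANGW"
ROUTING_TABLE = "routing table"  # rule has no gateway: the kernel routing table decides
DEFAULT_DENY = "blocked (default deny)"


@dataclass(frozen=True)
class Rule:
    iface: str                     # interface tab the rule lives on (traffic entering it)
    proto: str                     # "any", "icmp", "tcp" or "udp"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    gateway: Optional[str] = None  # None = no policy routing for matched packets
    dport: Optional[int] = None    # None = any destination port


def matches(rule: Rule, iface: str, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return (rule.iface == iface
            and rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def next_hop(rules: List[Rule], iface: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching pass rule wins (pfSense interface rules are 'quick').

    Returns the gateway the packet is handed to, ROUTING_TABLE when the matching rule
    has none, or DEFAULT_DENY when nothing matches.
    """
    for rule in rules:
        if matches(rule, iface, proto, src, dst, dport):
            return rule.gateway or ROUTING_TABLE
    return DEFAULT_DENY


# Step 4 of the guide as written: the catch-all rule on each tab carries a gateway.
AS_IN_GUIDE = [
    Rule("OPT1", "any", OPT1_NET, ANY, gateway=VPN_GW),
    Rule("LAN", "any", LAN_NET, ANY, gateway=WAN_GW),
]

# Same catch-alls, each preceded by a pass rule without a gateway for the other local
# subnet, so that traffic between LAN and OPT1 follows the routing table.
WITH_LOCAL_BYPASS = [
    Rule("OPT1", "any", OPT1_NET, LAN_NET),
    Rule("OPT1", "any", OPT1_NET, ANY, gateway=VPN_GW),
    Rule("LAN", "any", LAN_NET, OPT1_NET),
    Rule("LAN", "any", LAN_NET, ANY, gateway=WAN_GW),
]


if __name__ == "__main__":
    # A ping from an OPT1 host to a LAN host: the symptom, then the corrected ordering.
    print(next_hop(AS_IN_GUIDE, "OPT1", "icmp", "192.168.0.100", "192.168.1.10"))
    print(next_hop(WITH_LOCAL_BYPASS, "OPT1", "icmp", "192.168.0.100", "192.168.1.10"))
    # Internet-bound HTTPS from each side still leaves by its assigned gateway.
    print(next_hop(WITH_LOCAL_BYPASS, "OPT1", "tcp", "192.168.0.100", "203.0.113.5", 443))
    print(next_hop(WITH_LOCAL_BYPASS, "LAN", "tcp", "192.168.1.10", "203.0.113.5", 443))
```

The bypass rule must sit above the policy-routed one because evaluation stops at the first match; placing it below changes nothing. The same ordering is needed for any other destination that should never enter the tunnel, such as the firewall's own DNS resolver address.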