Multi VPN and incoming traffic



  • Hi,

    I've got the following configuration :

    Server 1 ----- LAN ----- pfSense ---- DMZ --- router (GW1 - IP Public 1) -------
                                              |
                                              +------------------ VPN1 (GW2 - IP Public 2) -------        (Internet)
                                              |
                                              +------------------ VPN2 (GW3 - IP Public 3) -------

    Traffic from Server 1 to the Internet is load balanced between GW2 and GW3. This works correctly.
    Some services on Server 1 are published on the Internet through GW1. This works correctly.

    But now, I need to publish some other services on Service A through the VPNs (with Public IP address 2 or 3).

    I've tried different kinds of rules with floating rules and gateways, but without success.

    Something I've noticed: when I ping GW2 or GW3, the echo request is accepted, but the echo reply goes out through GW1 (and is source NATed with GW1, of course), so it doesn't work.

    My question is: is it possible to force all traffic coming in on a VPN interface to go out through the same interface, and how?

    Thank you very much.

    Kindest regards,


  • LAYER 8 Netgate

    Assign interfaces to your OpenVPN instances and connections arriving into those interfaces will gain pf reply-to goodness and solve your problems.



  • Each VPN has a dedicated interface (used by the gateway group for outgoing traffic).

    I've added floating rules like this for the first VPN:

    Proto : ICMP All
    Source : Any
    Port : Any
    Destination : Any
    Port : Any
    Gateway : VPN1
    Direction : In

    This rule matches.

    Proto : ICMP All
    Source : Any
    Port : Any
    Destination : Any
    Port : Any
    Gateway : VPN1
    Direction : Out
    (seems not to be used)

    tcpdump on interface VPN1

    [2.3.3-RELEASE][root@pfSense]/root: tcpdump -i ovpnc9 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpnc9, link-type NULL (BSD loopback), capture size 65535 bytes
    17:04:44.116887 IP TEST > VPN1: ICMP echo request, id 24976, seq 37, length 64
    17:04:45.115681 IP TEST > VPN1: ICMP echo request, id 24976, seq 38, length 64
    17:04:46.115721 IP TEST > VPN1: ICMP echo request, id 24976, seq 39, length 64

    tcpdump on interface WAN

    [2.3.3-RELEASE][root@pfSense]/root: tcpdump icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
    17:08:24.601686 IP VPN1 > IP_TEST: ICMP echo reply, id 25241, seq 1, length 64
    17:08:25.021830 IP VPN1 > IP_TEST: ICMP echo reply, id 25203, seq 38, length 64
    17:08:26.019603 IP VPN1 > IP_TEST: ICMP echo reply, id 25203, seq 39, length 64

    Thank you,


  • LAYER 8 Netgate

    Remove the gateway from the in rule and delete the out rule. To ping inbound you just need normal pass rules on the OpenVPN interfaces.

    There is no reason to mess around with floating rules.

    Also make sure your rules on the OpenVPN tab DO NOT match the traffic in question or you will not get the benefit of reply-to and see reply traffic go out according to the routing table instead. When you use OpenVPN assigned interfaces a good practice is to just delete or disable all rules on the OpenVPN tab unless you understand all of the ramifications of traffic matching there.
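    To make the pitfall in that last paragraph concrete, here is an added example (not from this thread or from pfSense itself) that models how pf picks the egress path for reply traffic from a `pfctl -sr` style ruleset. The rule lines, interface names, the 10.8.0.1 peer address, the group membership and the labels are constructed assumptions modelled on the form pfSense writes for user rules; the ordering (floating, then interface groups such as the OpenVPN tab, then per-interface tabs, all `quick`) is what makes an OpenVPN-tab rule win and discard reply-to.

```python
import re

# Constructed `pfctl -sr` excerpt (assumption: modelled on pfSense's generated
# user rules). pfSense orders user rules: floating, then interface groups (the
# OpenVPN tab appears as group "openvpn"), then per-interface tabs; all "quick".
RULES_BROKEN = """\
pass in quick on openvpn inet proto icmp from any to any keep state label "USER_RULE: OpenVPN tab"
pass in quick on ovpnc9 reply-to ( ovpnc9 10.8.0.1 ) inet proto icmp from any to any keep state label "USER_RULE: VPN1 tab"
"""
RULES_FIXED = """\
pass in quick on ovpnc9 reply-to ( ovpnc9 10.8.0.1 ) inet proto icmp from any to any keep state label "USER_RULE: VPN1 tab"
"""
GROUPS = {"openvpn": {"ovpnc9", "ovpnc10"}}   # assumed membership of the OpenVPN group
DEFAULT_ROUTE = ("em0", "GW1")                # WAN / public IP 1 in the thread

RULE_RE = re.compile(
    r'^pass in quick on (?P<iface>\S+)'
    r'(?: reply-to \( (?P<rt_if>\S+) (?P<rt_gw>\S+) \))?'
    r' inet proto (?P<proto>\S+) .*label "(?P<label>[^"]*)"')

def parse_rules(text):
    """Parse pass-in rules into dicts; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def reply_path(rules, in_iface, proto):
    """Return (rule label, egress interface, gateway) for the reply to a packet
    arriving on in_iface, or None if no rule passes it. The first quick rule
    that matches creates the state; only a rule carrying reply-to pins the
    reply to that interface. Otherwise the reply follows the routing table,
    i.e. the default route via GW1, which is exactly the symptom in the thread."""
    for r in rules:
        members = GROUPS.get(r["iface"], {r["iface"]})
        if in_iface in members and r["proto"] == proto:
            if r["rt_if"]:
                return (r["label"], r["rt_if"], r["rt_gw"])
            return (r["label"],) + DEFAULT_ROUTE
    return None

if __name__ == "__main__":
    # OpenVPN-tab rule matches first: reply leaves via em0/GW1 despite the VPN1 rule.
    print(reply_path(parse_rules(RULES_BROKEN), "ovpnc9", "icmp"))
    # Only the assigned-interface rule remains: reply is pinned to ovpnc9.
    print(reply_path(parse_rules(RULES_FIXED), "ovpnc9", "icmp"))
```

On a real box the same check is done by reading `pfctl -sr` top to bottom for the first rule that matches the inbound traffic on the assigned OpenVPN interface and confirming it carries `reply-to`.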



  • Thank you very much, it works! :)

