Netgate Discussion Forum

    Multi VPN and incoming traffic

    Routing and Multi WAN
    5 Posts 2 Posters 556 Views
    daviddst

      Hi,

      I've got the following configuration :

      Server 1 ----- LAN ----- pfSense ---- DMZ --- router (GW1 - IP Public 1) -------
                                                |
                                                +------------------ VPN1 (GW2 - IP Public 2) -------   (Internet)
                                                |
                                                +------------------ VPN2 (GW3 - IP Public 3) -------

      Traffic from Server 1 to the Internet is load balanced between GW2 and GW3. This works correctly.
      Some services on Server 1 are published on the Internet through GW1. This works correctly.

      But now I need to publish some other services on Service A through the VPN (with Public IP address 2 or 3).

      I've tried different kinds of rules, with floating rules and gateways, but without success.

      Something I've noticed: when I ping GW2 or GW3, the echo request is accepted, but the echo reply goes out through GW1 (and is source NATed with GW1, of course), so it doesn't work.

      My question is: is it possible to force all traffic arriving on a VPN interface to go back out through the same interface, and how?

      Thank you very much.

      Kindest regards,

      Derelict (LAYER 8, Netgate)

        Assign interfaces to your OpenVPN instances and connections arriving into those interfaces will gain pf reply-to goodness and solve your problems.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        daviddst

          Each VPN has a dedicated interface (used by the gateway group for outgoing traffic).

          I've added floating rules like this for the first VPN:

          Proto : ICMP All
          Source : Any
          Port : Any
          Destination : Any
          Port : Any
          Gateway : VPN1
          Direction : In

          This rule matches.

          Proto : ICMP All
          Source : Any
          Port : Any
          Destination : Any
          Port : Any
          Gateway : VPN1
          Direction : Out
          (seems not to be used)

          tcpdump on interface VPN1

          [2.3.3-RELEASE][root@pfSense]/root: tcpdump -i ovpnc9 icmp
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          listening on ovpnc9, link-type NULL (BSD loopback), capture size 65535 bytes
          17:04:44.116887 IP TEST > VPN1: ICMP echo request, id 24976, seq 37, length 64
          17:04:45.115681 IP TEST > VPN1: ICMP echo request, id 24976, seq 38, length 64
          17:04:46.115721 IP TEST > VPN1: ICMP echo request, id 24976, seq 39, length 64
          
          

          tcpdump on interface WAN

          [2.3.3-RELEASE][root@pfSense]/root: tcpdump icmp
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
          17:08:24.601686 IP VPN1 > IP_TEST: ICMP echo reply, id 25241, seq 1, length 64
          17:08:25.021830 IP VPN1 > IP_TEST: ICMP echo reply, id 25203, seq 38, length 64
          17:08:26.019603 IP VPN1 > IP_TEST: ICMP echo reply, id 25203, seq 39, length 64

          Thank you,

          Derelict (LAYER 8, Netgate)

            Remove the gateway from the in rule and delete the out rule. To ping inbound you just need normal pass rules on the OpenVPN interfaces.

            There is no reason to mess around with floating rules.

            Also make sure your rules on the OpenVPN tab DO NOT match the traffic in question or you will not get the benefit of reply-to and see reply traffic go out according to the routing table instead. When you use OpenVPN assigned interfaces a good practice is to just delete or disable all rules on the OpenVPN tab unless you understand all of the ramifications of traffic matching there.


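As an added illustration of the mechanism behind Derelict's answer (this is not a rule dump from the thread and not pfSense's literal generated output), the fragment below shows the pf ruleset shape in both orderings. The interface name ovpnc9 comes from the tcpdump above; the interface group name "openvpn", the tunnel peer 10.8.0.1, the VPN-side address 10.8.0.2 and the internal server 192.168.1.10 are constructed for the example.

```pf
# Added example: pf ruleset shape behind "assigned interface + reply-to".
# Not pfSense's actual output; ovpnc9 is from the thread's tcpdump, the
# group "openvpn", peer 10.8.0.1, VPN address 10.8.0.2 and server
# 192.168.1.10 are constructed placeholders.

# --- Problem ordering: a generic OpenVPN-tab rule wins ---------------------
# pfSense evaluates floating rules first, then interface-group rules (the
# "OpenVPN" tab is the group "openvpn"), then assigned-interface rules.
# With "quick" the first match ends evaluation. This group rule carries no
# reply-to, so the state it creates sends the reply by the routing table:
# out the default gateway (GW1), source-NATed there, as the WAN tcpdump
# in the thread shows.
pass in quick on openvpn inet proto icmp from any to any keep state

# The assigned-interface rule below never gets a chance to match that ICMP.
pass in quick on ovpnc9 reply-to ( ovpnc9 10.8.0.1 ) inet proto icmp from any to any keep state

# --- Fixed ordering: nothing on the OpenVPN tab matches the published traffic
# Only the assigned-interface rule remains. reply-to records in the state
# entry that replies leave via ovpnc9 toward 10.8.0.1, whatever the routing
# table says. No gateway on the rule, no "out" floating rule needed.
pass in quick on ovpnc9 reply-to ( ovpnc9 10.8.0.1 ) inet proto icmp from any to any keep state

# Same form for a service published on the VPN public address: the port
# forward (rdr) rewrites the destination first, so the pass rule matches
# the internal address after translation.
rdr on ovpnc9 inet proto tcp from any to 10.8.0.2 port 443 -> 192.168.1.10
pass in quick on ovpnc9 reply-to ( ovpnc9 10.8.0.1 ) inet proto tcp from any to 192.168.1.10 port 443 flags S/SA keep state
```

To check the loaded ruleset on the firewall, `pfctl -sr` prints the rules in evaluation order: the assigned-interface rule should show `reply-to`, and no floating or `openvpn` group rule above it should match the same traffic. With the fixed ordering, `tcpdump -i ovpnc9 icmp` shows both the echo request and the echo reply on the tunnel interface, and nothing for that flow appears on em0.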
            daviddst

              Thank you very much, it works! :)
