Multiwan with OpenVPN and source based routing



  • Hi there,

    I'm trying to set up a network with a pfSense router VM and a normal router.

    What I want to achieve is the following:
    I want the normal router to take care of internet for my normal clients, a NAS and a VMware ESXi server.

    Within the VMware server I want the pfSense router to set up an OpenVPN connection. My normal clients don't need it, it's for some of the other VMs.

    The idea is to just have to add a VM to the pfSense's network and it will get the OpenVPN as internet.

    Now this all works "perfectly" .. except for one thing.. I want to manage the VMs from the internet and NOT the OpenVPN connection. So basically:
    if I access, say .. ssh .. I will do so via my internet which comes through my router .. forwarded to my pfSense router .. which in turn forwards it to the needed machine

    hard example: internet to my home IP port 65533 -> normal router forwards this to the pfSense machine 65533 -> pfSense machine forwards it to the VM "A" port 22

    Now I have trouble with the return path. I tried setting up policy based routing, but it completely ignores what I want.. and I'm kinda lost in settings here.

    Added to that, for the VM I'm not 100% sure how to set it up. Right now I have 3 interfaces:
    OPT1 -> The actual LAN in which my internet router resides, gave this IP: 192.168.34.x
    LAN -> The private network I want the VMs to be in. IP: 192.168.55.x
    WAN -> I tried using DHCP .. but this ofc gives the same IP as the OPT1 network (192.168.34.x) .. which will probably mess up routes even more (not 100% sure here). So I currently gave this a hard IP of 192.168.44.x and gave it a static route

    And ofc the OpenVPN interface.

    I'd be eternally grateful if anyone could help me out.


  • LAYER 8 Netgate

    Going to need a better picture of what you are actually doing, but you probably need a WAN interface on pfSense with your "normal router" as its gateway.

    Then a LAN interface with your VMs behind it. Policy route connections from the VMs into OpenVPN using rules on LAN. This could probably be a VMware "host-only" network if all you are going to put on LAN are VMs on the same host.

    Connections coming into WAN will get reply-to added (because it is a WAN with a gateway on the interface), so reply traffic will go back the right way instead of being subject to the routing table. Even if you have redirect-gateway def1 enabled on OpenVPN so it is the default route for pfSense.



  • Attached is roughly the setup I want.

    The setup is working. The problem is that I want to SSH to VM1 and VM2 from the internet and not the OpenVPN. This I can't get to work.. I think the return route is failing.

    ![2017-06-12 12_21_46-Untitled Diagram.xml - draw.io.png](/public/imported_attachments/1/2017-06-12 12_21_46-Untitled Diagram.xml - draw.io.png)



  • Ok yeh, I went a few steps back. Instead of fancy routing via the OPT1 interface I removed that idea and went to WAN. That works.. but now I kinda worry that "if" the VPN goes down it will automatically go for the WAN interface, which I don't want.


  • LAYER 8 Netgate

    Tag the traffic destined for the VPN and block that tag out WAN.

    Search the forum for NO_WAN_EGRESS or see here:

    https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN
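As an added example, not from the thread or from Netgate, the two mechanisms described in the replies above (reply-to on the inbound WAN port forward, and tagging VPN-bound LAN traffic so it can be blocked on WAN with NO_WAN_EGRESS) written as a pf ruleset fragment in the syntax pfSense generates in /tmp/rules.debug. Interface names (em0, em1, ovpnc1), the addresses 192.168.34.1, 192.168.34.5, 10.8.0.1 and 192.168.55.10, and the macro names are assumptions chosen to match the poster's 192.168.34.x / 192.168.55.x description; only the port numbers come from the thread.

```pf
# Assumed interfaces and addresses (not stated in the thread)
wan_if  = "em0"            # WAN, 192.168.34.x, default gateway = the "normal router"
lan_if  = "em1"            # LAN, the VM network
ovpn_if = "ovpnc1"         # OpenVPN client interface
wan_gw  = "192.168.34.1"   # assumed: the normal router
wan_ip  = "192.168.34.5"   # assumed: pfSense WAN address
ovpn_gw = "10.8.0.1"       # assumed: OpenVPN server-side gateway
lan_net = "192.168.55.0/24"
vm_a    = "192.168.55.10"  # assumed: VM "A" from the poster's example

# Outbound NAT on the tunnel so the VMs' traffic leaves with the tunnel address
# (pfSense's automatic outbound NAT produces the equivalent rule).
nat on $ovpn_if from $lan_net to any -> ($ovpn_if)

# 1. Port forward: normal router -> pfSense WAN :65533 -> VM A :22
rdr on $wan_if proto tcp from any to $wan_ip port 65533 -> $vm_a port 22

# 2. Allow the forwarded connection in on WAN. reply-to pins the replies of this
#    state to WAN's gateway, so they go back the way they came even when the
#    OpenVPN tunnel is pfSense's default route (redirect-gateway def1).
pass in quick on $wan_if reply-to ( $wan_if $wan_gw ) inet proto tcp \
    from any to $vm_a port 22 flags S/SA keep state

# 3. Policy route everything the VMs send to the Internet into the tunnel, and
#    tag it. The tag follows the state, not the rule.
pass in quick on $lan_if route-to ( $ovpn_if $ovpn_gw ) inet \
    from $lan_net to ! $lan_net tag NO_WAN_EGRESS keep state

# 4. If the tunnel is down, pfSense drops the route-to from rule 3 and the
#    traffic follows the routing table toward WAN. This catches it there.
block out quick on $wan_if tagged NO_WAN_EGRESS
```

In the pfSense GUI the same four pieces are: a Firewall > NAT port forward on WAN (pfSense adds reply-to itself because WAN has a gateway); a LAN rule with Gateway set to the OpenVPN gateway and Advanced Options > Tag set to NO_WAN_EGRESS; and a Floating rule with Action Block or Reject, Quick checked, Interface WAN, Direction out, and Tagged set to NO_WAN_EGRESS. Leave System > Advanced > Miscellaneous "Skip rules when gateway is down" unchecked: with it unchecked pfSense rewrites the LAN rule without the gateway when the VPN is down, which is exactly the fall-through case rule 4 is there to block. `pfctl -nf /tmp/rules.debug` checks the generated ruleset for syntax errors without loading it.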



  • Ah cool thx. That makes sense.

    A small non-related question. Each time I google/see answers on this forum.. I see a completely different UI than the one I have. Is that just version/theme? or is there a branch/spin-off that I missed?

    Doesn't affect my ability to apply it tho.. just a thing I noticed..


  • LAYER 8 Netgate

    The GUI changed at 2.3.0+, a little over a year ago.

