Netgate Discussion Forum

    Selective Remote Access

    OpenVPN
    42 Posts 2 Posters 6.0k Views
      NasKar

      @viragomann:

      Are the routes on the client set correctly?
      Please post the clients routing table.

      Here is the output of Diagnostics/Routes; ovpns4 is the Plex2 VPN

      IPv4 Routes
      Destination	Gateway	Flags	Use	Mtu	Netif	Expire
      0.0.0.0/1	172.21.92.1	UGS	137	1500	ovpnc1	
      default	x.x.x.1	UGS	18	1500	em3	
      81.171.110.67/32	x.x.x.1	UGS	169422	1500	em3	
      x.x.x.0/24	link#4	U	99628	1500	em3	
      x.x.x.x	link#4	UHS	0	16384	lo0	
      127.0.0.1	link#9	UH	676122	16384	lo0	
      128.0.0.0/1	172.21.92.1	UGS	18201	1500	ovpnc1	
      172.16.2.0/24	172.16.2.2	UGS	5139	1500	ovpns4	
      172.16.2.1	link#14	UHS	199412	16384	lo0	
      172.16.2.2	link#14	UH	0	1500	ovpns4	
      172.21.92.0/23	172.21.92.1	UGS	0	1500	ovpnc1	
      172.21.92.1	link#15	UH	99536	1500	ovpnc1	
      172.21.92.42	link#15	UHS	0	16384	lo0	
      192.168.0.0/24	link#3	U	0	1500	em2	
      192.168.0.1	link#3	UHS	0	16384	lo0	
      192.168.1.0/24	link#1	U	32974135	1500	em0	
      192.168.1.1	link#1	UHS	0	16384	lo0	
      192.168.10.0/24	link#10	U	0	1500	em2_vlan10	
      192.168.10.1	link#10	UHS	0	16384	lo0	
      192.168.20.0/24	link#11	U	0	1500	em2_vlan20	
      192.168.20.1	link#11	UHS	0	16384	lo0	
      192.168.30.0/24	link#12	U	0	1500	em2_vlan30	
      192.168.30.1	link#12	UHS	0	16384	lo0	
      192.168.40.0/24	link#13	U	0	1500	em2_vlan40	
      192.168.40.1	link#13	UHS	0	16384	lo0	
      192.168.60.0/24	link#2	U	35513	1500	em1	
      192.168.60.1	link#2	UHS	0	16384	lo0
      

      and the OpenVPN status routing table

      ![Routing Table.jpg](/public/imported_attachments/1/Routing Table.jpg)

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

        viragomann

        I asked for the routing table of the client's computer.

          NasKar

          Sorry. I use my iPhone. Any tips on how to get it from the OpenVPN app?

            viragomann

            Don't know.

            Check if you're able to access a public host by its IP address. Maybe the iPhone just can't access the DNS while the VPN is connected.

            On pfSense you can do a packet capture (Diagnostics menu) while you're trying to access an internet IP to check if the traffic is routed over the VPN.
            To do so, select the PLEX2 interface; to avoid noise you can select a particular protocol and port. At host enter the destination IP and start the capture. Then try to access the destination IP with the iPhone. Stop the capture to see the result.
            If you can see packets, select the WAN interface and repeat the capture.
            Post the results, please.

              NasKar

              @viragomann:

              Check if you're able to access a public host by its IP address. Maybe the iPhone just can't access the DNS while the VPN is connected.

              https://81.171.110.67/ is the IP that is in the packet capture and I can't get to that site in my Windows browser (nothing happens). Googling the apple.com IP gives https://81.171.110.52/,
              which also doesn't connect, but apple.com does. On the iPhone I get a forbidden error: you do not have permission to access this server.

              @viragomann:

              On pfSense you can do a packet capture (Diagnostics menu) while you're trying to access an internet IP to check if the traffic is routed over the VPN.
              To do so, select the PLEX2 interface; to avoid noise you can select a particular protocol and port. At host enter the destination IP and start the capture. Then try to access the destination IP with the iPhone. Stop the capture to see the result.
              If you can see packets, select the WAN interface and repeat the capture.
              Post the results, please.

              WAN IP capture

              15:48:34.274662 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
              15:48:34.275654 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 113
              15:48:34.275693 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 209
              15:48:34.275717 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 273
              15:48:34.283405 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 113
              15:48:34.283528 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
              15:48:34.283737 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:34.283781 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 609
              15:48:34.291524 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:34.292272 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 257
              15:48:34.292602 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
              15:48:34.293847 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
              15:48:34.293875 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 161
              15:48:34.293904 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:34.297145 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 241
              15:48:34.298144 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
              15:48:34.298473 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:34.302017 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:34.302025 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
              15:48:34.322702 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:34.342695 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:34.345616 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:34.452554 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:34.456553 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:34.953592 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:34.960886 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:35.454624 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:35.461223 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:35.960584 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:35.965556 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:36.461627 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:36.465892 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:36.895894 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
              15:48:36.922474 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:36.962547 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:36.970350 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:37.464638 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:37.470561 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:37.966576 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:37.971022 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:38.468652 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:38.474981 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:38.969589 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:38.973443 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 129
              15:48:38.973790 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:38.976065 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:38.986435 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:39.470586 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:39.475903 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:39.972605 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:39.980111 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:40.203479 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 353
              15:48:40.203510 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.209728 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:40.209852 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
              15:48:40.250434 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:40.365267 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 689
              15:48:40.365275 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
              15:48:40.365611 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:40.473600 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:40.480572 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:40.578933 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.578950 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.578965 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.578980 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.586261 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
              15:48:40.586506 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.587884 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:40.588119 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.637106 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:40.647512 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.647559 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.656345 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
              15:48:40.674960 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
              15:48:40.679560 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.730177 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:40.737581 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.737631 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.746043 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
              15:48:40.786647 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 161
              15:48:40.786811 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.821500 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
              15:48:40.821640 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:40.826996 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 145
              15:48:40.846111 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:40.855365 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:40.862065 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:40.874189 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 129
              15:48:40.874248 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 113
              15:48:40.892584 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 177
              15:48:40.895565 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:40.924940 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:40.975709 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:40.981283 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:41.004573 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 145
              15:48:41.067360 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:41.097216 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 225
              15:48:41.476634 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              15:48:41.481368 IP 81.171.110.67.1194 > x.x.x.x.30054: UDP, length 97
              15:48:41.977559 IP x.x.x.x.30054 > 81.171.110.67.1194: UDP, length 97
              
              

              Plex2 capture: with the host address set it gives nothing; without it, it gives

              16:04:02.925538 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
              16:04:03.901359 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
              16:04:04.909655 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
              16:04:05.781252 IP 172.16.2.248.55376 > 208.67.222.222.53: UDP, length 42
              16:04:05.933556 IP 172.16.2.248.55794 > 192.168.1.149.80: tcp 0
              16:04:07.790472 IP 172.16.2.248.55376 > 208.67.222.222.53: UDP, length 42
              16:04:11.782673 IP 172.16.2.248.55376 > 208.67.220.220.53: UDP, length 42
              

              Why is 81.171.110.67.1194 on my WAN and not 81.171.110.67.1195, as my VPN server is on port 1195?

              My settings for Plex2 Capture

              ![Plex2 Capture Settings.jpg](/public/imported_attachments/1/Plex2 Capture Settings.jpg)

                viragomann

                @NasKar:

                https://81.171.110.67/ is the IP that is in the packet capture and I can't get to that site in my Windows browser (nothing happens). Googling the apple.com IP gives https://81.171.110.52/,
                which also doesn't connect, but apple.com does. On the iPhone I get a forbidden error: you do not have permission to access this server.

                ???

                Resolving apple.com gives me 17.142.160.59

                81.171.110.67 seems to be your own public IP. The WAN capture shows a connection to port 1194.
                You're running multiple vpn servers. So this might be a connection to another server.

                This capture cannot help to resolve the issue in any way.

                  NasKar

                  I have a VPN client running to change my IP address.  Didn't recognize the IP address. If I turn off the VPN client I can access the internet while connected to the remote VPN server.  Is it possible to run the VPN Client and Remote VPN server and still access the internet?  Sorry for the confusion I didn't realize it was an issue.

                    viragomann

                    Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
                    Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

                      NasKar

                      @viragomann:

                      Yes, that's possible. But you have to clarify how the upstream traffic from PLEX2 should be routed out: to the VPN server or to the WAN gateway.
                      Now, since you haven't specified a gateway in the firewall rule, the traffic is routed to the VPN server. But since you haven't set an outbound NAT rule for this, you get no connection.

                      Thanks for hanging in there with me.
                      I created a rule on the PLEX2 interface, source = any, dst = any, and Gateway = WAN_DHCP Gateway, then
                      an outbound rule: PLEX2 interface, protocol any, network 172.16.2.0/24, dst any, translation Interface Address.
                      Rebooted and it doesn't work. Any idea on what I did incorrectly?

                        viragomann

                        Man, outbound NAT rules have to be set on the interface where the packets go out!
                        So if you want to go out on WAN the interface has to be set to WAN.
                        The necessary rule was already set, as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

                          NasKar

                          @viragomann:

                          Man, outbound NAT rules have to be set on the interface where the packets go out!
                          So if you want to go out on WAN the interface has to be set to WAN.
                          The necessary rule was already set, as shown in this post: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

                          I have everything set up with the Plex2 rule having the WAN gateway, but the packet capture still shows it trying to go out the 1194 client VPN instead of the WAN gateway. I even changed all 3 Plex2 rules to use the WAN gateway without success. If the WAN gateway is the default and the rule is set to use the default, why does it need to be specified?

                          Plex2_rules.jpg
                          WAN_rules.jpg
                          Outbound_rules.jpg

                            viragomann

                            I wrote above that you have to clarify where you want to route out the upstream traffic from the PLEX2 client. If you haven't specified a gateway, the traffic is routed to the default gateway, and this is obviously the VPN client if it's connected. So the packets are routed to the VPN client, but in fact you have no outbound NAT rule for that, so the packets get dropped there, because there is no route back for that source.

                            If you want to route the traffic out to WAN while the VPN client is the default gateway, you have to specify the WAN gateway in the rule.
                            If you want to go out to the default gateway there's no need to specify a gateway in the rule, but you have to add an outbound NAT rule for that.

                              NasKar

                              @viragomann:

                              I wrote above that you have to clarify where you want to route out the upstream traffic from the PLEX2 client. If you haven't specified a gateway, the traffic is routed to the default gateway, and this is obviously the VPN client if it's connected. So the packets are routed to the VPN client, but in fact you have no outbound NAT rule for that, so the packets get dropped there, because there is no route back for that source.

                              If you want to route the traffic out to WAN while the VPN client is the default gateway, you have to specify the WAN gateway in the rule.
                              If you want to go out to the default gateway there's no need to specify a gateway in the rule, but you have to add an outbound NAT rule for that.

                              1. I have specified the WAN gateway in the PLEX2 rule, so have I satisfied the "you have to specify the WAN gateway in the rule"?
                              2. If I have satisfied #1 then the problem is not specifying an outbound NAT rule. Can you give me an example of an outbound rule that would work? There are not many options after Interface and Source address. Interface must be WAN, the Source is my 172.16.2.0/24 (the VPN tunnel network), destination is any as it could be anywhere on the internet.

                                viragomann

                                @NasKar:

                                1. I have specified the WAN gateway in the PLEX2 rule, so have I satisfied the "you have to specify the WAN gateway in the rule"?

                                If you intend that PLEX2 upstream traffic goes out on the WAN interface independently of the VPN client connection, that's okay.

                                @NasKar:

                                2. If I have satisfied #1 then the problem is not specifying an outbound NAT rule. Can you give me an example of an outbound rule that would work? There are not many options after Interface and Source address. Interface must be WAN, the Source is my 172.16.2.0/24 (the VPN tunnel network), destination is any as it could be anywhere on the internet.

                                Again, you've already set an outbound NAT rule for PLEX2 on the WAN interface. The first rule shown in the picture here: https://forum.pfsense.org/index.php?topic=132341.msg729392#msg729392

                                Outbound NAT:
                                When a packet goes out to WAN, the packet's source address has to be translated to one of your public addresses, mostly the WAN (interface) address, because only public addresses are known on the internet, which is necessary to route the responses back to you.
                                So you have to set in the rule:
                                interface: WAN
                                source: here the tunnel subnet 172.16.2.0/24
                                All other options may stay at their defaults. So the protocol and destination are any and the translation address is "interface address", which is your WAN address.

                                Is this really that hard?

                                  NasKar

                                  I have the outbound rule as: Interface WAN, source 172.16.2.0/24, all other options at default.

                                  If I have a rule on the Plex2 interface, source any, destination any, gateway default I can access my local LAN servers but not the internet. If I change the default gateway to the WAN I can access the internet but not any of the LAN servers.

                                    NasKar

                                    @viragomann:

                                    If you intend that PLEX2 upstream traffic goes out on the WAN interface independently of the VPN client connection, that's okay.

                                    If I change the gateway on the Plex2 rule from WAN to default I can't get out to the internet. Not sure why default doesn't work but it still works with the gateway as WAN.

                                    Had to add a path back to the LAN when I connect as the USER so I could access the other servers. All others in the Plex only alias can only connect to the Plex Server and internet through the WAN gateway.

                                    Here is the final Plex2 rules.  Thanks again for your help.

                                    ![Final Plex2.jpg](/public/imported_attachments/1/Final Plex2.jpg)

                                      viragomann

                                      @NasKar:

                                      If I change the gateway on the Plex2 rule from WAN to default I can't get out to the internet. Not sure why default doesn't work but it still works with the gateway as WAN.

                                      I've mentioned that behaviour and the solution already twice.
                                      here: https://forum.pfsense.org/index.php?topic=132341.msg733209#msg733209
                                      and here: https://forum.pfsense.org/index.php?topic=132341.msg732814#msg732814

                                      So what are the troubles with that?

                                      If your VPN client connection is up, the packets go out this connection when there's no gateway specified in the appropriate rule. So you also need to add an outbound NAT rule for this traffic (on the VPN client's interface!). How to do that, I've described here: https://forum.pfsense.org/index.php?topic=132341.msg733440#msg733440
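An added illustration of the routing-and-NAT logic viragomann walks through in this thread (example code written for this page, not code from the forum posts or from pfSense): a longest-prefix lookup over an excerpt of NasKar's posted routing table, a top-down PLEX2 rule list with an optional policy-routing gateway, and outbound NAT keyed by egress interface. It replays the four configurations discussed: any/any with no gateway, any/any with the WAN gateway, the final two-rule set, and the alternative of adding outbound NAT on the VPN client interface. The rule and NAT representations are simplified assumptions, not pfSense's real config format; the interface names and addresses are the ones that appear in the thread.

```python
import ipaddress

# Excerpt of the routing table NasKar posted (Diagnostics > Routes):
# (prefix, egress interface, reached via a gateway?).  Routes via a gateway
# need outbound NAT for a source the upstream cannot route back to; directly
# connected networks do not, because pfSense itself is their return path.
ROUTES = [
    ("0.0.0.0/1",       "ovpnc1", True),   # pushed by the VPN provider ...
    ("128.0.0.0/1",     "ovpnc1", True),   # ... together they cover all of IPv4
    ("0.0.0.0/0",       "em3",    True),   # "default" via WAN; loses to the /1s
    ("172.16.2.0/24",   "ovpns4", False),  # PLEX2 tunnel network
    ("192.168.1.0/24",  "em0",    False),  # LAN, where the Plex server lives
    ("192.168.60.0/24", "em1",    False),  # another local segment
]
LOCAL_IFACES = {iface for _, iface, via_gw in ROUTES if not via_gw}


def lookup_route(dst):
    """Longest-prefix match over ROUTES -> (egress interface, via_gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via_gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via_gw)
    return best[1], best[2]


def _matches(field, addr):
    """Rule field is "any" or a CIDR string."""
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field)


def has_outbound_nat(nat_rules, iface, src):
    """nat_rules: (interface, source network) pairs, like Firewall > NAT > Outbound."""
    return any(i == iface and _matches(net, src) for i, net in nat_rules)


def forward(rules, nat_rules, src, dst):
    """Fate of a packet arriving on PLEX2 (simplified model, not pfSense code).

    rules: PLEX2 interface rules, evaluated top-down, first match wins; each is
    {"src": "any"|cidr, "dst": "any"|cidr, "gateway": None | egress interface}.
    """
    rule = next((r for r in rules
                 if _matches(r["src"], src) and _matches(r["dst"], dst)), None)
    if rule is None:
        return "blocked: no PLEX2 rule matches"
    route_iface, via_gw = lookup_route(dst)
    if rule["gateway"] is None:
        egress = route_iface                    # plain routing: the table decides
    else:
        egress, via_gw = rule["gateway"], True  # policy routing: the rule decides
        if route_iface in LOCAL_IFACES and egress != route_iface:
            # A LAN destination forced out the WAN gateway never gets there:
            # the "WAN gateway breaks LAN access" symptom from the thread.
            return f"unreachable: {dst} is on {route_iface} but forced out {egress}"
    if via_gw and not has_outbound_nat(nat_rules, egress, src):
        # Upstream sees a 172.16.2.x source it has no route back to, so the
        # reply never returns: the symptom NasKar had with the default gateway.
        return f"dropped: out {egress} with no outbound NAT for {src}"
    return f"ok via {egress}"


# Addresses taken from the thread.
CLIENT = "172.16.2.248"        # the phone's tunnel address (PLEX2 capture)
PLEX_SERVER = "192.168.1.149"  # LAN host it was trying to reach
INTERNET = "17.142.160.59"     # apple.com as resolved by viragomann

NAT_WAN_ONLY = [("em3", "172.16.2.0/24")]                       # rule NasKar had
NAT_WAN_AND_VPN = NAT_WAN_ONLY + [("ovpnc1", "172.16.2.0/24")]  # the alternative

RULES_NO_GATEWAY = [{"src": "any", "dst": "any", "gateway": None}]
RULES_WAN_GATEWAY = [{"src": "any", "dst": "any", "gateway": "em3"}]
RULES_FINAL = [  # LAN first without a gateway, then everything else via WAN
    {"src": "any", "dst": "192.168.1.0/24", "gateway": None},
    {"src": "any", "dst": "any", "gateway": "em3"},
]

if __name__ == "__main__":
    scenarios = [("no gateway, NAT on WAN only", RULES_NO_GATEWAY, NAT_WAN_ONLY),
                 ("WAN gateway, NAT on WAN only", RULES_WAN_GATEWAY, NAT_WAN_ONLY),
                 ("final rule set", RULES_FINAL, NAT_WAN_ONLY),
                 ("no gateway, NAT on WAN and ovpnc1", RULES_NO_GATEWAY, NAT_WAN_AND_VPN)]
    for name, rules, nat in scenarios:
        for dst in (PLEX_SERVER, INTERNET):
            print(f"{name:34} -> {dst:15}: {forward(rules, nat, CLIENT, dst)}")
```

The two /1 routes are why "default" in the rule means the VPN client here: they are more specific than 0.0.0.0/0, so the WAN default route is never chosen unless the rule names the WAN gateway explicitly.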
