Cleanly separate WiFi and LAN using OpenVPN
-
Hello
I want to separate LAN and WiFi subnets.
Here is what I have:LAN interface
Subnet 192.168.90.0 (with DHCP)
WIFI interface
Subnet 192.168.70.0 (with DHCP)Alias
Private_IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Private IPv4 rangesRules
https://snag.gy/6cJnO1.jpgAt this point everything seems to work, WiFi clients can use internet but have no access to LAN hosts.
Now I want to use OpenVPN to enable WiFi clients be able to access LAN hosts. And with the current rule, of cause, I can't connect to my OpenVPN server.
What would be good way to accomplish this?
Thx
-
Put a rule above your ! private IPv4 alias that allows access to your vpn port on pfsense wifi net interface IP.
Rules are evaluated top down, inbound into that interface from that network, first rule to trigger wins, no other rules are evaluated.
-
Thanks for quick reply !
I must be missing something, this did not work so far https://snag.gy/XwS5WE.jpg
-
that rule is set for TCP.. 1194 on openvpn is the default UDP port - so not going to work no, don't even see any hits to it the 0/0
-
Stupid me :(
Corrected, but still no love
https://snag.gy/KXsxWl.jpg -
what rules do you have above that rule? Is openvpn listening on that interface, what are you pointing your client to - name or IP, etc.
I see hits to that rule.. So seems maybe you have pfsense not listening on interface your hitting, or you using some name that is not resolving correctly to the correct IP, etc.
If you hit your openvpn are you allowing access to your lan, etc.
-
Here is what I know (maybe not all what you are asking)
My OpenVPN server is on port 1194https://snag.gy/JF4Hbc.jpg
it's using DDNS not IP
When I use rules like !LAN net (https://snag.gy/gcnU5z.jpg) it seems working fine, restricting access to LAN and allows to connect to OpenVPN server
However, when I enable rules like this https://snag.gy/RumEDX.jpg, I can connect from other WiFi's and connect to OpenVPN, but from my WiFi i have not internet access and no OpenVPN connect.
-
What interface is that openvpn running on?
In your client config what are you pointing them too in your export of the config?
If you want your wifi clients to use the vpn, then it should be listening on your wifi interface of pfsense, and NOT your wan..
