Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Cleanly separate WiFi and LAN using OpenVPN

    OpenVPN
    2
    8
    1233
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chudak
      chudak last edited by

      Hello

      I want to separate LAN and WiFi subnets.
      Here is what I have:

      LAN interface 
        Subnet 192.168.90.0 (with DHCP)
      WIFI interface
        Subnet 192.168.70.0 (with DHCP)

      Alias
        Private_IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Private IPv4 ranges

      Rules
        https://snag.gy/6cJnO1.jpg

      At this point everything seems to work, WiFi clients can use internet but have no access to LAN hosts.

      Now I want to use OpenVPN to enable WiFi clients be able to access LAN hosts.  And with the current rule, of cause, I can't connect to my OpenVPN server.

      What would be good way to accomplish this?

      Thx

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        Put a rule above your ! private IPv4 alias that allows access to your vpn port on pfsense wifi net interface IP.

        Rules are evaluated top down, inbound into that interface from that network, first rule to trigger wins, no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        1 Reply Last reply Reply Quote 0
        • chudak
          chudak last edited by

          Thanks for quick reply !

          I must be missing something, this did not work so far https://snag.gy/XwS5WE.jpg

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            that rule is set for TCP.. 1194 on openvpn is the default UDP port - so not going to work no, don't even see any hits to it the 0/0


            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

            1 Reply Last reply Reply Quote 0
            • chudak
              chudak last edited by

              Stupid me  :(

              Corrected, but still no love
              https://snag.gy/KXsxWl.jpg

              1 Reply Last reply Reply Quote 0
              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by

                what rules do you have above that rule?  Is openvpn listening on that interface, what are you pointing your client to - name or IP, etc.

                I see hits to that rule.. So seems maybe you have pfsense not listening on interface your hitting, or you using some name that is not resolving correctly to the correct IP, etc.

                If you hit your openvpn are you allowing access to your lan, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                1 Reply Last reply Reply Quote 0
                • chudak
                  chudak last edited by

                  Here is what I know (maybe not all what you are asking)
                  My OpenVPN server is on port 1194

                  https://snag.gy/JF4Hbc.jpg

                  it's using DDNS not IP

                  When I use rules like !LAN net (https://snag.gy/gcnU5z.jpg) it seems working fine, restricting access to LAN and allows to connect to OpenVPN server

                  However, when I enable rules like this https://snag.gy/RumEDX.jpg, I can connect from other WiFi's and connect to OpenVPN, but from my WiFi i have not internet access and no OpenVPN connect.

                  1 Reply Last reply Reply Quote 0
                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    What interface is that openvpn running on?

                    In your client config what are you pointing them too in your export of the config?

                    If you want your wifi clients to use the vpn, then it should be listening on your wifi interface of pfsense, and NOT your wan..




                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post