Netgate Discussion Forum

    Cleanly separate WiFi and LAN using OpenVPN

    Category: OpenVPN
    8 Posts 2 Posters 1.7k Views
    • chudak

      Hello

      I want to separate LAN and WiFi subnets.
      Here is what I have:

      LAN interface 
        Subnet 192.168.90.0 (with DHCP)
      WIFI interface
        Subnet 192.168.70.0 (with DHCP)

      Alias
        Private_IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Private IPv4 ranges

      Rules
        https://snag.gy/6cJnO1.jpg

      At this point everything seems to work, WiFi clients can use internet but have no access to LAN hosts.

      Now I want to use OpenVPN to enable WiFi clients to access LAN hosts. And with the current rule, of course, I can't connect to my OpenVPN server.

      What would be a good way to accomplish this?

      Thx
      • johnpoz, LAYER 8 Global Moderator

        Put a rule above your ! Private_IPv4 alias rule that allows access to your VPN port on the pfSense WiFi net interface IP.

        Rules are evaluated top down, inbound into that interface from that network; the first rule to trigger wins, and no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • chudak

          Thanks for the quick reply!

          I must be missing something; this did not work so far: https://snag.gy/XwS5WE.jpg

          • johnpoz, LAYER 8 Global Moderator

            That rule is set for TCP. 1194 on OpenVPN is the default UDP port, so that's not going to work, no; I don't even see any hits to it, the 0/0.

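Added example, not from the thread or from pfSense itself: a small Python model of the first-match evaluation johnpoz describes (rules read top down, first hit wins, no match falls to the default deny), using the thread's Private_IPv4 alias and subnets. It shows why the VPN rule above the alias rule must be UDP 1194 rather than TCP, and what happens if a VPN rule is placed below a block rule. The pfSense WiFi interface address 192.168.70.1 and the rule layouts are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed to match the thread: WiFi is 192.168.70.0/24, LAN is
# 192.168.90.0/24; the pfSense WiFi interface address is assumed to be .1.
PRIVATE_IPV4 = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WIFI_ADDRESS = [ipaddress.ip_network("192.168.70.1/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: str                # "any", "tcp" or "udp"
    dst: list                 # destination alias: a list of networks
    dport: Optional[int] = None
    invert_dst: bool = False  # the "!" (not) checkbox on the destination

def matches(rule: Rule, proto: str, dst: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False          # a TCP rule never sees UDP 1194
    in_dst = any(ipaddress.ip_address(dst) in net for net in rule.dst)
    if in_dst == rule.invert_dst:   # "!" flips the destination test
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules, proto, dst, dport):
    """First matching rule wins; no match means pfSense's default deny."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, dst, dport):
            return rule.action, index
    return "block", None

VPN_TCP = Rule("pass", "tcp", WIFI_ADDRESS, 1194)      # the mistaken rule
VPN_UDP = Rule("pass", "udp", WIFI_ADDRESS, 1194)      # the corrected rule
INTERNET_ONLY = Rule("pass", "any", PRIVATE_IPV4, invert_dst=True)
BLOCK_PRIVATE = Rule("block", "any", PRIVATE_IPV4)
ALLOW_ALL = Rule("pass", "any", ANY)

# Assumed rule layouts, top to bottom as they would appear on the WiFi tab.
ORIGINAL = [INTERNET_ONLY]                        # VPN port: default deny
WRONG_PROTO = [VPN_TCP, INTERNET_ONLY]            # UDP 1194 still denied
CORRECTED = [VPN_UDP, INTERNET_ONLY]              # VPN passes, LAN blocked
VPN_BELOW_BLOCK = [BLOCK_PRIVATE, VPN_UDP, ALLOW_ALL]  # never reached
```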
            • chudak

              Stupid me  :(

              Corrected, but still no love
              https://snag.gy/KXsxWl.jpg

              • johnpoz, LAYER 8 Global Moderator

                What rules do you have above that rule? Is OpenVPN listening on that interface? What are you pointing your client to, name or IP, etc.?

                I see hits to that rule. So it seems maybe you have pfSense not listening on the interface you're hitting, or you're using some name that is not resolving correctly to the correct IP, etc.

                If you hit your OpenVPN, are you allowing access to your LAN, etc.?

                • chudak

                  Here is what I know (maybe not all of what you are asking).
                  My OpenVPN server is on port 1194.

                  https://snag.gy/JF4Hbc.jpg

                  It's using DDNS, not an IP.

                  When I use rules like !LAN net (https://snag.gy/gcnU5z.jpg) it seems to work fine, restricting access to the LAN and allowing connection to the OpenVPN server.

                  However, when I enable rules like this https://snag.gy/RumEDX.jpg, I can connect from other WiFis and connect to OpenVPN, but from my WiFi I have no internet access and no OpenVPN connection.

                  • johnpoz, LAYER 8 Global Moderator

                    What interface is that OpenVPN running on?

                    In your client config, what are you pointing them to in your export of the config?

                    If you want your WiFi clients to use the VPN, then it should be listening on the WiFi interface of pfSense, and NOT your WAN.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.