Trouble getting my access point to work with my VPN



  • I have a SG-4860 running the latest 2.4.0.RC and I connect to Nord over OpenVPN. The AP I recently bought is an Ubiquiti UAP AC PRO and is on the latest firmware. I've been running OpenVPN for a long time so there is no issue with that configuration. My plan here is to stop using my Apple Airport Extreme in bridge mode for wifi and use this AP because I can mount it in a better location (and maybe get a second one). My end goal is wireless access to the web via the VPN through this new AP.

    Following another forum thread (https://forum.pfsense.org/index.php?topic=119574.0) I've made some progress:

    • Created an interface for the AP (I call it WIFI) and assigned it a static IP (192.168.2.1)

    • Under Firewall / Rules / WIFI I created a Pass rule with WIFI as the interface, and the Source as "WIFI net". They were clear on that other thread to not create the rule on LAN where my VPN rule is.

    • Under Services / DHCP Server / WIFI I enabled "Enable DHCP server on WIFI interface" and set an IP range.

    • Under Firewall / NAT / Outbound I was on a "Manual Outbound NAT rule generation" configuration, but per that thread I linked, I went to Hybrid and then back to Manual, and the rules that were automatically generated are now in my Manual listing. (see attachment)

    • Via the UniFi iOS app I'm able to set the SSID/password and validate that the AP is assigned an IP address e.g. 192.168.2.2.

    • I'm able to see that I am indeed connected to the AP via the list of connected clients, and I can resolve domains while connected to the AP.

    Here is my problem: I'm not behind my VPN while connected to the AP.

    At first I thought (A) maybe under Firewall / NAT / Outbound I need to modify the Mappings for 192.168.2.0 and change the interface to INT534 (my OpenVPN interface) but that didn't work. Then I started wondering if (B) I needed to modify the default Gateway on the Firewall rule I have under WIFI. THEN I got to wondering if (C) I need to Bridge my WIFI and INT534 interfaces.

    Any pointers would be greatly appreciated!
    ![Screen Shot 2017-09-23 at 7.57.13 PM.png](/public/imported_attachments/1/Screen Shot 2017-09-23 at 7.57.13 PM.png)



  • See attached screenshot.

    1.  The extra ISAKMP rules aren't needed, so I just delete them to get rid of some clutter.
    2.  Renamed one for clarity.  Something like "LAN to OpenVPN" or "LAN to Nord VPN"

    You'll need to create two new entries:

    3.  This allows your pfSense box itself to communicate out over the VPN too.

    Interface:  INT534
    Source:  127.0.0.0/8
    Source Port:  *
    Destination:  *
    Destination Port:  *
    NAT Address:  INT534 address
    Description:  "localhost to OpenVPN" or "localhost to Nord VPN"

    4.  This one's important and the main reason for your issue.  This allows your WIFI interface to communicate out over the VPN.

    Interface:  INT534
    Source:  192.168.2.0/24
    Source Port:  *
    Destination:  *
    Destination Port:  *
    NAT Address:  INT534 address
    Description:  "WIFI to OpenVPN" or "WIFI to Nord VPN"

    5.  Optional:  Rename the INT534 interface to something more clear like "NordVPN".  (This is done by going to the "Interfaces" menu up top.)
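For readers who want to see the same configuration outside the GUI, here is an added example that is not part of the thread and not pfSense's generated ruleset: a hand-written pf.conf fragment expressing the two outbound NAT entries from the answer above, plus a pass rule on the WIFI interface with its gateway set to the VPN gateway, which is what option (B) in the question was probing and is what actually steers the WIFI subnet into the tunnel. The interface and address names are assumptions: `em2` for the WIFI interface, `ovpnc1` for the OpenVPN client interface the GUI shows as INT534, and `10.8.0.1` for the VPN-side gateway.

```pf
# Added example (not from the thread): pf.conf equivalent of the pfSense
# settings discussed above. All names below are placeholders/assumptions:
#   em2      = the WIFI interface (192.168.2.1/24)
#   ovpnc1   = the OpenVPN client interface shown in the GUI as INT534
#   10.8.0.1 = the tunnel-side gateway pushed by the OpenVPN server
wifi_if  = "em2"
vpn_if   = "ovpnc1"
vpn_gw   = "10.8.0.1"
wifi_net = "192.168.2.0/24"

# --- Outbound NAT (Firewall / NAT / Outbound, Manual mode) ---

# Entry 3 in the answer: traffic the firewall itself originates from a
# loopback source is translated to the VPN interface address.
nat on $vpn_if inet from 127.0.0.0/8 to any -> ($vpn_if) port 1024:65535

# Entry 4 in the answer: the WIFI subnet is translated to the VPN interface
# address. Without this, packets leave ovpnc1 with a 192.168.2.x source and
# the provider either drops them or the replies never find their way back.
nat on $vpn_if inet from $wifi_net to any -> ($vpn_if) port 1024:65535

# --- Firewall rule on WIFI (Firewall / Rules / WIFI) ---

# The Pass rule with Source "WIFI net", with the rule's Gateway set to the
# VPN gateway. route-to is the pf mechanism behind that Gateway field: it
# policy-routes matching packets out ovpnc1 regardless of the default route,
# so the NAT entry above is what they hit on the way out.
pass in quick on $wifi_if route-to ($vpn_if $vpn_gw) inet \
    from $wifi_net to any keep state label "WIFI to NordVPN"
```

Two practitioner checks that the thread does not spell out: `pfctl -sn` on the firewall should list the translation for 192.168.2.0/24 on the VPN interface, and a client on the WIFI SSID should show the provider's address rather than the WAN address (the poster's Nord/DNSleaktest check does the same). Caveat, stated from pfSense behaviour rather than from this thread: if the VPN gateway is marked down, pfSense by default loads the rule without its gateway and the WIFI clients silently fall back to the WAN unless "Skip rules when gateway is down" is enabled under System / Advanced / Miscellaneous, so repeat the leak check after deliberately stopping the OpenVPN client.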




  • Thanks for the help! I'm online and behind my VPN (according to Nord, DNSleaktest, etc.) via the AP. Image attached.

    Oddly, I cannot access PFSense via 192.168.1.1 while on wireless… Quite strange. EDIT: That's because the AP is 192.168.2.1 :D

    ![Screen Shot 2017-09-24 at 1.18.23 PM.png](/public/imported_attachments/1/Screen Shot 2017-09-24 at 1.18.23 PM.png)

