Netgate Discussion Forum

    Specifying 1 network on 1 interface tunnels the whole network

    OpenVPN
    • silverhoof

      Hello, so this is my dilemma. I have a Linode server outside of Canada (Florida, to be specific). Now, due to my ISP's double NAT, I believed this might be a possible chance to bypass such an issue with the network I want to make available to the world (i.e. my DMZ). I have 4 networks on 4 separate ports: my WAN interface (192.168.0.0), my standard home usage for family (192.168.1.0), my DMZ (192.168.2.0), and finally my direct access for maintenance port via console (192.168.3.0). I have applied the rules to assure these networks cannot speak to each other, and as an added step my layer 3 switch has each of these networks (if using) on separate VLANs. The VPN successfully works with OpenVPN; the configurations all work and the handshake goes without a hitch. However, even though I specify the 2.0 network in the remote IPv4 section, it tunnels the entire network. This is an issue due to online services that block VPN and anti-block connections or software. So my question is: is there an option or section I have missed that is doing this? Or is it an error in pfSense that specifying the network to tunnel doesn't actually matter and will run me the entire network regardless?

      • johnpoz (LAYER 8 Global Moderator)

        "I have applied the rules to assure these networks cannot speak to each other and as an added step my layer 3 switch has each of these networks (if using) on separate VLANs."

        Huh.. pfSense would have nothing to do with controlling traffic between segments if you have a downstream layer 3 doing the routing.  What is your transit network between pfSense and this L3 (router)?

        So your pfSense has a WAN with an RFC1918 address, so what does your pfSense plug into?  Some ISP router that NATs a public IP to 192.168.0?  Or are you saying the ISP is also doing carrier-grade NAT and your router in front of pfSense has another RFC1918 address on its WAN?

        But your goal is to have a VPN from your pfSense to your VPN server you run on a VPS - and users accessing this VPS public IP get forwarded down the tunnel to your box sitting on your DMZ?  That sounds like it is your goal..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • silverhoof

          The overall final goal is that my ISP uses 4G LTE with double NATing and combining users to 1 dynamic IP (i.e. 500 customers have the same public IP address). In turn I cannot access my servers properly without headache and instability. So my thought was to create a VPN access server with Linode using Debian 8 and connect my pfSense machine with a tunnel BUT… only send the DMZ server network through the VPN instead of all of it. I have tried modifying the NAT rules on my side to try and send the LAN through the original WAN and the DMZ network through the OpenVPN port. But it seems no matter what I try, the OpenVPN virtual port will take full control of the WAN port and not allow anything through (i.e. when the modified rule is applied my DMZ network indeed goes through the VPN, but my LAN network gets completely blocked).

          • johnpoz (LAYER 8 Global Moderator)

            Are you pulling default routes from the VPN server you're running? Then yeah, it would route all traffic through your VPN..

            If you want your DMZ machines to use the tunnel and your other machines to use your WAN, that is basic policy routing.. Just send the DMZ or any IP you want out the gateway you created for the VPN connection.  Let your other clients just use the normal routing of pfSense, which should send it out your WAN, etc.

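            The split johnpoz describes (DMZ through the tunnel, everything else out the WAN) comes down to two things: the VPS must not push a default route to the pfSense client, and pfSense must policy-route only the DMZ to the VPN gateway. The fragment below is an added example, not configuration from this thread or from Netgate; it assumes a standard OpenVPN 2.4+ server on the Linode VPS with its config at /etc/openvpn/server.conf (assumed path), a pfSense client whose certificate common name is pfsense-home (assumed name), a tunnel subnet of 10.8.0.0/24 (constructed), and the 192.168.2.0/24 DMZ from the thread.

```conf
# /etc/openvpn/server.conf on the VPS (assumed path; only the relevant lines)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0          # tunnel subnet (constructed value)

# This single directive is what "tunnels the whole network": pfSense honours
# the pushed default route and sends every segment, LAN included, into tun.
# Leave it commented out (or absent) so the client keeps its own default route.
# push "redirect-gateway def1"

# Reaching the DMZ behind the pfSense client: `route` adds the kernel route on
# the VPS, `iroute` in the per-client file tells OpenVPN which client owns it.
route 192.168.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd

# /etc/openvpn/ccd/pfsense-home  (file name = client certificate CN, assumed)
#   iroute 192.168.2.0 255.255.255.0
#   ifconfig-push 10.8.0.2 255.255.255.0   # fixed tunnel IP for pfSense (constructed)

# pfSense OpenVPN client, "Custom options" box: belt-and-braces protection in
# case the server is ever reconfigured to push a default route again.
#   pull-filter ignore "redirect-gateway"
```

            On the pfSense side the remaining steps are the ones in the reply above: tick "Don't pull routes" on the OpenVPN client (pfSense's name for route-nopull), assign the OpenVPN interface so that a gateway for it exists, and on the DMZ interface's pass rule set Advanced > Gateway to that VPN gateway. LAN rules keep the gateway at "default", so family traffic still leaves via the WAN. To check the result, Diagnostics > Routes should still show the default route pointing at the WAN, a traceroute from a DMZ host should show the 10.8.0.1 tunnel address as the hop after pfSense, and the same traceroute from a LAN host should show the ISP path.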
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.