Netgate Discussion Forum
    Pfsense behind ADSL router

Category: Problems Installing or Upgrading pfSense Software
    11 Posts 4 Posters 1.7k Views
Litan:

      Hi Everyone,
I read some old posts about this question but still can't make it work, so I want to ask your opinion.
This is a small business; however, it requires a VPN to connect the site office to the main office.

The main office has ADSL service, so there is an ADSL modem in use (192.168.0.1/255.255.255.0). Due to budget considerations, and because they have a very old-school phone system still connected to this ADSL modem, we want to keep the ADSL router, so we set up a pfSense box (Dell Core 2 machine with 2 NICs) behind the ADSL router. The pfSense box gets IP 192.168.0.4/24, so this is set as the WAN port. We then set up 10.1.1.1/16 as LAN and connected the PCs, printer and the application server to LAN, so machines are now getting IPs in 10.1.1.x/16.
I followed the guide ( https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/ ) to set up OpenVPN, but it is now showing an error:

      There were error(s) loading the rules: /tmp/rules.debug:141: unknown protocol udp4 - The line in question reads [141]: pass in quick on $WAN reply-to ( em0 192.168.0.1 ) inet proto udp4 from any to 192.168.0.4 tracker 1523073990 keep state label "USER_RULE: OpenVPN Remote User wizard"
      @ 2018-04-07 17:25:22

      The things we have tried so far -
      1 - Added 192.168.0.4 with UDP port 1194 as Virtual Server (because this router doesn't have port forwarding feature) on ADSL router
      2 - Tried adding 192.168.0.4 as DMZ host on ADSL server
      3 - Reviewed other articles online but still no luck
      4 - Enabled OpenVPN log level to highest but still getting the same error
      5 - Tried both Android and Windows and still getting the same

      If you need other information regarding the setting please let me know.

      thanks again.

Derelict (Netgate):

        Looks like this. https://redmine.pfsense.org/issues/8391

        The fix there should correct both TCP and UDP.

        You should be able to edit the WAN rule, select IPv4 and UDP, and save.

        The problem is inet proto udp4 should be inet proto udp

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

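The rule pf rejected is the wizard output with an address-family suffix glued onto the protocol name (`proto udp4`); the family is already selected by `inet` earlier in the same rule, which is why `proto udp` is the correct form. As an added example (not code from the thread or from the pfSense project), here is a small Python lint for a saved copy of /tmp/rules.debug that flags protocol names pf will not resolve and rewrites the `udp4`/`tcp4` form back to `udp`/`tcp`. The sample ruleset is constructed: its first line is the failing line 141 from the first post, and the other three lines are hypothetical, showing the TCP variant of the same bug plus a brace list and a numeric protocol that pf accepts. The protocol list is a hand-picked subset of /etc/protocols, not the full table.

```python
import re

# Protocol names pf resolves through /etc/protocols. Hand-picked subset for this
# lint; pf also accepts numeric protocol IDs, which the lint passes through.
KNOWN_PROTOS = {
    "tcp", "udp", "icmp", "icmp6", "ipv6-icmp", "esp", "ah", "gre", "igmp",
    "pim", "ospf", "sctp", "carp", "pfsync", "ipencap", "ipv6", "etherip", "vrrp",
}

# Constructed sample. Line 1 is the failing rule quoted in the post; the other
# three lines are hypothetical: a TCP variant of the same bug, a brace list and
# a numeric protocol (the last two are valid pf syntax and must pass).
SAMPLE_RULES = """\
pass in quick on $WAN reply-to ( em0 192.168.0.1 ) inet proto udp4 from any to 192.168.0.4 tracker 1523073990 keep state label "USER_RULE: OpenVPN Remote User wizard"
pass in quick on $WAN reply-to ( em0 192.168.0.1 ) inet proto tcp4 from any to 192.168.0.4 port 1194 tracker 1523073991 keep state label "USER_RULE: hypothetical TCP variant"
pass in quick on $LAN inet proto { tcp udp } from 10.1.1.0/16 to any tracker 1523073992 keep state label "USER_RULE: Default allow LAN"
pass in quick on $WAN inet proto 47 from any to 192.168.0.4 tracker 1523073993 keep state label "USER_RULE: GRE by number"
"""

# 'proto' followed by either a single token or a { ... } list
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")


def proto_tokens(rule):
    """Protocol names used by one rule line ([] if the rule has no proto clause)."""
    m = PROTO_RE.search(rule)
    if not m:
        return []
    spec = m.group(1)
    if spec.startswith("{"):
        return spec.strip("{}").replace(",", " ").split()
    return [spec]


def family_suffix_fix(token):
    """'udp4' -> 'udp' when the only defect is an address-family suffix.

    The family is already chosen by 'inet'/'inet6' earlier in the rule, so the
    suffix does not belong on the protocol name. Returns None when no such fix
    applies (this also keeps real names such as 'icmp6' untouched).
    """
    if token not in KNOWN_PROTOS and token[-1:] in "46" and token[:-1] in KNOWN_PROTOS:
        return token[:-1]
    return None


def lint_rules(text):
    """Return [(line_no, bad_token, suggested_fix_or_None)] for tokens pf would reject."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for tok in proto_tokens(line):
            if tok.isdigit() or tok in KNOWN_PROTOS:
                continue
            findings.append((n, tok, family_suffix_fix(tok)))
    return findings


def fix_rules(text):
    """Rewrite every 'proto udp4'/'proto tcp4' style token; leave all other lines intact."""
    def repl(m):
        fix = family_suffix_fix(m.group(1))
        return "proto " + fix if fix else m.group(0)
    return "\n".join(re.sub(r"\bproto\s+(\S+)", repl, ln) for ln in text.splitlines()) + "\n"


if __name__ == "__main__":
    for n, tok, fix in lint_rules(SAMPLE_RULES):
        print(f"rules line {n}: unknown protocol {tok!r}" + (f", use {fix!r}" if fix else ""))
    # On the firewall itself the authoritative parse check is:  pfctl -nf /tmp/rules.debug
    print(fix_rules(SAMPLE_RULES))
```

The lint is a convenience for reading a rules.debug copied off the box; the authoritative check is `pfctl -nf /tmp/rules.debug` on the firewall, which parses the file without loading it and reports the same "unknown protocol" line number the GUI shows. In the GUI the equivalent of `fix_rules` is what Derelict describes: edit the WAN rule, select IPv4 and UDP, and save, so the rule is regenerated with `proto udp`.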
Litan:

          @Derelict:

          Looks like this. https://redmine.pfsense.org/issues/8391

          The fix there should correct both TCP and UDP.

          You should be able to edit the WAN rule, select IPv4 and UDP, and save.

          The problem is inet proto udp4 should be inet proto udp

          Hi Derelict,
Thanks for your help. I followed your suggestion, then re-generated the Windows client; I can now connect and receive IP 5.5.5.2.
Just one more question, if you don't mind: I tried to ping 10.1.1.28 (a LAN machine) but it failed. Is it something with an easy fix?
          However pinging 10.1.1.1 - pfsense is okay

Getting the following in the OpenVPN client:

Sat Apr 07 20:26:25 2018 TAP-WIN32 device [Ethernet] opened: \\.\Global\{9ECAB1D9-5202-48DA-989A-1A61C9FA851B}.tap
          Sat Apr 07 20:26:25 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 5.5.5.0/5.5.5.2/255.255.255.0 [SUCCEEDED]
          Sat Apr 07 20:26:25 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 5.5.5.2/255.255.255.0 on interface {9ECAB1D9-5202-48DA-989A-1A61C9FA851B} [DHCP-serv: 5.5.5.254, lease-time: 31536000]
          Sat Apr 07 20:26:25 2018 Successful ARP Flush on interface [22] {9ECAB1D9-5202-48DA-989A-1A61C9FA851B}
          Sat Apr 07 20:26:25 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Apr 07 20:26:30 2018 ROUTE: route addition failed using service: The parameter is incorrect. [status=87 if_index=22]
          Sat Apr 07 20:26:30 2018 Initialization Sequence Completed

Litan:

            Thanks Derelict.
            All good now. :)

shoggy:

              Hi guys,
              I was in the same scenario as Litan, so thanks Derelict, that fixed my issue as well.

Litan, how did you resolve pinging the machine on LAN? I can also ping my pfSense LAN interface but not machines on the network.
I feel like I am missing a rule.

Gertjan:

                @shoggy:

Litan, how did you resolve pinging the machine on LAN? I can also ping my pfSense LAN interface but not machines on the network.
I feel like I am missing a rule.

                Ping from where ?
                From pfSense (console access - option 7, or option 8) or a host from LAN ?
                Both are possible without adding or changing any rules on any interfaces.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

shoggy:

                  Gertjan, I apologize for not being clear.

                  pfsense WAN - 10.0.1.1
                  pfsense LAN - 10.0.2.1
                  internal computer - 10.0.2.6
                  remote computer VPN address - 10.0.1.2

Using the pfSense diagnostic tool, I can ping both internal (10.0.2.6) and remote (10.0.1.2).
From the remote computer, I can ping 10.0.2.1 (pfSense LAN interface) but cannot ping 10.0.2.6.

                  Hope that clarifies it a little. Thanks.

Gertjan:

                    @shoggy:

                    pfsense WAN - 10.0.1.1
                    pfsense LAN - 10.0.2.1
                    internal computer - 10.0.2.6

                    WAN is 10.0.1.1/what ? /8 ? /16 ? /24 ?
                    And LAN ?


shoggy:

                      All the listed subnets are /24

                      and LAN is 10.0.2.0/24

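Gertjan asks for the masks because an OpenVPN tunnel network, the WAN subnet and the LAN subnet have to be disjoint: the client only gets a usable route to a LAN host if the LAN does not collide with the tunnel or with any network the client already sits on, and a tunnel carved out of public address space silently blackholes the real owners of those addresses for the duration of the connection. As an added example (not from the thread, nor pfSense or OpenVPN code), the check below runs over the addresses posted in this thread. Litan's tunnel 5.5.5.0/24 is taken from the client log above; shoggy's tunnel network is never stated, so 10.0.1.0/24 is assumed from the client address 10.0.1.2. The second function prints the `push "route ..."` directive OpenVPN needs for each network the client should reach, which is what pfSense generates from the server's "IPv4 Local network(s)" field. Any extra entry you add to a plan (for instance the remote user's home LAN) is included in the pairwise overlap check.

```python
import ipaddress

# Constructed from the addresses posted in the thread. Litan's tunnel comes from
# the client log; shoggy's tunnel is not stated and 10.0.1.0/24 is ASSUMED from
# the client address 10.0.1.2.
LITAN = {"WAN": "192.168.0.4/24", "LAN": "10.1.1.1/16", "tunnel": "5.5.5.0/24"}
SHOGGY = {"WAN": "10.0.1.1/24", "LAN": "10.0.2.1/24", "tunnel": "10.0.1.0/24"}


def check_addressing(plan):
    """Return a list of problems with an interface/tunnel addressing plan.

    plan maps a name to an address or network in CIDR form. Every pair of
    networks must be disjoint, and the tunnel must use private space so the
    client keeps reachability to real Internet hosts while connected.
    An empty list means the plan passes.
    """
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    tun = nets.get("tunnel")
    if tun is not None and not tun.is_private:
        problems.append(f"tunnel {tun} is not private (RFC 1918) address space")
    return problems


def client_routes(plan, reachable=("LAN",)):
    """OpenVPN server directives that push a route for each named network to clients."""
    return ['push "route %s %s"' % (n.network_address, n.netmask)
            for n in (ipaddress.ip_interface(plan[name]).network for name in reachable)]


if __name__ == "__main__":
    for who, plan in (("Litan", LITAN), ("shoggy", SHOGGY)):
        print(who, check_addressing(plan) or "ok")
        print("  ", client_routes(plan))
```

Run against the posted numbers, shoggy's plan fails on the WAN/tunnel overlap if the assumed tunnel network is right, and Litan's passes the overlap test but is flagged for using 5.5.5.0/24, a range that is not RFC 1918 space. Neither finding changes what the posters reported; it is the check to run before looking for a missing firewall rule.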
shoggy:

I was able to resolve this by recreating the firewall rule to pass traffic for the OpenVPN; beats me why it didn't work before.
                        I am not able to connect to the VPN and traffic flows both ways. I appreciate the effort Gertjan

Gertjan:

                          @shoggy:

I was able to resolve this by recreating the firewall rule to pass traffic for the OpenVPN; beats me why it didn't work before.

When you use the OpenVPN Wizard, it ends up setting an automatically generated firewall rule on your WAN interface that lets VPN traffic in. See image.
It's a simple rule that lets UDP (I chose UDP) traffic in on port 1194 (because that's my VPN port) on my WAN.

                          @shoggy:

                          I am not able to connect to the VPN and traffic flows both ways. I appreciate the effort Gertjan

                          You said it was resolved.
                          You are not able to connect, … and traffic flows both ways, which means you are connected.
                          I don't understand.

                          edit : what are your firewall rules on the Firewall => Rules => OpenVPN tab ?

                          edit again : I 'checked' https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/
It will work, but why "8.8.8.8" is included as a DNS server still puzzles me.
                          You saw this part :

                          19. Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN rule boxes and clicking Next. These rules will allow your client to connect to the OpenVPN server and allow VPN traffic between the client and server.

                          and

                          Firewall

                          Firewall settings are generated automatically by the wizard. However, depending on your firewall setup and version, you may have to check the setting the wizard has created. First, navigate to Firewall -> Rules and select WAN. You should see a firewall rule permitting IPv4 traffic incoming through the WAN via the OpenVPN port. This will allow clients to connect to the VPN via the external WAN interface.

                          If you are having issues routing traffic through the VPN, navigate to Firewall -> Nat, select Outbound and ensure the Mode is set to "Automatic outbound NAT rule generation. (IPsec passthrough included)".

[image: openvpndefault.PNG, the wizard-generated WAN pass rule for the OpenVPN port]


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.