Pfsense behind ADSL router



  • Hi Everyone,
    I read some old posts about this question but still can't make it work, so I want to ask your opinion.
    This is a small business; however, it requires a VPN to connect the site office to the main office.

    The main office has ADSL service, so there is an ADSL modem being used (192.168.0.1/255.255.255.0). Due to budget considerations, and because they have a very old-school phone system still connected to this ADSL modem, we want to keep the ADSL router, so we set up a pfSense box (Dell Core 2 machine with 2 NICs) behind the ADSL router. The pfSense box is getting IP 192.168.0.4/24, so this is set as the WAN port. We then set up 10.1.1.1/16 as LAN and connected the PCs, printer and the application server to LAN, so machines are now getting IPs 10.1.1.x/16.
    I followed this guide (https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/) to set up OpenVPN, but it is now showing this error:

    There were error(s) loading the rules: /tmp/rules.debug:141: unknown protocol udp4 - The line in question reads [141]: pass in quick on $WAN reply-to ( em0 192.168.0.1 ) inet proto udp4 from any to 192.168.0.4 tracker 1523073990 keep state label "USER_RULE: OpenVPN Remote User wizard"
    @ 2018-04-07 17:25:22

    The things we have tried so far:
    1 - Added 192.168.0.4 with UDP port 1194 as a Virtual Server (because this router doesn't have a port forwarding feature) on the ADSL router
    2 - Tried adding 192.168.0.4 as DMZ host on the ADSL server
    3 - Reviewed other articles online, but still no luck
    4 - Enabled the OpenVPN log level to the highest, but still getting the same error
    5 - Tried both Android and Windows, and still getting the same

    If you need other information regarding the settings, please let me know.

    Thanks again.


  • Netgate

    Looks like this. https://redmine.pfsense.org/issues/8391

    The fix there should correct both TCP and UDP.

    You should be able to edit the WAN rule, select IPv4 and UDP, and save.

    The problem is that "inet proto udp4" should be "inet proto udp".
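
    The rejected rule from the error above and Derelict's fix, as an added example that is not from the thread or from pfSense: a small Python checker that scans rules.debug text for the "proto udp4"/"tcp4"/"udp6"/"tcp6" tokens pf rejects as unknown protocols and shows the corrected line. The regexes and the sample rules are constructed for this example; only the second sample line is the one quoted in the post.

```python
import re

# Matches the malformed protocol token pf rejects: 'proto udp4', 'proto tcp6', ...
_BAD_PROTO_RE = re.compile(r"\bproto\s+(tcp|udp)([46])\b")
# Matches the address-family keyword that already carries the 4/6 information.
_FAMILY_RE = re.compile(r"\b(inet6|inet)\b")


def fix_pf_proto(rule):
    """Rewrite 'proto udp4'/'proto tcp6' to 'proto udp'/'proto tcp'.

    Returns (fixed_rule, changed, family_mismatch). family_mismatch is True when
    the digit on the protocol disagrees with the inet/inet6 keyword on the line,
    which is worth a second look before just dropping the digit.
    """
    m = _BAD_PROTO_RE.search(rule)
    if not m:
        return rule, False, False
    fam = _FAMILY_RE.search(rule)
    family = fam.group(1) if fam else None
    mismatch = ((family == "inet" and m.group(2) == "6")
                or (family == "inet6" and m.group(2) == "4"))
    fixed = _BAD_PROTO_RE.sub(lambda mm: f"proto {mm.group(1)}", rule)
    return fixed, True, mismatch


def check_rules_debug(text):
    """Scan rules.debug contents; return (lineno, original, fixed, mismatch)
    for every rule pf would reject with 'unknown protocol'."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        fixed, changed, mismatch = fix_pf_proto(line)
        if changed:
            findings.append((n, line, fixed, mismatch))
    return findings


# Constructed sample: line 2 is the rule quoted in the error message above; line 1
# is a valid rule; line 3 deliberately mixes 'inet' with 'tcp6' to show the check.
SAMPLE_RULES = """\
pass in quick on $LAN inet from 10.1.1.0/16 to any tracker 1000000001 keep state
pass in quick on $WAN reply-to ( em0 192.168.0.1 ) inet proto udp4 from any to 192.168.0.4 tracker 1523073990 keep state label "USER_RULE: OpenVPN Remote User wizard"
pass in quick on $WAN inet proto tcp6 from any to 192.168.0.4 port 1194 tracker 1000000002 keep state
"""

if __name__ == "__main__":
    for lineno, orig, fixed, mismatch in check_rules_debug(SAMPLE_RULES):
        print(f"rules.debug:{lineno}: {orig}")
        note = "  (family keyword disagrees with the digit)" if mismatch else ""
        print(f"  -> {fixed}{note}")
```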



  • @Derelict:

    Looks like this. https://redmine.pfsense.org/issues/8391

    The fix there should correct both TCP and UDP.

    You should be able to edit the WAN rule, select IPv4 and UDP, and save.

    The problem is that "inet proto udp4" should be "inet proto udp".

    Hi Derelict,
    Thanks for your help. I followed your suggestion and then regenerated the Windows client; I can now connect and receive IP 5.5.5.2.
    Just one more question, if you don't mind: I tried to ping 10.1.1.28 (a LAN machine) but it failed. Is it something easy to fix?
    However, pinging 10.1.1.1 (pfSense) is okay.

    I am getting the following in the OpenVPN client:

    Sat Apr 07 20:26:25 2018 TAP-WIN32 device [Ethernet] opened: \.\Global{9ECAB1D9-5202-48DA-989A-1A61C9FA851B}.tap
    Sat Apr 07 20:26:25 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 5.5.5.0/5.5.5.2/255.255.255.0 [SUCCEEDED]
    Sat Apr 07 20:26:25 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 5.5.5.2/255.255.255.0 on interface {9ECAB1D9-5202-48DA-989A-1A61C9FA851B} [DHCP-serv: 5.5.5.254, lease-time: 31536000]
    Sat Apr 07 20:26:25 2018 Successful ARP Flush on interface [22] {9ECAB1D9-5202-48DA-989A-1A61C9FA851B}
    Sat Apr 07 20:26:25 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Sat Apr 07 20:26:30 2018 ROUTE: route addition failed using service: The parameter is incorrect.  [status=87 if_index=22]
    Sat Apr 07 20:26:30 2018 Initialization Sequence Completed



  • Thanks Derelict.
    All good now. :)



  • Hi guys,
    I was in the same scenario as Litan, so thanks Derelict, that fixed my issue as well.

    Litan, how did you resolve pinging the machine on LAN? I can also ping my pfSense LAN interface but not machines on the network.
    I feel like I am missing a rule.



  • @shoggy:

    Litan, how did you resolve pinging the machine on LAN? I can also ping my pfSense LAN interface but not machines on the network.
    I feel like I am missing a rule.

    Ping from where?
    From pfSense (console access, option 7 or option 8) or from a host on the LAN?
    Both are possible without adding or changing any rules on any interfaces.



  • Gertjan, I apologize for not being clear.

    pfSense WAN - 10.0.1.1
    pfSense LAN - 10.0.2.1
    internal computer - 10.0.2.6
    remote computer VPN address - 10.0.1.2

    Using the pfSense diagnostic tool, I can ping both the internal (10.0.2.6) and remote (10.0.1.2) machines.
    From the remote computer, I can ping 10.0.2.1 (pfSense LAN interface) but cannot ping 10.0.2.6.

    Hope that clarifies it a little. Thanks.



  • @shoggy:

    pfSense WAN - 10.0.1.1
    pfSense LAN - 10.0.2.1
    internal computer - 10.0.2.6

    WAN is 10.0.1.1/what? /8? /16? /24?
    And LAN?



  • All the listed subnets are /24,

    and LAN is 10.0.2.0/24.



  • I was able to resolve this by recreating the firewall rule to pass traffic for the OpenVPN; beats me why it didn't work before.
    I am not able to connect to the VPN and traffic flows both ways. I appreciate the effort, Gertjan.



  • @shoggy:

    I was able to resolve this by recreating the firewall rule to pass traffic for the OpenVPN; beats me why it didn't work before.

    When you use the OpenVPN Wizard, it ends up setting an automatically generated firewall rule on your WAN interface that lets VPN traffic in. See image.
    It's a simple rule that lets UDP (I chose UDP) traffic in on port 1194 (because that's my VPN port) on my WAN.

    @shoggy:

    I am not able to connect to the VPN and traffic flows both ways. I appreciate the effort, Gertjan.

    You said it was resolved.
    You are not able to connect, … and traffic flows both ways, which means you are connected.
    I don't understand.

    edit: what are your firewall rules on the Firewall => Rules => OpenVPN tab?

    edit again: I 'checked' https://www.sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-pfsense-and-viscosity/
    It will work, but why it includes "8.8.8.8" as a DNS server still puzzles me.
    You saw this part:

    19. Now accept the default firewall rules by checking both the Firewall Rule and OpenVPN rule boxes and clicking Next. These rules will allow your client to connect to the OpenVPN server and allow VPN traffic between the client and server.

    and

    Firewall

    Firewall settings are generated automatically by the wizard. However, depending on your firewall setup and version, you may have to check the setting the wizard has created. First, navigate to Firewall -> Rules and select WAN. You should see a firewall rule permitting IPv4 traffic incoming through the WAN via the OpenVPN port. This will allow clients to connect to the VPN via the external WAN interface.

    If you are having issues routing traffic through the VPN, navigate to Firewall -> Nat, select Outbound and ensure the Mode is set to "Automatic outbound NAT rule generation. (IPsec passthrough included)".