Looking for advice
-
Looking for a bit of advice. I live in a country with rather restricted internet, and they just beefed up their DPI to cover OpenVPN. My current setup is (WAN -> pfSense -> Unifi Switch). I route everything through an OpenVPN server except for a few VMs/Docker containers on an Unraid server, which currently I just group in aliases and push to the WAN.
But with the recent blocking of OpenVPN, I have turned to IPsec, which works just fine. But I need to selectively route those few machines over WAN, so I started with a fresh install of pfSense and set up the following.
Turning IPsec on breaks LAN-to-LAN traffic (same result with VLANs), meaning no communication between subnets. So, I'm looking for some kind of a solution, either software or hardware.
-
Hi swingline,
I don't think I am fully comprehending what you are trying to accomplish. So, you will need to correct me if I am wrong.
From what I glean from your post, you have a server that you want to access remotely; however, you have security concerns about having open ports. You wanted to use OpenVPN, but it is blocked in your country. You tried to use IPsec as a replacement, and it is not working.
So, I am fairly certain that Mobile IPSec is pretty much broken in pfSense. I had a client that had an abhorrent POS Avaya IP phone system that only supported Mobile IPSec. Spent hours on it, googled it high and far, found 0 answers. Couldn't get it to route.
I have a similar situation, where my wife volunteers 2 Sundays a month and I go with her, but I usually just sit around for two hours on my laptop. Their public wifi only allows TCP 80 and 443. They literally block all other ports. So 1194 UDP is out. Another abhorrently stupid POS Aruba wifi system that they got at 99% off, because that's the only reason someone with half a brain would ever buy an Aruba system. What I ended up doing was setting up OpenVPN on port 443 TCP, and then it looks just like any other SSL web traffic. You might want to try that. If your ISP blocks 80 and 443 inbound to your IP address, you can try any other SSL-based normal port, like 465, 587 or 993, or even get creative. It's highly doubtful they can just scan a packet signature and find out it's VPN; they are probably just blocking a port.
Now, if it's also illegal, well, any VPN could get you in trouble, and you can always try something like just opening the ports and using Snort/Suricata and pfBlockerNG to make sure you have security covering those open ports.
-
> From what I glean from your post, you have a server that you want to access remotely; however, you have security concerns about having open ports. You wanted to use OpenVPN, but it is blocked in your country. You tried to use IPsec as a replacement, and it is not working.
I run all of my LAN traffic through a VPN client on pfSense, except for one server that I route through WAN so it won't eat up bandwidth on the VPN connection. VPN use isn't illegal; they just make it very hard to access. Until recently the ISP would only throttle OpenVPN traffic; now all OpenVPN traffic is being blocked. So I switched to using IPsec, which I know doesn't allow for policy-based routing on pfSense currently. So I am looking for solutions to allow me to route LAN traffic over IPsec and keep the server on the WAN. I'm willing to buy new hardware if there is something out there at the enterprise level that will allow for this kind of thing. I didn't want to start blindly buying things. I hope I have made the picture a little clearer.
Thanks