Confused about ISP setup
I've never used a pfSense device before but just inherited a small satellite office that has one in place. As part of our acquisition of this company a new internet service has been provisioned from our partner. It's the same configuration I have in all of our other offices but I am having trouble figuring out exactly how pfSense wants this to be set up (we use Palo Alto devices everywhere else).
The ISP provides us a /30 transit network as well as our usable routed subnet (in this case a /28). I currently guessed at the config using the documentation. I set up the WAN IP as one of the /30 and used the ISP gateway. I then set up the routed subnet as virtual IPs, changed the outbound NAT to manual and set that up so specific internal subnets/devices use IPs in the public block. Also set up port forwards as needed and all seems well.
I also set up a site-to-site IPsec tunnel and that appears to be working as well.
Here is where I am stuck... I attempted to set up OpenVPN on this box but for the life of me no matter what I do I cannot get traffic on the routed subnet to hit the firewall itself... any IP on the LAN, sure... but getting the traffic to route to the device itself goes nowhere.
I'm wondering if assigning the public block to virtuals is not the right way to do it. Can anyone tell me where/if I went wrong? I welcome the opportunity to learn if I have made mistakes.
So you want OpenVPN to listen on one of the VIPs?
Why not just have OpenVPN listen on your actual WAN IP, which is the IP you used in your transit /30?
but getting the traffic to route to the device itself goes nowhere.
What traffic to route to what IP... I'm a bit confused, are you asking about something on the public side hitting your OpenVPN server?
Not sure exactly what devices you have using these /28 IPs you have - but the other option is to just actually route them and put them on a network behind pfsense... Then all you need to do is normal firewall rules to allow stuff.
Do your other locations run stuff that needs to be open to the internet on public or rfc1918 space?
Maybe I should have left the other stuff out of my initial post... I guess my real question to start with is this...
When using a transit /30... is the correct way to set things up to assign all of the /28's usable addresses as VIPs?
Am I supposed to configure the /28 on a separate interface?
Depends on what you're wanting to accomplish exactly... You can do it either way... You sure don't need to create all of the /28 as VIPs if you don't want to... You could just use 1 or 2 of them if that is all you currently have use for.
Or since the /28 is actually routed to you - then you could yeah just fire up that public /28 behind pfsense.
You could split that into 2 /29s and use 1 for VIPs and the other behind pfSense.
OK thanks, I just wanted to rule out some initial configuration problems. It must be a problem with the firewall then as to why the openvpn can't be reached.
It is configured to use one of the vips in the openvpn server setup and the firewall rule to allow the traffic, it just can't be reached.
I will add that there is no internet on the transit network, it is only able to communicate with the ISP router. We have to outbound NAT to get any traffic out, so my assumption was that I would need to use the VIP for the inbound traffic to OpenVPN as well (that's how it's configured on the Palos for GlobalProtect at other sites as well).
It must just be something silly, I just wanted to make sure using vips wasn't the wrong approach. Thanks for the extremely quick response.
Ah, they are using RFC1918 transit? OK, that makes sense as to why you cannot just listen...
So your other VIPs are working for your other stuff, but you're saying you just cannot connect to the OpenVPN server that is running... Did you sniff on your WAN and validate the traffic even gets to you?
What are your WAN firewall rules for the OpenVPN? The wizard should have created them for you... But maybe you have something above blocking. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
They don't use rfc1918 address space, they just don't allow the traffic from source IP in the /30 anywhere but internal to them. I haven't the slightest idea why they do that but it's been the way they configure it since the beginning... we always have to be from a source IP in our block.
Yes, all of the other VIPs for SSH, HTTP(S), etc. route correctly to the device it's forwarded to (currently using 9 to support legacy web applications that don't support SNI).
I let the wizard add the rule, it's currently almost at the top, there should be no rules above it conflicting. I also tried to allow SSH to hit the pfSense box from off the subnet. Everything seems to work except where the external traffic needs to hit the pfSense box itself.
I have not done any traffic inspection on the WAN side... that may be my next step.
You're going to have to set up pfSense to use one of its VIPs for checking for updates and packages as well in your outbound NAT, vs. the default WAN IP.
To be honest, if you're not going to put the /28 behind pfSense, there is little reason for it to be routed... and no use for the transit network... You could just be directly attached to the /28...
What type of VIP did you create? IP Alias I assume. What are your outbound NATs, did you include the loopback for your outbound NATing?
I did IP Alias as you guessed. I do not think I have the loopback in the outbound NAT; I'm not in front of the box right now to verify.
I did add outbound nat for pfsense, and can confirm it worked because update checks seem to work and I downloaded a package successfully.
Yes. You can do whatever you like with the routed subnet so it is, in general, better than having it on the WAN interface itself.
You will need an IP Alias type VIP on the firewall itself to bind listening services like the OpenVPN server to.
You could also bind the OpenVPN server to localhost and forward the ip_address:1194 to 127.0.0.1:1194. In your situation that is probably what I would do.
Generally one outbound NATs to the interface address for connections from the firewall itself. You will have to choose an address for those connections. That will almost certainly also require a VIP on the firewall somewhere. It could be on Localhost. You will probably need something like an outbound NAT rule for source any as the last rule to catch everything that is not already translated to a different address. That is almost never a good idea but in your case you will probably need something like it.
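The two points that decide whether the firewall's own traffic ever gets out (outbound NAT rules are walked top down and the first match wins, and the ISP only forwards packets sourced from the routed block) are easy to model. The following is an added example, not configuration from the poster or from pfSense: a small Python model of outbound NAT evaluation and of the VIP:1194 to 127.0.0.1:1194 port forward suggested above. All addresses are constructed documentation ranges (transit 198.51.100.0/30, routed 203.0.113.0/28, LAN 10.0.0.0/24) and the rule tables are assumptions that mirror the thread's description, not the box's actual rules.

```python
"""Model of first-match outbound NAT and inbound port forwarding on a routed /28
behind a transit /30.  Added example with constructed addresses; the rule
tables are assumptions shaped like the thread's description, not real config."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class NatRule(NamedTuple):
    source: str                  # CIDR or "any"
    destination: str             # CIDR or "any"
    translate_to: Optional[str]  # new source address, or None for "no NAT"


class PortForward(NamedTuple):
    dst_ip: str                  # VIP the packet arrives at
    proto: str                   # "udp" or "tcp"
    dst_port: int
    target: Tuple[str, int]      # where the packet is redirected


# Constructed topology (assumption).
TRANSIT = ipaddress.ip_network("198.51.100.0/30")   # ISP transit /30
WAN_IP = "198.51.100.2"                              # pfSense WAN address on the /30
ROUTED = ipaddress.ip_network("203.0.113.0/28")      # routed /28
VIP_FIREWALL = "203.0.113.1"                         # IP Alias VIP for pfSense itself
VIP_LAN = "203.0.113.2"                              # VIP used for LAN egress


def _in(net: str, addr: str) -> bool:
    """True when addr falls in net; "any" matches everything."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def outbound_translate(rules: List[NatRule], src: str, dst: str) -> str:
    """Return the source address a packet leaves with.  Top-down, first match
    wins; a packet that matches no rule leaves untranslated."""
    for rule in rules:
        if _in(rule.source, src) and _in(rule.destination, dst):
            return src if rule.translate_to is None else rule.translate_to
    return src


def isp_forwards(src: str) -> bool:
    """The ISP only routes packets whose source is in the routed /28; anything
    sourced from the transit /30 is dropped beyond the ISP router."""
    return ipaddress.ip_address(src) in ROUTED


def inbound_redirect(forwards: List[PortForward], dst_ip: str, proto: str,
                     dst_port: int) -> Optional[Tuple[str, int]]:
    """First matching port forward wins; None means no forward applies."""
    for fwd in forwards:
        if fwd.dst_ip == dst_ip and fwd.proto == proto and fwd.dst_port == dst_port:
            return fwd.target
    return None


# Rule table as the poster first had it: LAN is translated, the firewall's own
# traffic (WAN IP or loopback as source) matches nothing.
RULES_BEFORE = [NatRule("10.0.0.0/24", "any", VIP_LAN)]

# Same table plus the catch-all "source any" rule suggested above, placed last.
RULES_AFTER = RULES_BEFORE + [NatRule("any", "any", VIP_FIREWALL)]

# Same two rules in the wrong order: the catch-all now steals LAN traffic.
RULES_WRONG_ORDER = [NatRule("any", "any", VIP_FIREWALL)] + RULES_BEFORE

# OpenVPN bound to localhost, reached through a port forward on the VIP.
PORT_FORWARDS = [PortForward(VIP_FIREWALL, "udp", 1194, ("127.0.0.1", 1194))]


def egress_report(rules: List[NatRule], src: str, dst: str = "192.0.2.10") -> Tuple[str, bool]:
    """(translated source, whether the ISP will forward it)."""
    out = outbound_translate(rules, src, dst)
    return out, isp_forwards(out)


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER),
                         ("wrong order", RULES_WRONG_ORDER)):
        for src in ("10.0.0.5", WAN_IP, "127.0.0.1"):
            out, ok = egress_report(rules, src)
            print(f"{label:12s} {src:14s} -> {out:14s} forwarded={ok}")
    print("udp/1194 to VIP ->", inbound_redirect(PORT_FORWARDS, VIP_FIREWALL, "udp", 1194))
```

Running the block shows the failure mode the thread circles around: with the first table, LAN hosts leave as 203.0.113.2 and are forwarded, but the firewall's own packets (update checks, and replies from a service bound to the WAN address) leave sourced from 198.51.100.2 and are dropped by the ISP. Appending the catch-all fixes that, while putting it first silently rewrites LAN traffic to the firewall's VIP, which is why the ordering matters as much as the rule itself.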