Confused about ISP setup
-
So you want OpenVPN to listen on one of the VIPs?
Why not just have OpenVPN listen on your actual WAN IP, which is the IP you used in your transit /30?
but getting the traffic to route to the device itself goes nowhere.
What traffic to route to what IP... I'm a bit confused. Are you asking about something on the public internet hitting your OpenVPN server?
Not sure exactly what devices you have using these /28 IPs, but the other option is to just actually route them and put them on a network behind pfSense... Then all you need are normal firewall rules to allow stuff.
Do your other locations run stuff that needs to be open to the internet on public or RFC 1918 space?
-
Maybe I should have left the other stuff out of my initial post... I guess my real question to start with is this:
When using a transit /30, is the correct way to set things up to assign all of the /28's usable addresses as VIPs?
Am I supposed to configure the /28 on a separate interface?
-
Depends on what you're wanting to accomplish exactly. You can do it either way. You sure don't need to create all of the /28 as VIPs if you don't want to. You could just use one or two of them if that is all you currently have use for.
Or, since the /28 is actually routed to you, then yeah, you could just fire up that public /28 behind pfSense.
You could split that into two /29s and use one for VIPs and the other behind pfSense.
-
OK, thanks. I just wanted to rule out some initial configuration problems. It must be a problem with the firewall, then, as to why OpenVPN can't be reached.
It is configured to use one of the VIPs in the OpenVPN server setup, with a firewall rule to allow the traffic; it just can't be reached.
I will add that there is no internet on the transit network; it is only able to communicate with the ISP router. We have to outbound NAT to get any traffic out, so my assumption was that I would need to use the VIP for the inbound traffic to OpenVPN as well (that's how it's configured on the Palos for GlobalProtect at other sites as well).
It must just be something silly. I just wanted to make sure using VIPs wasn't the wrong approach. Thanks for the extremely quick response.
-
Ah, they are using RFC 1918 transit? OK, that makes sense as to why you cannot just listen on it.
So your other VIPs are working for your other stuff, but you're saying you just cannot connect to the OpenVPN server that is running. Did you sniff on your WAN and validate the traffic even gets to you?
What are your WAN firewall rules for OpenVPN? The wizard should have created them for you... But maybe you have something above it blocking. Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated.
-
They don't use RFC 1918 address space; they just don't allow traffic from a source IP in the /30 anywhere but internal to them. I haven't the slightest idea why they do that, but it's been the way they configure it since the beginning... we always have to be from a source IP in our block.
Yes, all of the other VIPs for SSH, HTTP(S), etc. route correctly to the device they're forwarded to. (Currently using nine to support legacy web applications that don't support SNI.)
I let the wizard add the rule; it's currently almost at the top, so there should be no rules above it conflicting. I also tried to allow SSH to hit the pfSense box from off the subnet. Everything seems to work except where the external traffic needs to hit the pfSense box itself.
I have not done any traffic inspection on the WAN side... that may be my next step.
-
You're going to have to set up pfSense to use one of its VIPs for checking for updates and packages as well then, in your outbound NAT, vs. the default WAN IP.
To be honest, if you're not going to put the /28 behind pfSense, there is little reason for it to be routed, and no use for the transit network. You could just be directly attached to the /28.
What type of VIP did you create? IP Alias, I assume. What are your outbound NATs? Did you include the loopback for your outbound NATting?
-
I did IP Alias, as you guessed. I do not think I have the loopback in the outbound NAT; I'm not right in front of the box right now to verify.
I did add outbound NAT for pfSense, and can confirm it worked because update checks seem to work and I downloaded a package successfully.
-
Yes. You can do whatever you like with the routed subnet, so it is, in general, better than having it on the WAN interface itself.
You will need an IP Alias type VIP on the firewall itself to bind listening services like the OpenVPN server to.
You could also bind the OpenVPN server to localhost and forward ip_address:1194 to 127.0.0.1:1194. In your situation that is probably what I would do.
Generally one outbound NATs to the interface address for connections from the firewall itself. You will have to choose an address for those connections. That will almost certainly also require a VIP on the firewall somewhere. It could be on Localhost. You will probably need something like an outbound NAT rule for source "any" as the last rule to catch everything that is not already translated to a different address. That is almost never a good idea, but in your case you will probably need something like it.
-
@Derelict said in Confused about ISP setup:
You could also bind the OpenVPN server to localhost and forward the ip_address:1194 to 127.0.0.1:1194. In your situation that is probably what I would do.
Doh! I don't know why I didn't think of this... it sounds perfect! I'll give that a shot tomorrow.
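For readers following Derelict's suggestion, the pf-level equivalent of the setup the thread converges on is shown below. This is an added example, not configuration posted by anyone in the thread and not the rules pfSense itself writes; pfSense generates its own ruleset from the GUI (Firewall > NAT > Outbound in Hybrid or Manual mode, Firewall > NAT > Port Forward, and the OpenVPN server's Interface set to Localhost). The interface name and all addresses are assumptions chosen from documentation ranges: em0 is the WAN, 203.0.113.2 is the pfSense side of the ISP's transit /30 (which the ISP will not accept as a source on the internet), and 198.51.100.5 and 198.51.100.6 are IP Alias VIPs from the routed /28.

```pf
# Interfaces and addresses (constructed for this example; substitute your own)
wan_if     = "em0"
lan_net    = "192.168.1.0/24"
transit_ip = "203.0.113.2"    # pfSense address on the ISP /30; unusable as an internet source
ovpn_vip   = "198.51.100.5"   # IP Alias VIP from the /28 that OpenVPN clients connect to
nat_vip    = "198.51.100.6"   # VIP used as the source for firewall- and LAN-originated traffic

# Outbound NAT. Translation rules are first-match. The loopback entry is the one
# Derelict and johnpoz mention: without it, connections the firewall makes from
# 127.0.0.1 (e.g. a service bound to localhost) would leave untranslated.
nat on $wan_if from 127.0.0.0/8  to any -> $nat_vip
nat on $wan_if from $lan_net     to any -> $nat_vip
# Catch-all for the firewall's own traffic (update checks, package downloads),
# which would otherwise be sourced from the transit /30 and dropped by the ISP.
nat on $wan_if from $transit_ip  to any -> $nat_vip

# Port forward: OpenVPN listens on 127.0.0.1:1194 and the VIP is redirected to it.
rdr on $wan_if proto udp from any to $ovpn_vip port 1194 -> 127.0.0.1 port 1194

# Filter rules are evaluated after rdr, so the pass rule must match the
# translated destination. "quick" gives the top-down, first-match-wins
# semantics pfSense applies to every rule it generates: anything above this
# line that matches UDP/1194 to the VIP (or 127.0.0.1) decides the fate first.
pass in quick on $wan_if proto udp from any to 127.0.0.1 port 1194 keep state
```

To check the same thing on a live box rather than in pf.conf, `pfctl -sn` lists the loaded NAT and rdr rules and `pfctl -sr` the filter rules in evaluation order, and `tcpdump -ni em0 udp port 1194` on the WAN answers johnpoz's first question (does the traffic reach the firewall at all) before any rule debugging starts.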