Phone not accessing the internet after rule to avoid the router VPN
-
Hi
I am new to pfSense. I have set it up as a VM in my home server. I have also set up a WLAN bridged with the LAN, and set up access to the internet through a VPN. Everything is working fine, all devices can access other LAN devices and go to the internet through the VPN.
The only issue I have is with my phone accessing the Internet avoiding the router VPN, so I do not double VPN.
My phone connects to a different VPN server on its own, as expected. Since I do not yet have a managed switch at home (it will come) I have gone for a 'ghetto' solution. I have given my phone a static IP address and I have created a rule so all the traffic coming from the phone static IP address, whose destination is not local, is assigned to the WAN gateway.
This rule is before the rule that grabs all the traffic whose destination is not local and assigns it to the VPN_WAN gateway.
(Any advice on how to do this better without VLANs is welcome, VLANs will come when I get a managed switch).
The phone always connects fine to the wifi, but when the rule is active, the phone says that it does not have access to the internet. To test, I have added the rule to the log, I have disabled it so the phone thinks the wifi has internet access, then I have enabled it again and tried to access a webpage from the phone. I can see in the logs that the rule is being triggered when I do this, so that traffic towards my phone VPN server should go through the WAN. But the phone ends up timing out without being able to establish a connection.
Any idea what could be happening? (or how to do this in a better way)
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
I can see in the logs that the rule is being triggered when I do this, so that traffic towards my phone VPN server should go through the WAN. But the phone ends up timing out without being able to establish a connection.
When you say the rule was "triggered" you are saying that the log shows that traffic was allowed to pass or was it blocked?
Without seeing your rules, DHCP settings and phone setup it's a guess....but it seems like the phone can't resolve the FQDN of the VPN's server to route it out the WAN to then establish the connection. What is your phone using for its DNS? When you can't establish the connection can you ping from the phone to 8.8.8.8? How about to www.google.com? If yes to 8.8.8.8 and no to www.google.com then it's definitely a DNS issue. If no to both then it's something in your setup.
Another way to check if it's a DNS issue is to lookup the IP of the FQDN of the VPN provider's server and enter that IP address in the phone's VPN client as the endpoint for the VPN. If it connects that way then it was a DNS issue.
-
@dma_pf said in Phone not accessing the internet after rule to avoid the router VPN:
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
I can see in the logs that the rule is being triggered when I do this, so that traffic towards my phone VPN server should go through the WAN. But the phone ends up timing out without being able to establish a connection.
When you say the rule was "triggered" you are saying that the log shows that traffic was allowed to pass or was it blocked?
Yes, the rule in the firewall is defined as pass anything with address different than local addresses coming from the specific IP of the phone and route it through the WAN gateway. This rule gets triggered, I can see it in the logs, but the phone seems to not have access to the internet. The webpage loading times out. I see nothing else in the logs being blocked.
Without seeing your rules, DHCP settings and phone setup it's a guess....but it seems like the phone can't resolve the FQDN of the VPN's server to route it out the WAN to then establish the connection. What is your phone using for its DNS? When you can't establish the connection can you ping from the phone to 8.8.8.8? How about to www.google.com? If yes to 8.8.8.8 and no to www.google.com then it's definitely a DNS issue. If no to both then it's something in your setup.
Another way to check if it's a DNS issue is to lookup the IP of the FQDN of the VPN provider's server and enter that IP address in the phone's VPN client as the endpoint for the VPN. If it connects that way then it was a DNS issue.
I doubt it is the DNS. pfSense is running the DNS resolver and it works fine. Laptop and another phone connect to the WIFI and get the pfSense DNS resolver from the DHCP server and are able to resolve fine and connect to the internet fine. Even the same phone connects well when that rule is disabled, without and with its own VPN. Plus, when the pass rule gets triggered I can see the IP of the phone asking to connect to an internet IP. It could not do that without the IP being resolved. So I highly doubt it is the DNS.
I am lost as to why this could be happening. The funny thing is that the next rule, the immediate next rule, is very similar and works fine: it says that anything coming from the LAN network with destination an IP that is not local should pass and be routed through the VPN_WAN. This is how I route the rest of the traffic through the VPN. But the previous one, which is the same rule, just specifying that the origin is only the IP address of the phone and the gateway is the WAN, gets triggered but blocks the phone.
-
@dicmo Can you please post a screen shot of the firewall rules that you have set up? Also, can the phone connect to the VPN server and access the internet via the VPN server over cellular networks?
-
@dma_pf The phone can connect to the VPN all the ways except when that rule is active. It can connect to the VPN through the cellular network, it can connect to the VPN through the WIFI (without the rule active) which I am guessing is double VPN'ing (have not traceroute'd it). The only time the phone can not connect is when the rule is active (and I know it gets triggered because I have added the rule to the log and I see it in the logs).
This is the screenshot of the rules of the LAN (there are no more rules after what you see in the screenshot):
LAN is a bridge that bridges ELAN (Ethernet LAN) and WLAN (Wifi LAN), the others I think are obvious, but I will answer and try anything. Thanks for your time.
-
@dicmo try inverting these 2 rules
then on this rule
Change the Source to the IP Address of the phone and change the destination to Any. Let me know if that works. Also, what is in the alias Local_Networks?
-
Local_Networks is 10.10.10.0/24 (IPs of the LAN) and 192.168.1.0/24 (these are the IPs of the ISP router and the NIC that connects the pfSense to the ISP router). The really important addresses are 10.10.10.0/24.
Not sure how making those changes would help. Can you explain?
EDIT:
I think it will help if I describe the network a bit.
Internet --- ISP Router (192.168.1.1) ----- (192.168.1.102) pfSense router (10.10.10.1) ---- LAN network with phone @10.10.10.200 .
Hope that helps. Anything else please ask.
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
Not sure how making those changes would help. Can you explain?
Sure. If you look at this rule
It's saying that any Traffic on the LAN interface that is coming from a LAN Address (10.10.10.0/24) and is headed to any address other than 192.168.1.0/24 or 10.10.10.0/24 should be allowed into the firewall and routed out the VPN. This would also include the phone (10.10.10.200) as it is part of the LAN (10.10.10.0/24). So when your phone hits that rule it will always policy route out to the VPN gateway if the destination is anything other than a 10.10.10.0/24 or 192.168.1.0/24 address.
Note that on this rule (below) there are 0 States Open and 0 Traffic hitting the rule (0/0 B). That clearly shows that nothing is hitting the rule.
Using the same logic as we did on the previous rule, the rule above is saying that any Traffic on the LAN interface that is coming from a LAN Address (10.10.10.0/24) and is headed only to 192.168.1.1 should be allowed into the firewall and routed out the WAN. Your phone would therefore never get to the internet (including to the VPN endpoint) using this rule as any internet address (Destination) would be something other than 192.168.1.1. In pfSense rules are evaluated from the top down. Once a rule applies that's it, nothing below will be evaluated. So, by inverting the rules, and only having the phone's IP address as the Source in this rule, and Any as the Destination, only your phone will go out the WAN and nothing else. Then the other rule will policy route everything else out the VPN.
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
192.168.1.0/24 (these are the ips of the ISP router and the NIC that connects the pfSense to the ISP router)
I'm curious, why does the ISP router assign a 192.168.1.0/24 address? Can't it be put in bridge mode so the WAN address of pfSense is the IP assigned by your ISP?
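The top-down, first-match evaluation discussed in this thread is easy to get wrong when one rule uses an inverted alias ("!Local_Networks") and another sits below it. The following is an added example, not code from the thread or from pfSense: a small Python model of the three LAN rules as dicmo describes them (phone rule with PhoneStaticIP 10.10.10.200 and destination !Local_Networks to WAN, the LAN-wide !Local_Networks rule to VPN_WAN, and the 192.168.1.1 rule to WAN). The alias contents are the ones posted above; the rule descriptions, the alias names "LAN net" and "ISP_Router", and the 203.0.113.5 endpoint are constructed stand-ins. It models only which rule a packet matches and which gateway it is handed to; it says nothing about whether the reply path through NAT works, which is the part that was actually failing here.

```python
import ipaddress
from dataclasses import dataclass

# Aliases as posted in the thread (Local_Networks, PhoneStaticIP = 10.10.10.200).
# "LAN net" and "ISP_Router" are labels chosen for this example.
ALIASES = {
    "Local_Networks": ["10.10.10.0/24", "192.168.1.0/24"],
    "LAN net": ["10.10.10.0/24"],
    "PhoneStaticIP": ["10.10.10.200/32"],
    "ISP_Router": ["192.168.1.1/32"],
}


@dataclass
class Rule:
    description: str
    source: str        # alias name
    destination: str   # alias name, a leading "!" means pfSense's "invert match"
    gateway: str       # policy-routing gateway: "WAN" or "VPN_WAN"
    enabled: bool = True


def address_in_alias(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """True if addr is covered by the alias; a leading '!' inverts the result."""
    negate = spec.startswith("!")
    networks = [ipaddress.ip_network(n) for n in ALIASES[spec.lstrip("!")]]
    hit = any(addr in net for net in networks)
    return hit != negate


def policy_route(rules, src: str, dst: str):
    """First enabled rule that matches both source and destination wins
    (top-down evaluation, as on the pfSense LAN tab). Returns
    (description, gateway); a packet that matches nothing hits the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not rule.enabled:
            continue
        if address_in_alias(rule.source, s) and address_in_alias(rule.destination, d):
            return rule.description, rule.gateway
    return "default deny", None


def lan_rules(phone_rule_enabled: bool):
    """The three LAN rules from the thread, in the order dicmo keeps them."""
    return [
        Rule("LAN: Phone avoid double VPN", "PhoneStaticIP", "!Local_Networks", "WAN",
             enabled=phone_rule_enabled),
        Rule("LAN: everything else via VPN", "LAN net", "!Local_Networks", "VPN_WAN"),
        Rule("LAN: reach ISP router", "LAN net", "ISP_Router", "WAN"),
    ]


if __name__ == "__main__":
    # 203.0.113.5 is a constructed (TEST-NET-3) stand-in for the phone's VPN endpoint.
    flows = [("10.10.10.200", "203.0.113.5"),   # phone -> its own VPN server
             ("10.10.10.50", "203.0.113.5"),    # laptop -> same address
             ("10.10.10.200", "192.168.1.1")]   # phone -> ISP router GUI
    for enabled in (True, False):
        rules = lan_rules(enabled)
        print(f"phone rule enabled={enabled}")
        for src, dst in flows:
            print(f"  {src} -> {dst}: {policy_route(rules, src, dst)}")
```

Running it shows why the bottom rule never sees internet traffic (the VPN_WAN rule above it already matched) and why a destination of 192.168.1.1, which is inside Local_Networks, falls past both inverted rules and reaches the ISP-router rule. Toggling the phone rule flips the phone's gateway between WAN and VPN_WAN without affecting other LAN hosts.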
-
@dma_pf said in Phone not accessing the internet after rule to avoid the router VPN:
I'm curious, why does the ISP router assign a 192.168.1.0/24 address? Can't it be put in bridge mode so the WAN address of pfSense is the IP assigned by your ISP?
I have to put the ISP router in bridge mode, I just have not gotten around to. I am still setting up the whole system. But you are right, it should be.
As for the rules, I think you misread. The rule that is supposed to send the traffic from the phone to the WAN instead of the VPN_WAN is disabled in the screenshot I posted and it is before the rule that sends all the internet traffic to the VPN_WAN. If you check, the disabled rule says source PhoneStaticIP, destination !Local_Networks and the description says LAN: Phone avoid double VPN. I have it disabled because otherwise the phone can not access the Internet when connected to the wifi. But if I activate it, it gets triggered when the phone tries to connect to the internet.
The last rule before the default reject rules, the one you are asking me to put on top, only redirects the traffic from LAN to the ISP router (destination 192.168.1.1, probably should make it an alias) through the WAN so a LAN can access the ISP router, although my ISP router does not like it and refuses the connection, my guess is because it does not come from the same local address as the ISP router.
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
As for the rules, I think you misread
Oh brother! I did miss that disabled rule. Sorry about that. Nonetheless, that disabled rule should accomplish what I outlined above. I'm wondering if this could be a NAT issue, especially since pfsense is sending packets out the WAN with RFC1918. Mind posting your NAT rules?
-
@dma_pf said in Phone not accessing the internet after rule to avoid the router VPN:
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
I'm wondering if this could be a NAT issue, especially since pfsense is sending packets out the WAN with RFC1918. Mind posting your NAT rules?
Actually yeah, the rule to access the ISP router should work too as the NAT should be changing the address and the ISP router should be seeing the 192.168.1.102 address. I assumed it was the ISP router rejecting it, but it seems that both rules that have the WAN as gateway are getting triggered but they do not get a response back or something else, the connection through there just does not work. So it is probable that the router rule and the phone rule both suffer from the same problem.
This is the NAT:
-
@dicmo I really think this is a Double NAT issue. pfSense is NATing traffic that is then being NATed again by the router. Somewhere in that process the routing is getting lost. Unfortunately, I have no experience working on that issue so my help is limited here.
I think the easiest thing to do is set the router to bridge mode....probably just the flick a switch. This will put all of the routing on pfsense which is certain to be more robust than on a commercial router. At that point your NAT rules should work.
If that's not an option you might want to check the pfSense docs here. There's also a pfSense Hangout that might be useful here. Then of course there's always searching around these forums and google for "Double NAT".
I'm sorry I can't shed more light on fixing the issue but please let me know how you resolve it. I'm really curious to know what fixes the issue.
-
@dma_pf hey, thanks for taking the time to look into this. At least, it gives me confidence that my rules make some sense. Since I am new to pfSense I was not so sure.
I will set the ISP Router in bridge mode in the next days, as I am busy right now trying to fix a couple other issues in the new system, and setting it in bridge mode was in the TODO list anyway. When I do I will report back. Hopefully it solves the issue, but what makes me not very hopeful is that accessing the ISP router was not working either and that is only one NAT. We will see. Again, thanks for your time.
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
Hopefully it solves the issue, but what makes me not very hopeful is that accessing the ISP router was not working either and that is only one NAT.
Double NAT to the web is a different issue than the router issue. Here's how to access the router correctly:
https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html
-
@dma_pf ok, so I am ready to set access to the router and set the router in bridge mode, but I have some doubts that I was hoping you could resolve before I do.
First, I have read the instructions of the last link you have posted, but the issue is that I do not have a PPPOE interface. The interface talking with the ISP router is defined as a normal WAN. So I can not create another interface to do the NAT to the ISP router like the link says.
Also, I am wondering if I need to set up a PPPOE interface to put the router in bridge mode. I have been reading quite a bit on the internet and I can not fully understand how the bridge mode works. From what I understand the ISP modem will keep having the 192.168.1.1 address (some people say there is a need to change it, others do not), and the pfsense interface facing the ISP router has to be listening for the DHCP server of the ISP (not from the ISP router in my house, from the ISP server) to assign an internet IP just like it would assign to the ISP router when not in bridge mode. Set up this way, the ISP router will just pass all the traffic with the internet IPs from the ISP server to the pfSense router, and will only react when it sees a packet for 192.168.1.1.
Can you please correct the misunderstandings that I might have and clarify the process? Thank you.
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
The interface talking with the ISP router is defined as a normal WAN. So I can not create another interface to do the NAT to the ISP router like the link says.
Sorry about that. You'll have to create a VLAN first, then assign that VLAN to the same interface as the WAN. Then you can set the NAT Rules. Like this:
That should let you access the router's GUI.
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
For what I understand the ISP modem will keep having the 192.168.1.1 address (some people say there is a need to change it, others do not), and the pfsense interface facing the ISP router has to be listening for the DHCP server of the ISP (not from the ISP router in my house, from the ISP server) to assign an internet IP just like it would assign to the ISP router when not in bridge mode. Set up this way, the ISP router will just pass all the traffic with the internet IP's from the ISP server to the pfSense router, and only will react when he sees a packet for
The way the router is working now is like this:
ISP -> assigns WAN IP Address To Router -> Router uses DHCP to assign IP addresses to clients -> Pfsense (acting as a client to the router) receives an IP (not the WAN IP) from the router's DHCP server and binds it to the WAN Interface. Pfsense then uses its DHCP to assign different IP addresses to its clients.
In bridge mode the router works like this:
ISP -> assigns WAN IP Address To Router -> Router passes along the WAN IP Address to pfsense, which then binds it to the WAN Interface. Pfsense then uses its DHCP to assign a different IP address to its clients.
As you can see above, in bridge mode the router is passive. It's just letting the ISP forward the WAN IP address to pfsense, which then does all of the DHCP assignments and routing for the internal networks. The internal networks then get routed out the pfsense WAN to the router, which passively (No NAT) sends it out to the ISP.
Depending on the protocol used by the ISP, routers can connect to the ISP in different ways. In bridge mode you will have to match that protocol in the WAN interface settings in pfsense by selecting the correct "IPv4 Configuration Type":
-
@dma_pf Ok, great. Thanks again.
One thing that is confusing me is, in bridge mode, if the ISP Router does not have its own IP, how can you access its web configuration page?
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
One thing that is confusing me is, in bridge mode, if the ISP Router does not have its own IP, how can you access its web configuration page?
The router should have a default IP Address for the GUI from the manufacturer. If the ISP provides the router you should be able to find that info on the ISP's website. If not try googling for it. If it's not provided by the ISP google the make and model of the router.
If you want to take a wild stab at it try 192.168.1.1 ... it's handing out 192.168.1.0/24 addresses so it is most likely in that network (192.168.1.1 to 192.168.1.254)
-
@dma_pf No, that is not the question. I can access the ISP router webconfigurator at 192.168.1.1 right now (if I am on its network obviously) and if I remember correctly the configuration allows to select the ISP router IP.
My doubt comes from this: when you put the router in bridge mode, you explain that the ISP gives an Internet IP to the ISP router and the router then passes that IP to the pfSense router. So the WAN interface of the pfSense has that IP. In that situation, which IP will I be able to use to access the webconfigurator of the ISP router?
-
@dicmo said in Phone not accessing the internet after rule to avoid the router VPN:
My doubt comes from this: when you put the router in bridge mode, you explain that the ISP gives an Internet IP to the ISP router and the router then passes that IP to the pfSense router. So the WAN interface of the pfSense has that IP. In that situation, which IP will I be able to use to access the webconfigurator of the ISP router?
As I mentioned in my previous post, you'll access the router's GUI by the default IP address of the router provided by the manufacturer. Now, that assumes that the router is in its default state. If you've changed that IP network yourself and have selected to use the 192.168.1.0/24 network (and it is not the default network) then I'm not quite sure. At that point it would be a matter of whether or not the router will revert back to the default GUI IP address, or if the one you have selected (192.168.1.1) will "stick", when you select bridge mode.
In either case, you'll need to go through the steps I posted above to add another interface to have access to the GUI. The only difference being which network you'll be using for the static IP address in the Interface's settings in pfsense. (see bottom of picture)
The static IPv4 IP address has to be in the same network as the GUI network, but not the same IP address as the GUI. So for example, if the GUI is 192.168.1.1, the static needs to be between 192.168.1.2 and 192.168.1.254 (your pick!).