Routing OpenVPN to LAN
-
@jarhead said in Routing OpenVPN to LAN:
@irondog
Change the wifi router to be an access point only.
If it doesn't have an AP mode, just turn off the dhcp server, set the IP to an unused IP on the pfSense LAN, and plug it into one of the switchports (might be labeled LAN) instead of the internet port (might be labeled WAN). <- This is all done on the wifi router.
Hi, I have tried to do as suggested (wifi router has been moved to AP mode, connected pfSense and wifi router with a LAN port instead of WAN) however this was not successful, the wifi router didn't get any access to the internet from the pfSense resulting in a useless system. I had to restore everything. I suspect there is some sort of DHCP conflict.
As of now, the ISP router has its own DHCP activated, pfSense also (I suppose), what is the right configuration to make it functioning? thanks!
@irondog Ok, as I read it you have pfsense set up pretty much default in this regard, which means DHCP is active.
1. Connected to your pfsense, log in and go to Services > DHCP Server and look for the item called Range.
Check that it reads something like 192.168.1.100 and 192.168.1.199
This means that you can use anything outside of that range for any devices that you want to have a Static IP (like your wifirouter).
2. Now connect to and log in to your wifirouter (what model is it btw?), and find the basic Network settings where you see the IP address you used in the web browser to log in.
2.1 First, check again to make sure the DHCP Server is turned off. It should be greyed out or empty. If not turn it off...
2.2 Now change the IP address of the router to 192.168.1.10 or something where the last number is unique and not 1 since that is owned by pfsense now. Click save and the router will likely reboot automatically.
3. Make sure the LAN cable goes from pfsense LAN > wifi router LAN (not WAN). And connect your PC to any of the other LAN ports on the wifi router. To simplify things, you could place a switch in between so you don't have to move cables around. Connect pfsense LAN > switch and then connect both your PC and wifi router (LAN port) to that switch.
4. You should now be able to log in to pfsense using 192.168.1.1 AND to your wifi router on 192.168.1.10.
-
-
@irondog said in Routing OpenVPN to LAN:
@jarhead said in Routing OpenVPN to LAN:
@irondog
Change the wifi router to be an access point only.
If it doesn't have an AP mode, just turn off the dhcp server, set the IP to an unused IP on the pfSense LAN, and plug it into one of the switchports (might be labeled LAN) instead of the internet port (might be labeled WAN). <- This is all done on the wifi router.
Hi, I have tried to do as suggested (wifi router has been moved to AP mode, connected pfSense and wifi router with a LAN port instead of WAN) however this was not successful, the wifi router didn't get any access to the internet from the pfSense resulting in a useless system. I had to restore everything. I suspect there is some sort of DHCP conflict.
As of now, the ISP router has its own DHCP activated, pfSense also (I suppose), what is the right configuration to make it functioning? thanks!
So you are back on the setup of your initial post, I assume.
To make things easy, simply add a static route to pfSense for the network behind the wifi router.
Go to System > Routing > Gateways and add a new gateway. Select LAN interface, state a name of your choice and enter the wifi router's WAN IP. Save it.
Go to the Static Routes tab, add a new one. At network enter 192.168.0.0/24 (wifi subnet) and select the gateway you have added in the step above, state a description and save it.
Your wifi devices should be reachable from the VPN then (from the point of pfSense).
But consider that you may have to allow the access also on the wifi router (other than in AP mode) and that the devices may block access from outside. So you will have to allow the access on the wifi devices as well or configure masquerading on the wifi router.
-
@viragomann said in Routing OpenVPN to LAN:
So you are back on the setup of your initial post, I assume.
To make things easy, simply add a static route to pfSense for the network behind the wifi router.
Go to System > Routing > Gateways and add a new gateway. Select LAN interface, state a name of your choice and enter the wifi router's WAN IP. Save it.
Go to the Static Routes tab, add a new one. At network enter 192.168.0.0/24 (wifi subnet) and select the gateway you have added in the step above, state a description and save it.
Your wifi devices should be reachable from the VPN then (from the point of pfSense).
But consider that you may have to allow the access also on the wifi router (other than in AP mode) and that the devices may block access from outside. So you will have to allow the access on the wifi devices as well or configure masquerading on the wifi router.
I don't think that is the issue. The first post clearly indicates that the VPN tunnel works as expected, since the 192.168.1.0/24 network (pfsense) is available. The issue is that the wifi-router was connected (as a router) via its WAN port, to that same network. There is no way to get through that way.
So the suggestion is to make the wifi-router into a simple AP, only using its switching and wifi capabilities.
@gblenn
No, in his first post, which I referred to, he mentioned, the wifi is connected to pfSense LAN.
Anyway, also if the wifi was connected to WAN it would be possible. Same way, but masquerading on pfSense would be necessary.
But yeah, I agree that setting the wifi into AP mode is best practice to achieve what he intends, but sadly he obviously has trouble setting that up properly.
-
@gblenn said in Routing OpenVPN to LAN:
So the suggestion is to make the wifi-router into a simple AP, only using its switching and wifi capabilities.
as he described in his 1st post
A wifi router is connected to the pfSense LAN interface to which all the home devices are connected in.
the suggestion is TRUE: turn that "wifi router" into a dumb access point served by everything on the IP side needed by pfS (DNS / Gateway / NTP / IP /) and let everything else handle pfS for the clients (dhcp / DNS )
-
@viragomann said in Routing OpenVPN to LAN:
@gblenn
No, in his first post, which I referred to, he mentioned, the wifi is connected to pfSense LAN.
Anyway, also if the wifi was connected to WAN it would be possible. Same way, but masquerading on pfSense would be necessary.
But yeah, I agree that setting the wifi into AP mode is best practice to achieve what he intends, but sadly he obviously has trouble setting that up properly.
Precisely, the wifi-router is and should be connected to pfsense LAN. I suppose the whole idea with pfsense here, was to take that step up in the world, away from a simple wifi-router...
BUT the cable shouldn't go to the wifi-router's WAN port, it should go into the LAN port. Just that DHCP needs to be disabled on the wifi-router and the LAN IP needs to be changed on it as well.
-
yep should do the trick ...
set wifi thing (the router) to dhcp and disable router function
turn dhcp on pfS on
cable from lan pfS to lan wifi thing (if there is no LAN port use WAN but disable router function first)
@gblenn said in Routing OpenVPN to LAN:
@irondog Ok, as I read it you have pfsense set up pretty much default in this regard, which means DHCP is active.
1. Connected to your pfsense, log in and go to Services > DHCP Server and look for the item called Range.
Check that it reads something like 192.168.1.100 and 192.168.1.199
This means that you can use anything outside of that range for any devices that you want to have a Static IP (like your wifirouter).
2. Now connect to and log in to your wifirouter (what model is it btw?), and find the basic Network settings where you see the IP address you used in the web browser to log in.
2.1 First, check again to make sure the DHCP Server is turned off. It should be greyed out or empty. If not turn it off...
2.2 Now change the IP address of the router to 192.168.1.10 or something where the last number is unique and not 1 since that is owned by pfsense now. Click save and the router will likely reboot automatically.
3. Make sure the LAN cable goes from pfsense LAN > wifi router LAN (not WAN). And connect your PC to any of the other LAN ports on the wifi router. To simplify things, you could place a switch in between so you don't have to move cables around. Connect pfsense LAN > switch and then connect both your PC and wifi router (LAN port) to that switch.
4. You should now be able to log in to pfsense using 192.168.1.1 AND to your wifi router on 192.168.1.10.
Thanks, I will try this evening. What about the ISP modem router? It also has DHCP.... wifi router is the TP LINK AX50. Thanks again!
-
-
ISP Modem delivers dhcp to your pfS wan interface
Do not use the same IP address range on your LAN pfS interface
Worst case you got 2x NAT for starters but everything will work out of the box
-
@irondog If the ISP modem has the ability to do "bridging" then I suggest you set it up like that. This means that it will simply pass thru the WAN to one (probably specific) LAN port. Check the manual for that, but that would be your best option.
Alternatively, as @noplan said, set a different IP (192.168.10.1) on it, so that the WAN on pfsense is different. The next thing could be to make sure pfsense is getting a Static IP (also set in the ISP device). Finally, find a setting under NAT, Security or Firewall which is called DMZ and set the IP to point at pfsense. This will open up the ISP router so it interferes as little as possible.
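
The addressing rules given in the posts above (access point address on the pfSense LAN, outside the DHCP range and not .1; ISP-side subnet different from the pfSense LAN) can be checked before any device is reconfigured. This is an added example, not part of any forum post; the function name `check_plan` and its problem labels are assumptions, and the sample plans are constructed from the addresses mentioned in the thread.

```python
import ipaddress

def check_plan(lan_cidr, pfsense_ip, pool_start, pool_end, ap_ip, wan_cidr):
    """Return a list of problem labels for an IPv4 addressing plan ([] = OK).

    check_plan and its labels are hypothetical names for this example.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    gw, ap = ipaddress.ip_address(pfsense_ip), ipaddress.ip_address(ap_ip)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []

    # The DHCP range must be a real range inside the pfSense LAN.
    if start > end or start not in lan or end not in lan:
        problems.append("dhcp-pool-invalid")
    # The access point needs a usable host address on the pfSense LAN.
    if ap not in lan or ap in (lan.network_address, lan.broadcast_address):
        problems.append("ap-outside-lan")
    # The pfSense LAN address (.1 in the thread) is already taken.
    if ap == gw:
        problems.append("ap-equals-pfsense")
    # A static address inside the pool can be handed out a second time.
    if start <= ap <= end:
        problems.append("ap-in-dhcp-pool")
    # The ISP modem side (pfSense WAN) must not share the LAN range.
    if lan.overlaps(wan):
        problems.append("wan-overlaps-lan")
    return problems

# Constructed sample plans using the addresses mentioned in the thread.
GOOD = ("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.199",
        "192.168.1.10", "192.168.10.0/24")
BAD = ("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.199",
       "192.168.1.150", "192.168.1.0/24")

if __name__ == "__main__":
    print("good plan:", check_plan(*GOOD))
    print("bad plan: ", check_plan(*BAD))
```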
-
@irondog said in Routing OpenVPN to LAN:
wifi router is the TP LINK AX50. Thanks again!
First, to disable the DHCP server go to Advanced > Network > DHCP and uncheck the box
Second, to change the IP on the LAN side, go to Advanced > Network > LAN
Type in the IP as in my instructions and click Save. That should do it...
@gblenn thanks will try during the weekend and let you know!
-
Dear all, tried this weekend and everything is working perfectly!
The only thing that was not working correctly was the pfSense WAN IPv4 configuration type, which for some reason was set to none (I had no internet from the wifi router LAN), but I figured out by myself how to fix it by putting DHCP.
Thanks everyone for the help, very much appreciated!
cool !
-
Hi guys, one thing I noticed (maybe was present also on the previous setup but I did not notice) is that the new configuration takes some time to start loading the webpages (any webpage) and then it is super fast to present the content as usual (I have a 2.5G fiber). My little network understanding is that this delay can be caused by the DNS resolving the IP not in the right way. How can I check if this is the case and what is the best configuration of the DNS in my setup? My pfSense is basically stock... thanks!
-
@irondog As default, pfsense is using the resolver, under Services > DNS Resolver. It makes its requests towards root servers which will likely be slower than using e.g. google or cloudflare's DNS servers.
If that is a concern, or you want to use DNS Servers which provide safeguards against malicious sites or block certain site categories, you need to change it to use forwarder mode. There's a tick box under DNS Resolver where you activate this. The servers it will then use are the ones you list under System > General Setup > DNS Servers.
-
@irondog said in Routing OpenVPN to LAN:
DNS in my setup
please open another topic !
gonna be a lot of people to help you out with dns issues
br NP