Cannot connect with RDP via openVPN

johnpoz · Sep 15, 2023, 1:24 PM

@IrixOS looks like your actual internet is down, ie your wan_pppoe so not sure how internet would work??

And your default gateway for pfsense is your LAN, so its pointing to the switch to go anywhere.. So not sure how that would work either.

IrixOS · Sep 15, 2023, 1:27 PM

@johnpoz I know that. When I connect my PC straight with the pfsense with a slash 30, I can access the net even despite of the red mark. How can that be?

johnpoz · Sep 15, 2023, 3:41 PM

@IrixOS not sure - it is possible to set interface to be up even when the monitoring says its down.

But looking at what you posted those 2 things jumped out at me, your default gateway is set to the gateway you setup for the lan.. That can be problematic, and monitoring is showing your pppoe connection is down..

So when you created the route to this downstream network, that should of auto updated the acls for unbound. But it might need to be restarted for those to talk effect. or you would want to create your own acl listing.. You can view what unbound has for acls here

[23.05.1-RELEASE][root@sg4860.local.lan]/: cat /var/unbound/access_lists.conf 
#snoop
access-control: 2001:470:snipped:9::/64 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
access-control: 127.0.0.0/8 allow_snoop
access-control: ::1/128 allow_snoop
access-control: 172.16.0.0/12 allow_snoop
access-control: 10.0.0.0/8 allow_snoop
[23.05.1-RELEASE][root@sg4860.local.lan]/:

Just do a simple dns query to pfsense IP using your fav dns tool..

user@i9-win:~$ dig @192.168.9.253 google.com

; <<>> DiG 9.18.18-1+ubuntu22.04.1+isc+1-Ubuntu <<>> @192.168.9.253 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33568
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             594     IN      A       142.250.191.238

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253) (UDP)
;; WHEN: Fri Sep 15 10:38:26 CDT 2023
;; MSG SIZE  rcvd: 55

user@i9-win:~$ nslookup
> server 192.168.9.253
Default server: 192.168.9.253
Address: 192.168.9.253#53
> www.google.com
Server:         192.168.9.253
Address:        192.168.9.253#53

Non-authoritative answer:
Name:   www.google.com
Address: 142.250.190.100
Name:   www.google.com
Address: 2607:f8b0:4009:80b::2004

user@i9-win:~$ host www.google.com 192.168.9.253
Using domain server:
Name: 192.168.9.253
Address: 192.168.9.253#53
Aliases:

www.google.com has address 142.250.190.100
www.google.com has IPv6 address 2607:f8b0:4009:80b::2004
user@i9-win:~$

IrixOS · Dec 30, 2023, 3:41 AM

@johnpoz

I am configuring and refitting my network with new hardware to avoid all previous problems,
Got a chinese Micro Firewall and is running pfsense+ and a bunch of 1Gb and 10Gb cisco material.
No I struggle with a new problem.

I'm having a problem, I followed the NetGate manual in setting up interfaces in a lagg configuration and the 'Migrate LAN to a LAGG' section.

It says:

Navigate to Interfaces > Assignments, change the assignment of LAN to the newly created LAGG interface (lagg0)

Click Save

From then on things go wrong.

As soon as I tap 'Save', I lose my connection to the LAN interface.

There is a similar post from someone who has the same problem, but it appears that the topic is seriously deviated from, so the solution is not clear.

So,

I have a link 10.216.64.16/30 between the laptop and the LAN interface of pfsense currently.
And two links connected between the switch and two other ports on the pfsense Micro firewall.
LACP is configured correctly on the switch side,etherchannel is up and blinking. I can ping the etherchannel ip from the switch 10.216.64.21 to 10.216.64.22 but that doesn't mean that NAT is working over the port channel, unless I can unite the LAN and LAGG ports, that's what the manual says you have to do.

igc1 -> LAN 10.216.64.18
igc2,3 -> lagg0 and put it into OPT and configured an ip 10.216.64.21/30

So have two links, the LAN (10.216.64.17/30-10.216.64.18/30) and the LAGG (10.216.64.21/30-10.216.64.22/30)
The above from the handbook does not work.
How do I connect igc1 with igc2,igc3 without losing connection and how can I be sure that the data flow comes over both the LAN interface and the lagg ports?

I would like to have those lagg ports and the LAN port over 1 Layer 3 port-channel.
And then with static routing over the Layer 3 port-channel, I can transit to the cisco internal network.

I posted my question on this forum and waited a couple of days to see if there is a reaction. No one seems to answer.
Other than a few paragraphs in the manual regarding lagg, there isn't much info available.

Can you help me?

johnpoz · Dec 30, 2023, 3:49 AM

@IrixOS said in Cannot connect with RDP via openVPN:

followed the NetGate manual in setting up interfaces in a lagg configuration and the 'Migrate LAN to a LAGG' section.

But you missed the big warning at the top of the page?

https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html#warnings-precautions

It is best to perform this change from an interface that is not involved, such as a secondary LAN, DMZ, OPT port, perhaps WAN or VPN.

I would connect to pfsense on some other interface that your not playing with.. And also connection to the switch that is not via the ports your going to be working with.. Make sure they all come up how you want, etc.

You can for sure run multiple vlans over the lag.. But you need to get it up first before you start doing anything with multiple vlans on it, etc..

IrixOS · Dec 30, 2023, 4:01 AM

@johnpoz

How can I have secondary LAN other than existing one?

The LAGG is currently configured into OPT with an IP 10.216.64.21/30, the port channel works, can ping but I don't know yet if it connects to the internet over the portchannel.

Can you explain further what I must do?

Thank you,

johnpoz · Dec 30, 2023, 4:08 AM

@IrixOS use another interface.. that your not going to put into the lagg.. Are you saying you only have 2 interfaces and you want both of them in the lagg?

As to secondary lan? I have 6 different interfaces I could config it from.. How many interfaces does the device your running pfsense have? Or as mentioned as well come in from the wan interface if you don't have any other lan side interfaces that you don't want in the lagg.

IrixOS · Dec 30, 2023, 1:40 PM

@johnpoz

igc0 -> WAN (ppoe)
igc1-> LAN (10.216.64.16/30 subnet)
igc2,igc3 -> LAGG

johnpoz · Dec 30, 2023, 1:40 PM

@IrixOS so connect on your wan igc0 ? This isn't rocket science..

IrixOS · Dec 30, 2023, 1:53 PM

@johnpoz

Yes? Why?

I know this is not rocket science, the manual says, shuffle around and I did that and it didn't work. First the speak of a free port, then they come up with the LAN interface who is already assigned,...
I want to get over with this, because the most interesting part is yet to come, that is the internal cisco traffic and programming.
There is still over 10 cisco port channels to configure, it is straightforward, but that pfsense stuff is not painless.

Yes, igc0 is the WAN port connected with a VDSL2 modem in bridged mode.

I tried to find what you mentioned another LAN, couldn't find or how to create it.

I want the port channel to get working first.

Can you say exactly what I must do?

johnpoz · Dec 30, 2023, 2:02 PM

@IrixOS connect via your wan interface.. Setup your lagg how you want it, validate its working.. Then reconnect your wan to your internet connection..

If you want put a switch between your wan and your isp device.. Put your laptop on some IP your wan is on.. etc..

Another option, add another nic - if you have no slots for one - use a usb nic, use that to connect to pfsense so you can setup your lagg..

IrixOS · Dec 30, 2023, 2:08 PM

@johnpoz

The ip addressing is not correct but that's not the problem.

Have look at L3 PO2 near the pfsense router, assume one link of the four is the LAN link /30 subnet (10.216.64.17) on the switch and 10.216.64.18 is the interface, the LAN of the pfsense router. (The schema respresents 4 links, in reality it is three, because one is for the WAN connection to the modem so minus -1 is three, well I want all of three (includes the LAN) or at least two links to be part of the lagg0.

johnpoz · Dec 30, 2023, 2:11 PM

@IrixOS none of your routing or how crazy your network is makes any matter..

Connect into the pfsense box on an interface your not putting into the lagg.. Make sure your lagg is up, put your networks you want over lagg on the lagg.. If you need to add an interface, even if usbnic to set it up.. Then do that..

Not sure what else to tell you? But trying to setup a lagg on an interface your wanting to add to the lagg could be problematic if your lagg isn't coming up.. So use another interface.. Either come in over your wan, you might have to take down the wan for internet while you do that, or just use another interface.. If you don't have one - then add one..

JonathanLee · Dec 31, 2023, 2:12 AM

@IrixOS this has your certificate listed you should delete the post with the SSL certificate information that can be copied and pasted into something

johnpoz · Dec 31, 2023, 2:17 AM

@JonathanLee you mean the ones I already snipped big chunks out already, see where it says <snipped by mod> to make that info useless.

JonathanLee · Dec 31, 2023, 2:25 AM

In this discussion post please blank this out, it is the ssl certificate, bad guys can manually copy that info.

@IrixOS said in Cannot connect with RDP via openVPN:

@marvosa

persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
remote rshafw000000001.ddns.net 1194 udp
verify-x509-name "www.rsha.de" name
auth-user-pass
remote-cert-tls server
compress lz4-v2

<ca>
-----BEGIN CERTIFICATE---
Blank this out for please
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blank this out please
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY——-
blank this out please
-----END PRIVATE KEY-----
</key>
<tls-auth>

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
blank this out please
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

johnpoz · Dec 31, 2023, 2:26 AM

@JonathanLee dude I rendered that info useless when he first posted it.. I snipped out big chunks of the data.. All that is there now is what amounts to random characters.

JonathanLee · Dec 31, 2023, 2:30 AM

@johnpoz I didn't notice, I just saw SSL cert and I thought Nooooooooooooooooo don't post it

IrixOS · Dec 31, 2023, 4:16 AM

@JonathanLee

yeah, I have already been criticized for that, I don't think they are no valid no more, got a new box, what do you think? I will delete them later on.

IrixOS · Dec 31, 2023, 5:18 AM

@johnpoz

I think I know what you mean, I have four ports in total, one for WAN, one for LAN and two free ports that I want to add to LAN in lagg, but there is no more port free, because I want all three to be part of the lagg so the manual says you can do it via VPN, so you have to configure the internal kitchen from the outside?
That's the most stupid thing I ever heard in my entire life.