Netgate Discussion Forum

Newbie pfSense user - configuration using DMZ

General pfSense Questions
  • ydderf2426, Sep 10, 2024, 11:46 PM (last edited Sep 10, 2024, 11:55 PM)

    Hi all, hope you are fine.

    I have been working with pfSense since last week, trying to make it work using a DMZ IP on the WAN interface.

    I am doing it this way because my ISP just gives me one public IP and they redirect it to the DMZ IP with all ports open.

    I installed pfSense in a virtual machine in Hyper-V, with two adapters: a WAN adapter where the DMZ is configured and a LAN adapter with a random virtual switch generated in Hyper-V.

    Knowing that, how can I configure OpenVPN in pfSense to make it work? Is it possible? I am not a network expert.

    What I tried till this point did not work.

    • stephenw10 (Netgate Administrator), Sep 11, 2024, 2:35 AM

      So you are forwarding all traffic to the pfSense WAN IP in your ISP router?

      If so you should be able to run an OpenVPN server there.

      What did you try? How did it fail?

      Steve

      • ydderf2426 @stephenw10, Sep 11, 2024, 3:16 AM (last edited Sep 11, 2024, 3:53 AM)

        @stephenw10 Hi, my ISP gave me a DMZ IP 192.168.100.200 255.255.255.0 192.168.100.1, and that DMZ IP receives all traffic from my public IP with no port restriction.

        • Installed pfSense 2.7 in Hyper-V with two network adapters, WAN (internet) and LAN (Hyper-V virtual switch).
        • Configured the WAN interface in the pfSense dashboard with the DMZ IP, with subnet, gateway and corresponding DNS.
        • Configured the LAN interface with a random network range (this will be the one the other virtual machines will use).
        • Created an OpenVPN server using the wizard:
        1. Selected type of server: local user access.
        2. Created a new certificate authority (CA) for the server.
        3. Created the server certificate.
        4. Server setup: selected protocol TCP IPv4 and IPv6 on all interfaces, interface WAN, local port 1194; tunnel settings: IPv4 tunnel network 10.0.8.0/24 (the one I use), IPv4 local network 192.168.1.0/24, and the rest of the settings at default.
        5. Selected and created both firewall traffic rules, from clients to server and from clients through the VPN.
        6. Created a new user, selecting the internal certificate authority previously created.
        • Created the client export, leaving the hostname resolution option set to the interface IP address value and the rest of the options at their default values.
        • Installed the config file on a remote computer and got the following:

        Tue Sep 10 20:26:07 2024 OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
        Tue Sep 10 20:26:07 2024 Windows version 10.0 (Windows 10 or greater), amd64 executable
        Tue Sep 10 20:26:07 2024 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
        Tue Sep 10 20:26:07 2024 DCO version: 1.2.1
        Tue Sep 10 20:26:12 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.100.200:1194
        Tue Sep 10 20:26:12 2024 Attempting to establish TCP connection with [AF_INET]192.168.100.200:1194
        Tue Sep 10 20:28:13 2024 TCP: connect to [AF_INET]192.168.100.200:1194 failed: Unknown error

        The client is trying to connect using the DMZ IP, and that is bad because there we need to point to the public IP, since I am trying from outside my local network.

        Do you know what I can do differently to make it work as I need?


        I have an update: I forced the public IP in the OpenVPN config file, and that way I got something different, but with errors:

        2024-09-11 00:25:25 OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
        2024-09-11 00:25:25 Windows version 10.0 (Windows 10 or greater), amd64 executable
        2024-09-11 00:25:25 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
        2024-09-11 00:25:25 DCO version: 1.2.1
        2024-09-11 00:25:27 TCP/UDP: Preserving recently used remote address: [AF_INET]PUBLICIP:1194
        2024-09-11 00:25:27 Attempting to establish TCP connection with [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:28 TCP: connect to [AF_INET]PUBLICIP:1194 failed: Unknown error
        2024-09-11 00:27:28 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
        2024-09-11 00:27:29 TCP/UDP: Preserving recently used remote address: [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:29 Attempting to establish TCP connection with [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:29 TCP connection established with [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:29 TCPv4_CLIENT link local: (not bound)
        2024-09-11 00:27:29 TCPv4_CLIENT link remote: [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:29 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        2024-09-11 00:27:30 [VPN_SERVER_CA] Peer Connection Initiated with [AF_INET]PUBLICIP:1194
        2024-09-11 00:27:31 open_tun
        2024-09-11 00:27:31 tap-windows6 device [OpenVPN TAP-Windows6] opened
        2024-09-11 00:27:31 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.8.0/10.0.8.2/255.255.255.0 [SUCCEEDED]
        2024-09-11 00:27:31 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.2/255.255.255.0 on interface {B446BA71-F626-4465-8A5A-A021DE7F3F4F} [DHCP-serv: 10.0.8.0, lease-time: 31536000]
        2024-09-11 00:27:31 TUN: Setting IPv4 mtu failed: Access is denied. [status=5 if_index=57]
        2024-09-11 00:27:36 ERROR: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=57]
        2024-09-11 00:27:36 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
        2024-09-11 00:27:36 ERROR: Windows route add command failed [adaptive]: returned error code 1
        2024-09-11 00:27:36 Initialization Sequence Completed

        Still needing some help :(.


        New update: now it is working. For some reason, on the client machine I needed to run OpenVPN as administrator; after that I tried again to connect and it completed successfully.

        Thanks for your answer anyways Stephen, now I will play more.

        • stephenw10 (Netgate Administrator) @ydderf2426, Sep 11, 2024, 4:55 AM

          @ydderf2426 said in Newbie pfSense user - configuration using DMZ:

          Created client export leaving selected option hostname resolution with interface IP address value

          Yes, you need to specify the external IP address for server resolution there. Or an FQDN if you have a real host/domain setup.

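Added example, not part of the original posts and not Netgate or OpenVPN code: a Python check for the two problems in this thread, an exported client config whose `remote` is a private address behind the ISP router, and the matching client-log symptoms. The function names, the sample config, `vpn.example.net` and `203.0.113.10` are constructed for illustration.

```python
import ipaddress

# Ranges a client out on the internet cannot reach directly.
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]  # CGNAT, link-local, loopback

# Constructed sample export; vpn.example.net and 203.0.113.10 are placeholders.
SAMPLE_OVPN = """client
dev tun
remote 192.168.100.200 1194 tcp4
remote vpn.example.net 1194 tcp4
remote 203.0.113.10 1194 tcp4
"""

# Three lines copied from the client logs posted in the thread.
SAMPLE_LOG = """\
Tue Sep 10 20:28:13 2024 TCP: connect to [AF_INET]192.168.100.200:1194 failed: Unknown error
2024-09-11 00:27:31 TUN: Setting IPv4 mtu failed: Access is denied. [status=5 if_index=57]
2024-09-11 00:27:36 ERROR: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=57]
"""

def check_remotes(ovpn_text):
    """Return (host, port) for each `remote` whose host is a non-routable IPv4 literal."""
    bad = []
    for line in ovpn_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "remote":
            continue  # other directives, comments, blank lines
        host = parts[1]
        port = parts[2] if len(parts) > 2 else "1194"  # OpenVPN's default port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname/FQDN: resolved by the client, nothing to flag here
        if any(addr in net for net in UNREACHABLE):
            bad.append((host, port))
    return bad

def triage_log(log_text):
    """Map the two client-log symptoms seen in this thread to their cause."""
    findings = set()
    for line in log_text.splitlines():
        if "connect to [AF_INET]" in line and "failed" in line:
            findings.add("server unreachable at the address in `remote`")
        if "Access is denied" in line:
            findings.add("client lacks rights to set MTU/routes: run elevated")
    return sorted(findings)
```

Running `check_remotes` on an export before handing it to users catches the "Interface IP Address" default whenever the WAN sits behind another router.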
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.