Layer 2 connection issue with Android to PC app
-
@sessh Hmm, the split tunnel may not cover 192.168.0 network, only the 192.168.1 that the PC actually knows about. So what happens if you disable the VPN completely on the PC? I have that exact problem with my work PC...
-
@sessh said in Layer 2 connection issue with Android to PC app:
So provided there's no issues with that, I will try creating that NAT rule to open a port for Sweech.
you don't need a port forward for something on your lan talking to your wireless device.. But yeah a vpn on that device would mess that access.
Also if your going to create a port forward from your wifi to your lan behind pfsense, the vpn on the device on your lan would still mess with that.. And you would have to access your 192.168.0.x IP of pfsense wan that you forward to the 192.168.1.x on your pfsense lan.
-
@sessh said in Layer 2 connection issue with Android to PC app:
Ok wait.. just to clarify something before going further. When you say:
@johnpoz Or doing some sort of policy routing where your sending traffic on your pfsense lan out some vpn or something.
.. are you referring to having a VPN installed on the 1100 or having one involved at all on any of the devices connected to the 1100 LAN? I assumed it was the former, but there is one on the PC and one the phone (on 192.168.0). However, I have both Sweech and one of the browsers on the PC in split tunneling mode, so it shouldn't be affecting anything when using that browser? Is that wrong? I just verified that the one browser is using my real IP with the correct location. Even using that one, I still can't connect to 192.168.0.39.
If you are able to edit the settings for the VPN, then on the phone, you might need to add the 192.168.1.0/24 network to the IP range to EXCLUDE from VPN. And on the PC you definitely have to do the same, but here it is 192.168.0.0/24 network that should be excluded.
But a quicker way to test is from the PC where you simply disable the VPN and then try to log on to the Arris. -
@Gblenn said
Hmm, the split tunnel may not cover 192.168.0 network, only the 192.168.1 that the PC actually knows about. So what happens if you disable the VPN completely on the PC? I have that exact problem with my work PC...
This was correct. When i disable the VPN and try to access the Arris or Sweech, it allows me to do it from the PC. I use NordVPN and unfortunately, they don't seem to have made it easy to whitelist IP addresses at least on Windows. (I'm not yet on to Linux, but soon!) I might just switch VPN providers, I've kinda been looking for a reason anyway. It seems other VPNs make this a lot easier to do.
At any rate, I'm glad you guys were able to help me at least find out why this is happening even if I can't fix it via VPN whitelisting. Networking has always been a hole in my tech knowledge base, so perhaps it's time to improve on that. :)
-
@sessh and if you moved your wifi behind pfsense, you could just easy setup your vpn on pfsense, and then route whatever traffic/devices you want out the vpn via simple policy route. And not have any issues with your device talking to each other for stuff like this app, or any other thing. Unless you wanted to put them on different networks and actually firewall what they can do between your networks via firewall rules on pfsense.
-
@johnpoz I was considering that, but I would then lose the per-app split tunneling if I took it off the PC/Phone.
I will move the wifi behind pfsense when I get a chance. For a small home network, is there anything you (or anyone else here) would suggest AP wise?
If I put the VPN on the 1100, you're saying I could use simple policy routes to have full control over which devices used the VPN and which would be excluded from it? Kinda like tunneling? Would I even be able to select IP ranges to exclude like what was suggested above via the VPN?
-
@sessh said in Layer 2 connection issue with Android to PC app:
I will move the wifi behind pfsense when I get a chance. For a small home network, is there anything you (or anyone else here) would suggest AP wise?
@sessh What type and I guess "size" of AP depends a bit on what your home looks like, size and number of floors? And whether or not you have ethernet cabling anywhere?
You will get the best coverage and quality by doing some planning, and perhaps use more than one AP. Like opposite corners of the house and perhaps different floors, and that sort of thing.I use TPLink Omada AP's at home and Unifi at our vacation home. They seem pretty equal from a radio perspective, but I do think the Omada is slightly easier to manage.
Unifi on the other hand has a much more active community and forum's. You can host the controller SW for both systems on a VM or a and Raspberry Pi.
Like johnpoz suggested earlier, get a managed switch (Omada or Unifi) and perhaps with PoE, since that will give you more flexibility towards adding VLAN's and of course power your AP's.I don't like mesh systems, but perhaps the very latest and more expensive one's are ok.
I have never used NordVPN but their website sais they have Route Based Split Tunnel... So on Windows you should go to Settings, Split Tunnel and then Select Type. If that allows you to add an IP range, you could try to add the 192.168.0.0/24 network and see if things work. On Android you can select which apps to exclude, like the Sweech app...
-
@sessh said in Layer 2 connection issue with Android to PC app:
Would I even be able to select IP ranges to exclude like what was suggested above via the VPN?
Yes.. what uses or doesn't use the vpn would be simple firewall rules on pfsense.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#policy-routing-configuration
-
@johnpoz said in Layer 2 connection issue with Android to PC app:
@sessh said in Layer 2 connection issue with Android to PC app:
Would I even be able to select IP ranges to exclude like what was suggested above via the VPN?
Yes.. what uses or doesn't use the vpn would be simple firewall rules on pfsense.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#policy-routing-configuration
I guess the one thing that will prove more challenging is the tunneling per "app" that NordVPN can do when installed in the phone/PC.
Should be possible using pfblockerng to get the server IP's from ASN's to use in the policies. But it is a bit of work and at least I have found it challenging and a bit of hit and miss. But perhaps if one can flip it around and use only for a few applications to be excluded, it could work.
-
Will get TPLink Omada then when I'm ready to do that. Also this PC is still on Win7 (I've had difficulty pulling myself away from it, I love it) and will next be on Linux Mint, so the NordVPN software for WIn7 does not have the route tunneling feature, only app tunneling. Their software for Linux doesn't even have Split Tunneling at all, so I'd have to switch to something like Surfshark maybe. I was seeing people on Win10 posting stuff about how they couldn't figure out how to whitelist with Nord, but maybe that feature was a newer addition to the software. Either way, I see it's now included on Win10 and 11 in the UI.
Wow really? Tunneling per app is actually possible using pfsense? That's interesting. I only have a few things I use the tunneling for though. If that's possible, a killswitch should be workable too.
-
@sessh said in Layer 2 connection issue with Android to PC app:
Tunneling per app is actually possible using pfsense?
No, not sure where you got that Idea - you can policy route on anything you can get a firewall to trigger on, source IP or port, destination IP or port, protocol tcp/udp etc. Any combination of those.
But you can't say hey if chrome browser traffic route out a tunnel.. You could say anything going to 443 route out the tunnel.. But pfsense can't know if that is a browser creating that traffic, or some other app. etc.
You could say anything going to 443 to this IP or network route out the tunnel, etc. Anything else going to 443 don't route out the tunnel, etc.
If your so concerned about your isp seeing where your going, why not just route all traffic out the vpn?
-
@johnpoz I guess it was me who "gave sessh that idea".. talking about the use of pfBlocker, ASN and Alias to route based on destination IP.
Say for example you want to route everything except Netflix and YouTube via the VPN. Then you could exclude any traffic going to their servers. But you need help from pfblocker to figure out all the possible IP's, from their respective ASN's...And in that way you are at least mimicking the ability to "split tunnel" based on application...
-
@Gblenn true, if you know what networks application X wants to talk to - sure you can policy route based on that.
-
Yeah i was referring to the pfBlocker/ASN/Alias thing Gblenn was talking about. My original intention was to do what you guys are suggesting and put the VPN on the Netgate, but I then realized I would lose some of the perks that the desktop/mobile app gave me (Tunneling, Killswitch etc).. but if those are possible to set up using pfBlocker/ASN/Alias, that sounds fun. When/if I decide to go that route, I may tag you in a new thread here and try to get that working.
I would want to exclude some devices from it, but I see that's possible too. I was considering getting SlingTV along with NHL Center Ice and I'd want to have that going through the VPN to get around local blackouts. Knowing all of this is possible was certainly worth it to learn. Really appreciate you guys taking the time to explain things to me.
-
@sessh you mention killswitch, that is also possible in pfsense, where if the vpn goes down - traffic that is suppose to go out the vpn will just die and not go out your normal internet connection.
-
@sessh said in Layer 2 connection issue with Android to PC app:
I would want to exclude some devices from it, but I see that's possible too. I was considering getting SlingTV along with NHL Center Ice and I'd want to have that going through the VPN to get around local blackouts.
It's quite simple as long as it has to do with all traffic related to a device (or it's IP rather). Then it doesn't matter if it's a SlingTV, GoogleTV or a PC even. Policy routing based on it's IP can send all traffic via the VPN, or exclude it from the VPN (if default is to use VPN for the entire home network).
And as johnpoz points out, if the tunnel goes down, traffic can be blocked so that it doesn't "leak"...
The difficult part is when you want to take some of the traffic from one IP, like when it's a PC or even a Google TV but only some selected streaming services and not others.
That's where you need to know the servers they connect to instead, and there can be many IP's... And the task to figure those IP's out can be done by pfblockerng, which can provide Aliases listing all IP's related to the ASN's that you need to provide. Again there can be multiple ASN's for some services even...I have played around a little with this and found it to be quite the challenge, and basically gave up. I wasn't after routing, but rather blocking and there are other simpler tools to use for that... depending on your needs.
-
Man that does sound like a pain. It also doesn't sound possible to really do per app tunneling like a dedicated VPN app can do particularly for things like web browsers whereas with something like Sweech that uses a narrow host address range plus a specific port number, it would be a piece of cake. I suppose I'd have to keep the desktop app for the PC, but the phone should be ok with it since it's just one app that needs to be configured.