Wake on Lan over VPN/subnets



  • Hi there, first off I love pfSense - I use OpenVPN to link between home and work (a small business that I manage the IT). It works flawlessly. I typically am using the latest snapshot 2.0 RC2 at both ends.

    One think I want to do, is to be able to be able to Wake on Lan computers at the other location from where I am. I have WOL configured on the relevant PCs and it works fine when I am on the same subnet. The problem comes when I want to WOL over the VPN/difference subnets.

    I am using WakeOnLAN v1.0 from MATCODE Software. This allows you to specify a TCP/IP address for the magic packet so that in theory you can have the packet routed across subnets. You also need to specify the MAC address. In this example the remote target machine to wake has an ip address of 10.0.0.10 and the pfsense box on this subnet is 10.0.0.1.

    1. First example - directing to the machines ip address.
      If I shut down the target machine to wake, and then quickly send a WOL packet to 10.0.0.10 to the remote subnet the computer wakes as expected because the ARP entry for 10.0.0.10 is still cached by the pfSense box. If I wait a bit longer, pfSense has flushed the ARP entry for 10.0.0.10 and proceeds to broadcast ARP requests on the remote subnet. As the machine is asleep this never gets responded to, and the WOL packet never gets transmitted on the remote network.

    2. Second example - directing to the remote subnet broadcast address.
      To get around the ARP problems above, you can instead direct the WOL packet to the broadcast address of the remote subnet, in this example 10.0.0.255. I have done packet traces in this instance and the packet makes it to the remote pfSense boxes OpenVPN tunnel adapter. But pfSense does not route this packet to the remote LAN. I believe this is because pfSense does not route broadcast messages? I am not sure on this. I have checked my firewall rules and for the OpenVPN adapter there is one rule that is to pass everything, so I don't believe the WOL packet it getting blocked by the firewall.

    Here's what I think about these cases:

    1. A possible solution here is to add a static arp entry to pfSense for the remote computer. But I cannot find a way to do this from the pfSense user interface. There is an option under Services -> DHCP server -> Static ARP. But this does not provide an answer. It does create static ARP entries but does not allow anything else to connected to the machine - which isn't suitable for our environment.

    2. Is there a way to get pfSense to route the broadcast WOL packet?

    If anyone has any ideas I'd greatly appreciate hearing them.

    Cheers,
    Ian.


  • Netgate Administrator

    Can you not use the WOL service built into pfSense?

    Steve



  • @stephenw10:

    Can you not use the WOL service built into pfSense?

    Sorry yes, I should have mentioned this. The WOL service built into pfSense works fine. The problem is that I need to give access to people that I don't want to have access to the pfSense interface. Also I would like to automate it as part of connecting to the VPN for them so it's quicker to use - I can do that using the mc-wol.exe program.



  • It might get a bit tedious repeatedly connecting to the pfSense GUI and entering the details so another option would be be to (for example) create a shell script on the pfSense box in the office to issue the appropriate wol command and then invoke it by ssh from home. (Might need to do this under a user other than admin.)

    On the pfSense box you could add static arp entries by shell command but they will disappear on pfSense reboot. I believe the pfSense config file can include shell commands to be executed at startup (see the Shellcmd package and the discussion in, for example http://forum.pfsense.org/index.php/topic,34391.0.html ).


Log in to reply