Need help setting up firewall rule for VPN



  • I've set up my desktop to use an external VPN service.  However, now I cannot access the computers on a different subnet (within my network) when the VPN is connected.  Here is my setup:

    192.168.1.1 - pfSense
    192.168.1.100 - desktop
    192.168.2.150 - mailserver
    192.168.3.1 - now unused
    192.168.4.20 - management IP for ESXi host.

    My VPN is connected on 192.168.100 which is giving me a US IP address.  However, I cannot access my mailserver (192.168.2.150) when the VPN is connected.  I tried pinging 192.168.1.1 and 8.8.8.8, both were successful.  I tried pinging 192.168.2.150 and it timed out.

    So…  I thought maybe setting up a NAT/Firewall rule would help.  I set up the following:
    ID - (blank)
    Proto - *
    Source - LAN net
    Port - *
    Destination - *
    Port - *
    Gateway - *
    Queue - none
    Schedule - (blank)
    Description - Allow VPN on SERVERVLAN2

    I don't know what I'm doing here and would appreciate it if someone can help me figure this out.



  • 192.168.1.1 - pfSense
    192.168.1.100 - desktop
    192.168.2.150 - mailserver
    192.168.3.1 - now unused
    192.168.4.20 - management IP for ESXi host.

    I am assuming that you have 4 "/24" LAN subnets on your pfSense:
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    192.168.4.0/24
    and that the VPN tunnel is using:
    192.168.100.0/24
    please post the subnets that you have, what is each subnet mask and what pfSense interface each is on - that will make it easier to imagine what might be a problem.
    and let us know which interface/s you put rules on.
    My first thought is, if you have set an option on your VPN tunnel to push everything through the tunnel then:

    • traffic locally within 192.168.1.0/24 will be fine (doesn't go through pfSense)
    • real traffic to the public internet will be fine - routed out the VPN
    • traffic that should go to 192.168.2.0/24 etc is being routed out the VPN to the public internet, not what you want.
      What settings did you do to direct traffic out the VPN?


  • Please treat me as a complete noob with regards to anything VPN.  I really don't understand much.

    I do not have control over the VPN, I have subscribed to a service so that I can get a U.S. ip address.  So as far as what their subnet settings are, I don't have a clue.  I'm assigned a dynamic IP when I connect to the VPN.

    As far as my setup goes, all the interfaces are as you said (/24 subnets).

    I use them as follows:
    192.168.1.0/24 - LAN
    192.168.2.0/24 - vLAN2:  Only used for the mail server, that's it.
    192.168.3.0/24 - No longer used
    192.168.4.0/24 - Only used for the management IP to connect to ESXi host.

    All subnet masks are 255.255.255.0

    As far as the rules that I have setup all I did was go to Firewall > Rules > Add.  Here is a screenshot of what's in there




  • The firewall rules on each tab are for packets coming IN to the interface. So on your screen shot of the SERVERVLAN2 rules, the 2nd rule allowing source LAN net actually does nothing, because there will not be any packets generated on SERVERVLAN2 that have a source IP in LAN net.
    There are rules for every interface (each of the tabs across that Firewall:Rules page). The ones for LAN would be interesting to see, as that is where you are having trouble pinging from. A rule there might be directing all traffic to the OpenVPN.



  • Okay…  Initially when I posted I couldn't remember what my IP addresses were for the server and other computers on the network.  The IP address for the mail server is 192.168.2.50

    Interesting:  You mentioned something about me going through OpenVPN?  I don't have OpenVPN setup at the router level.  I have it setup as a client on my desktop (192.168.1.166 is the actual IP address).

    So, when my desktop is connected to the VPN, nothing else on the network is and I CAN ping anything within 192.168.1.X but I cannot ping anything in 192.168.X.X.  If I turn off the VPN on my desktop, I can ping everything.

    Here is the screenshot of LAN.




  • Interesting:  You mentioned something about me going through OpenVPN?  I don't have OpenVPN setup at the router level.  I have it setup as a client on my desktop (192.168.1.166 is the actual IP address).

    OK - now the misunderstanding is cleared up! I thought you had an OpenVPN client setup on pfSense that connected your whole networks out the VPN.
    Normally your default gateway is the pfSense - all traffic for outside your LAN is handed to pfSense. pfSense knows what traffic needs to go to other local LANs and what needs to go to the public internet, so it sorts that out.
    When you start your VPN client, it redefines the default gateway on your PC to be the VPN tunnel. And so it "grabs" any packets that are not for your directly-connected local LAN. It doesn't know about the other LANs nearby - 192.168.2.0/24 etc.
    On Windows you can see the routes it knows about with:

    > route print
    

    and you can add routes to tell it stuff it does not know:

    route add 192.168.2.0 mask 255.255.255.0 192.168.1.1 
    

    This will tell it that you get to 192.168.2.0/24 by sending to 192.168.1.1 - a couple of these "route add" for each subnet should do the trick.
    Then you have to find some way of making that stick in your PC when it reboots :)



  • Okay…  How would I add those routes with Linux?  I'm running Linux Mint (based on Ubuntu).



  • Okay…  I added a route in Linux with the following command:

    sudo route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1 dev eth0
    

    The problem is that it created DNS leaks.  Well, actually, that command specifically didn't create DNS leaks, the DNS leaks were already there.  I had to remove the route to 192.168.1.0 in order to remove the leaks completely.  Now, I cannot connect to anything on my network in the same subnet or outside that subnet.

    Any other ideas on how I can accomplish what I'm trying to get?



  • Add a route for each subnet that is off your local LAN:

    sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
    sudo route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
    sudo route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
    ...
    

    Then you don't mess up local LAN connectivity.



  • Will it still cause DNS leaks?

    By doing this, am I telling the computer to use the VPN on everything EXCEPT for when it is in one of those subnets?



  • By doing this, am I telling the computer to use the VPN on everything EXCEPT for when it is in one of those subnets?

    Yes. When the VPN comes up, it sets the default route to itself. All packets for destinations that are not on a directly connected subnet and do not have an explicit route, will go to the VPN.

    Will it still cause DNS leaks?

    I guess the DNS is another issue. When you first connect to the local LAN, pfSense DHCP gives you an IP address and gives itself as the DNS server (that is the default behaviour). So your PC will have DNS pointing to pfSense. Because pfSense is on your local network, your PC will happily send DNS lookups there, and the pfSense DNS forwarder will do the lookup for you out the pfSense WAN. I guess you don't want that to happen - the DNS should go over the VPN also.
    Someone else could give some advice here - how to make the OpenVPN client replace the DNS server?
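    The routing behaviour discussed across this thread (the VPN client taking over the default route, the /16 route that was tried, the per-subnet routes recommended above, and the DNS path question) can be reproduced offline with a small longest-prefix-match simulation. This is an added example and not code from any poster or from pfSense/OpenVPN; it uses the thread's addresses (pfSense 192.168.1.1, mail server 192.168.2.50, the 192.168.x.0/24 subnets) and assumes interface names eth0/tun0, a constructed tunnel subnet 10.8.0.0/24 with gateway 10.8.0.1, and constructed hosts 192.168.1.50 and 192.168.3.7. The VPN is modelled the way OpenVPN's redirect-gateway option usually works, two /1 routes that out-rank the existing /0, which the kernel resolves exactly like a replaced default gateway.

```python
# Added example (not from the thread): simulate the PC's routing decisions
# with longest-prefix match, to show why the VPN swallows traffic for
# 192.168.2.0/24 and what each "route add" from the thread changes.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: Optional[IPv4Address]  # None means directly connected
    dev: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching prefix wins (how the kernel picks a route)."""
    dst_ip = IPv4Address(dst)
    matches = [r for r in table if dst_ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def egress(table: List[Route], dst: str) -> str:
    """Describe where a packet to dst leaves. A gateway is only usable if it
    sits on a directly connected network; otherwise the kernel cannot ARP
    for it and the route is dead."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    if r.gateway is None:
        return f"{r.dev} direct"
    via = lookup(table, str(r.gateway))
    if via is None or via.gateway is not None:
        return f"unreachable (gateway {r.gateway} not on a connected network)"
    return f"{r.dev} via {r.gateway}"


def dns_leaks(table: List[Route], resolver: str, tunnel_dev: str = "tun0") -> bool:
    """A DNS query 'leaks' if the configured resolver is reached outside the
    tunnel, e.g. pfSense on the local LAN (what its DHCP hands out)."""
    return not egress(table, resolver).startswith(tunnel_dev)


PFSENSE = IPv4Address("192.168.1.1")
LAN = Route(IPv4Network("192.168.1.0/24"), None, "eth0")
DEFAULT_VIA_PFSENSE = Route(IPv4Network("0.0.0.0/0"), PFSENSE, "eth0")
# Assumed tunnel addressing; OpenVPN's redirect-gateway typically adds two
# /1 routes that beat the existing /0 on prefix length.
TUN_GW = IPv4Address("10.8.0.1")
TUN_NET = Route(IPv4Network("10.8.0.0/24"), None, "tun0")
VPN_HALVES = [Route(IPv4Network("0.0.0.0/1"), TUN_GW, "tun0"),
              Route(IPv4Network("128.0.0.0/1"), TUN_GW, "tun0")]

no_vpn = [LAN, DEFAULT_VIA_PFSENSE]
vpn_up = no_vpn + [TUN_NET] + VPN_HALVES
# "route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1" from the thread
vpn_slash16 = vpn_up + [Route(IPv4Network("192.168.0.0/16"), PFSENSE, "eth0")]
# the same after the 192.168.1.0 route was removed
vpn_slash16_no_lan = [r for r in vpn_slash16 if r is not LAN]
# per-subnet routes as recommended in the thread (192.168.3.0/24 is unused)
vpn_split = vpn_up + [Route(IPv4Network(n), PFSENSE, "eth0")
                      for n in ("192.168.2.0/24", "192.168.4.0/24")]

if __name__ == "__main__":
    tables = {"no VPN": no_vpn, "VPN up": vpn_up, "VPN + /16": vpn_slash16,
              "VPN + /16, LAN route removed": vpn_slash16_no_lan,
              "VPN + per-subnet routes": vpn_split}
    for name, table in tables.items():
        print(f"== {name}")
        for dst in ("192.168.1.50", "192.168.2.50", "192.168.3.7", "8.8.8.8"):
            print(f"  {dst:<14} -> {egress(table, dst)}")
        print(f"  DNS via pfSense leaks: {dns_leaks(table, '192.168.1.1')}")
```

Running it shows the three states the thread describes: with the VPN up and no extra routes, 192.168.2.50 is carried by the 128.0.0.0/1 tunnel route; with the per-subnet routes it goes to pfSense again while 8.8.8.8 still exits the tunnel; and removing the connected 192.168.1.0/24 route makes every route via 192.168.1.1 unreachable, which is the "cannot connect to anything" symptom. The last line of each block also confirms the DNS point: as long as the resolver is 192.168.1.1 on the local LAN, lookups never enter the tunnel regardless of how the other routes are set, so fixing routing alone does not close that leak. On a current Linux system the same routes are usually added with `ip route add 192.168.2.0/24 via 192.168.1.1 dev eth0`.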

