Difference between Interface subnet and 192.168.2.0/24



  • Testing 2 firewall rules: the first one has as source the OPT3 subnet (net for OPT3 is 192.168.2.0/24) and DOESN'T work.

    The second one - source 192.168.2.0/24 - is OK.

    Why?


  • Banned

    What's OPT3? Some OpenVPN? Why's it even assigned as interface? Not enough information here, and "doesn't work" is never a useful description of a problem.



  • They should both work (or not work) the same, as far as I know if the OPT3 subnet is 192.168.2.0/24.

    But yeah - I don't get the reference to OpenVPN in the description either…



  • @doktornotor:

    What's OPT3? Some OpenVPN? Why's it even assigned as interface? Not enough information here, and "doesn't work" is never a useful description of a problem.

    OPT3 is a VPN. The client has (been) assigned IP 192.168.2.6. "doesn't work" means that the first rule doesn't allow traffic through OPT3 interface, the second one allows it. But I can't understand why!


  • Banned

    With pfS being the OpenVPN server? Then again, why's this even assigned as interface? Please describe exactly what you are doing and how things are set up, waste of time so far.



  • Hmmmm - That's odd.

    Not to beat a dead horse, but describe the VPN that is on OPT3?

    Is it a separate piece of hardware?

    (I might have an answer for why those rules behave differently.  I notice to the left, there is a purple "i" meaning there is some advanced setting.  Perhaps those are not the same on both rules?)



  • OPT3 OpenVPN is a roadwarrior VPN. I use it to tunnel my laptop traffic to pfsense, then out to the Internet with a VPN provider.

    I've assigned it an Interface to filter and NAT that connection.

    It works flawlessly only with the second rule…  :(



  • I'm not sure why this would work at all.  I've never seen anyone do this.
    My immediate thought is that you should not be doing this.

    I would like to be able to have multiple instances of pfsense produce multiple firewall tabs that I could manipulate separately, but I've not seen that ever happen and I have never seen anyone do what you are doing either.

    I think that if I had additional rules to add, I'd be adding them under the OpenVPN Firewall Tab, not a separate tab.
    How did that tab even get there?  Is that a physical interface?



  • @kejianshi:

    I'm not sure why this would work at all.  I've never seen anyone do this.
    My immediate thought is that you should not be doing this.

    Why?

    My scheme is:

    1. first OpenVPN is pfsense as client to AirVPN. This allows me to tunnel all the traffic leaving pfsense (LAN, etc.) through a VPN provider.

    2. second OpenVPN is a roadwarrior VPN with pfsense acting as server. It assigns 192.168.2.0/24 addresses and tunnels all the traffic generated by my laptop through the VPN server and then outside pfsense to the Internet through AirVPN client.

    What am I doing wrong???  ::)


  • Banned

    @panz:

    It works flawlessly only with the second rule…  :(

    If you check the "Topology" checkbox, do both work?



  • doktornotor - Currently I'm lost…

    I'd probably need a drawing of this to know what is going on.


  • Banned

    @kejianshi:

    doktornotor - Currently I'm lost…
    I'd probably need a drawing of this to know what is going on.

    Basically something like this. But with client connected not from LAN, but via OVPN.



  • I'll just watch and see how this goes…  Thanks.



  • @kejianshi:

    doktornotor - Currently I'm lost…

    I'd probably need a drawing of this to know what is going on.

    WAN (ISP) ---- pfsense ---- LAN

    So, pfsense has 2 physical interfaces: LAN & WAN. WAN has a public IP; LAN is 192.168.1.0/24 (pfsense is 192.168.1.1).

    Then I setup pfsense as client to AirVPN (a VPN service provider) so all my traffic is sent via VPN. Here's my NAT scheme:

    Then, I want to use my laptop with maximum security, so I setup a roadwarrior conf with pfsense acting as an OpenVPN server (tunnel is 192.168.2.0/24).

    Then, to prevent DNS leaks and LAN clients using Internet when AirVPN is down, I setup 2 floating rules:

    where MY_DNS_ADDRESSES is an alias to my favorite DNS servers (OpenNIC).

    Now I'm experimenting with firewall rules because, as far as I know, now my "exposed" interface is OpenVPN (because all my Internet traffic comes from there).


  • Banned

    Wasn't my question. Let me ask again:

    If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?



  • @doktornotor:

    Wasn't my question. Let me ask again:

    If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?

    There's only 1 (roadwarrior) client and it has 192.168.2.6 address.


  • Banned

    The question still remains the same. See the OpenVPN docs on net30 for the reason I'm asking.



  • Yes, now checking that, the first rule works… so... why?


  • Banned

    Well, because /30 is not /24  :P

    net30 – Use a point-to-point topology, by allocating one /30 subnet per client.
    subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask

    Documentation. Also comparing the ifconfig output for both modes should be pretty much enlightening.



  • OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN?  Do I have this wrong?



  • Look in /tmp/rules.debug - down the end you will see the user rules generated from the Firewall Rules tabs. You will be able to see exactly what rules it generates for OPT3. I suspect it gets a different idea about OPT3 Subnet depending if it is set to topology or not. One way may treat it as a /30 and the other as the full tunnel network range.



  • Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?

    I understand this IF topology is net30, so it is a peer-to-peer-like connection.

    But the previous scheme was ALL /24. Why doesn't this work?


  • Banned

    @panz:

    Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?

    Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.



  • @kejianshi:

    OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN?  Do I have this wrong?

    The laptop/computer is a client while I'm out (e.g. at a Starbucks coffee shop).



  • OK - I see.

    When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is client to?



  • @kejianshi:

    OK - I see.

    When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is client to?

    Yes.



  • haha - I see where this is going…  Good one.

    I take it AirVPN doesn't have a bandwidth usage cap?



  • @doktornotor:

    @panz:

    Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?

    Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.

    with net30

    ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
            inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00

    without net30

    ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
            inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 15822



  • @kejianshi:

    haha - I see where this is going…  Good one.

    I take it AirVPN doesn't have a bandwidth usage cap?

    No limitations, as far as I know.


  • Banned

    Yeah. So, see:

    netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
    netmask 0xffffff00 = /24 (the configured subnet)

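The two ifconfig outputs above, and the earlier suggestion to read /tmp/rules.debug, show where the difference comes from: the "OPT3 subnet" macro is derived from the tun interface's own address and netmask, so under net30 it resolves to a /32 containing only the server endpoint. The following Python script is an added example, not code from the thread or from pfSense. It parses ifconfig text constructed to match the two outputs quoted above, computes what the interface-subnet macro resolves to, and checks whether the road-warrior client 192.168.2.6 falls inside it. The `pf_source_rule` output uses plain pf syntax as an illustration; the exact rule form pfSense writes to /tmp/rules.debug is an assumption, not reproduced from the product.

```python
import ipaddress
import re

# Constructed sample input, modelled on the two ifconfig outputs posted in the thread.
IFCONFIG_TOPOLOGY_SUBNET = """\
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
        inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00
"""

IFCONFIG_TOPOLOGY_NET30 = """\
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
        inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
        Opened by PID 15822
"""

# Matches the FreeBSD point-to-point "inet LOCAL --> PEER netmask 0xHEX" line.
INET_LINE = re.compile(r"^\s*inet (\S+) --> (\S+) netmask 0x([0-9a-fA-F]{8})", re.M)


def interface_subnet(ifconfig_text):
    """What an 'Interface subnet' macro resolves to: the interface's own IPv4
    address masked with the interface's own netmask (assumption: this is how
    the firewall derives the macro, as the rules.debug hint in the thread implies)."""
    m = INET_LINE.search(ifconfig_text)
    if m is None:
        raise ValueError("no IPv4 point-to-point inet line found")
    local, _peer, mask_hex = m.groups()
    netmask = ipaddress.IPv4Address(int(mask_hex, 16))
    return ipaddress.IPv4Network((local, str(netmask)), strict=False)


def rule_matches(network, client_ip):
    """True if a rule whose source is `network` would match traffic from client_ip."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(client_ip) in net


def pf_source_rule(network, iface="ovpns2"):
    """Illustrative pf rule using the resolved source network (pf syntax; the
    real pfSense-generated line is an assumption not copied from the product)."""
    net = ipaddress.ip_network(network, strict=False)
    return f"pass in quick on {iface} inet from {net} to any"


def net30_block(client_ip):
    """Under topology net30 OpenVPN hands each client an isolated /30 (per the
    OpenVPN docs): 192.168.2.4/30 gives the server-side endpoint .5 and the
    client .6, which is exactly the client address seen in the thread."""
    addr = ipaddress.IPv4Address(client_ip)
    return ipaddress.IPv4Network((int(addr) & ~0x3, 30))


def compare(client_ip="192.168.2.6"):
    """Return, per topology, the resolved macro and whether the client matches."""
    result = {}
    for name, text in (("subnet", IFCONFIG_TOPOLOGY_SUBNET),
                       ("net30", IFCONFIG_TOPOLOGY_NET30)):
        net = interface_subnet(text)
        result[name] = {
            "interface_subnet": str(net),
            "matches_client": rule_matches(net, client_ip),
            "rule": pf_source_rule(net),
        }
    return result


if __name__ == "__main__":
    for topo, info in compare().items():
        print(f"{topo:7s} Interface subnet -> {info['interface_subnet']:18s} "
              f"matches 192.168.2.6: {info['matches_client']}")
        print(f"        {info['rule']}")
    print("net30 /30 for 192.168.2.6:", net30_block("192.168.2.6"))
```

Under topology subnet the macro becomes 192.168.2.0/24 and both rules are equivalent; under net30 it becomes 192.168.2.1/32, which never matches a client, while the hand-written 192.168.2.0/24 source still does. Comparing the resolved `from` network in /tmp/rules.debug against the client's address is the quickest way to confirm which case a given box is in.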


  • @doktornotor:

    Yeah. So, see:

    netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
    netmask 0xffffff00 = /24 (the configured subnet)

    why  inet 192.168.2.1 --> 192.168.2.1


  • Banned

    @panz:

    why  inet 192.168.2.1 --> 192.168.2.1

    What's your problem with that, again? The question has been answered already. The tunnel endpoints are the same there.



  • So, anyway - I've not been running pfsense this way before.  I've only done this with a DD-WRT as client to Pfsense/Openvpn and then DD-WRT has its clients…  Similar.

    No one has said yet, but I'm guessing the OPT3 got created auto-magically when you created the OpenVPN client in pfsense?  If so, I'm clear now.

    How well is this working for you?



  • @kejianshi:

    So, anyway - I've not been running pfsense this way before.  I've only done this with a DD-WRT as client to Pfsense/Openvpn and then DD-WRT has its clients…  Similar.

    No one has said yet, but I'm guessing the OPT3 got created auto-magically when you created the OpenVPN client in pfsense?  If so, I'm clear now.

    How well is this working for you?

    Absolutely not, I created the OPT3 to add a roadwarrior after all VPN testing from LAN --> AirVPN was successful.



  • Yeah - See, that's the part I don't understand why you need it.  But if it's working for you, I guess I don't need to understand necessarily.
    I have road warriors and I didn't have to create an interface for them - That's why I'm confused.



  • @kejianshi:

    Yeah - See, that's the part I don't understand why you need it.  But if it's working for you, I guess I don't need to understand necessarily.

    I need it because the VPN provider is one (= 1 account), but I have to protect at the same time my internal LAN clients AND roadwarrior client(s) under the same umbrella (LAN = home office; roadwarrior = mobile office).



  • Thank you doktornotor, now I understand (yeah!)  8)



  • OK - If it works it works.



  • @kejianshi:

    OK - If it works it works.

    If you're interested, now I'm going to add a Wi-Fi interface!  ;D  ;D  ;D with OpenVPN peers, of course!



  • It's not the adding of physical interfaces that confuses me.

    Or the fact that you can have VPN clients to a pfsense that is running as a client to a VPN itself.

    Or that you can add a wireless interface + its clients to pfsense which is client to a VPN.

    The thing that confuses me is that I've always been able to firewall my pfsense road warriors just fine from the OpenVPN firewall tab without the addition of an interface for their subnet.

    So, what I'm wondering is: was that interface necessary at all?

    I'm probably just missing something.  It's OK.

