Difference between Interface subnet and 192.168.2.0/24
-
doktornotor - Currently I'm lost…
I'd probably need a drawing of this to know what is going on.
Basically something like this. But with client connected not from LAN, but via OVPN.
-
I'll just watch and see how this goes… Thanks.
-
doktornotor - Currently I'm lost…
I'd probably need a drawing of this to know what is going on.
WAN (ISP) ---- pfsense ---- LAN
So, pfsense has 2 physical interfaces: LAN & WAN. WAN has a public IP; LAN is 192.168.1.0/24 (pfsense is 192.168.1.1).
Then I set up pfsense as a client to AirVPN (a VPN service provider) so all my traffic is sent via VPN. Here's my NAT scheme:
Then, I want to use my laptop with maximum security, so I set up a roadwarrior conf with pfsense acting as an OpenVPN server (tunnel is 192.168.2.0/24).
Then, to prevent DNS leaks and LAN clients using the Internet when AirVPN is down, I set up 2 floating rules:
where MY_DNS_ADDRESSES is an alias to my favorite DNS servers (OpenNIC).
Now I'm experimenting with firewall rules because, as far as I know, now my "exposed" interface is OpenVPN (because all my Internet traffic comes from there).
-
Wasn't my question. Let me ask again:
If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?
-
Wasn't my question. Let me ask again:
If you check the "Topology" checkbox, do both work (i.e., OPT3 subnet being the same as /24)?
There's only 1 (roadwarrior) client and it has 192.168.2.6 address.
-
The question still remains the same. See the OpenVPN docs on net30 for the reason I'm asking.
-
Yes, now checking that, the first rule works… so... why?
-
Well, because /30 is not /24 :P
net30 -- Use a point-to-point topology, by allocating one /30 subnet per client.
subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local IP address and subnet mask (from the OpenVPN documentation).
Also comparing the ifconfig output for both modes should be pretty much enlightening.
-
OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN? Do I have this wrong?
-
Look in /tmp/rules.debug - down the end you will see the user rules generated from the Firewall Rules tabs. You will be able to see exactly what rules it generates for OPT3. I suspect it gets a different idea about OPT3 Subnet depending if it is set to topology or not. One way may treat it as a /30 and the other as the full tunnel network range.
-
Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?
I understand this IF topology is net30, so it is a peer-to-peer-like connection.
But the previous scheme was ALL /24. Why doesn't this work?
-
Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?
Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.
-
OK - So, your pfsense is a client to a vpn service and then your pfsense is also running an openvpn server to which your laptop/computer is a client while inside your own LAN? Do I have this wrong?
laptop/computer is a client while I'm out (e.g., at a Starbucks coffee shop).
-
OK - I see.
When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is a client to?
-
OK - I see.
When you VPN into your pfsense from your laptop when you are out, does all that traffic then go out over the VPN pfsense is a client to?
Yes.
-
haha - I see where this is going… Good one.
I take it AirVPN doesn't have a bandwidth usage cap?
-
Oh, yes, I understand that. But my question was: why are OPT subnet and 192.168.2.0/24 not the same?
Please, type ifconfig to console. For both modes. Compare the OPT3/ovpns? output.
with net30:
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
        inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00

without net30:
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::a00:27ff:fe7f:875d%ovpns2 prefixlen 64 scopeid 0x8
        inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        Opened by PID 15822
-
haha - I see where this is going… Good one.
I take it AirVPN doesn't have a bandwidth usage cap?
No limitations, as far as I know.
-
Yeah. So, see:
netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
netmask 0xffffff00 = /24 (the configured subnet)
-
Yeah. So, see:
netmask 0xffffffff = /32 (really just the OVPN IP itself, does not include any client, 192.168.2.6 certainly out)
netmask 0xffffff00 = /24 (the configured subnet)
Why inet 192.168.2.1 --> 192.168.2.1?
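As an added example (not part of the thread), the Python below reads the two ifconfig outputs posted above the way doktornotor and the /tmp/rules.debug suggestion interpret them: the interface's inet address masked with its netmask is the network an "OPT3 subnet" rule would match, so the roadwarrior client 192.168.2.6 is inside it only when the netmask is /24. The ifconfig text is constructed from the output in the thread; the tunnel network and client address are the thread's.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the ovpns2 ifconfig output in the thread
# (the /24-netmask line and the /32-netmask line).
IFCONFIG_SLASH24 = """\
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 192.168.2.1 --> 192.168.2.1 netmask 0xffffff00
"""
IFCONFIG_SLASH32 = """\
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
"""

TUNNEL_NETWORK = ipaddress.IPv4Network("192.168.2.0/24")  # configured tunnel
CLIENT_IP = ipaddress.IPv4Address("192.168.2.6")          # the roadwarrior

# FreeBSD ifconfig prints point-to-point addresses as "inet A --> B netmask 0x...."
INET_RE = re.compile(r"inet (\S+) --> (\S+) netmask 0x([0-9a-fA-F]{8})")


def interface_subnet(ifconfig_text: str) -> ipaddress.IPv4Network:
    """Network an 'Interface subnet' macro expands to, assuming it is derived
    from the interface address and its netmask (the thread's hypothesis)."""
    match = INET_RE.search(ifconfig_text)
    if match is None:
        raise ValueError("no IPv4 inet line in ifconfig output")
    addr, _peer, mask_hex = match.groups()
    netmask = ipaddress.IPv4Address(int(mask_hex, 16))   # 0xffffff00 -> 255.255.255.0
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def rule_matches_client(ifconfig_text: str, client: ipaddress.IPv4Address) -> bool:
    """Would a rule with source 'OPT3 subnet' match traffic from this client?"""
    return client in interface_subnet(ifconfig_text)


if __name__ == "__main__":
    for label, text in (("netmask /24", IFCONFIG_SLASH24), ("netmask /32", IFCONFIG_SLASH32)):
        net = interface_subnet(text)
        print(f"{label}: OPT3 subnet = {net}, prefixlen {net.prefixlen}, "
              f"matches {CLIENT_IP}: {rule_matches_client(text, CLIENT_IP)}")
    # The literal 192.168.2.0/24 rule matches in both modes.
    print(f"{TUNNEL_NETWORK} matches {CLIENT_IP}: {CLIENT_IP in TUNNEL_NETWORK}")
```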