Want to use VPN service as WAN, can't finish setup

  • Hi all,

    I've tried searching, but haven't found help on the set up I want to create, please excuse me if it's been asked before (and direct me to the relevant thread/information).

    I want to have a pfsense installation with only one actual NIC, connected to my LAN. I want to then set up a (client?) connection to a VPN service and use that port as WAN port. Some machines on my LAN will use the pfsense LAN IP as their gateway and it should send all traffic out over the VPN connection (with NAT).

    When I install pfsense, it won't let me get through the setup, as it insists on a WAN interface, which I don't have for it yet.

    What is the best way forward?

    As a note, this will be a vm running on ESXi, so I could create a virtual NIC not connected to anything. If that helps, what would be my steps in configuring? Since the VPN service doesn't have connectivity over IPv6, the connection will go through a NAT router, so I'm leaning towards OpenVPN for the actual VPN connection.


  • LAYER 8 Global Moderator

    What?  You would need 2 interfaces.. pfsense would not connect to vpn through a lan interface.

    So how do you get internet now? Since clearly you will have to go through the internet connection to get to the vpn.

    Can you draw out your network, and where does this esxi box come into play.  How many physical interfaces does it have?  And is this VPN connection only going to be for  VMs or other physical machines?

  • I'll try to answer your questions best I can.

    Internet–---NAT router----LAN

    Connected to the LAN are the ESXi host (with one hardware NIC) as well as some other machines. The NAT router only NATs IPv4, there is also IPv6 with proper public addresses on the LAN, where the NAT router acts as a simple stateful firewall. The NAT router has 1 public IPv4 address and has a /48 IPv6 block of which 1 /64 block is used on the LAN.

    The purpose of pfsense in my scenario is that I want to route traffic to some IPv4 ranges through the VPN connection. (which I cannot set up with the current NAT router, and the NAT router I cannot replace)

    I will set up a static route for those IP ranges pointing to the LAN side of the pfsense box, which should then NAT that over the VPN connection. (the NAT router will send and ICMP redirect to whoever tries to route through it to those IPv4 ranges, which saves me setting up static routes on all boxes) Since the only the traffic the pfsense box will get is destined to go through the VPN, I don't have to specify different ranges, nor would an actual WAN be used. (OpenVPN supposedly works fine through NAT, I can also open up/forward tcp/udp ports if necessary.

    pfsense would need one LAN connection and the VPN connection would work as virtual NIC, as WAN connection. If I need 2 NICs, I could simply add another VMware NIC to the pfsense box and have it connect to the same LAN (neither NIC/address should hand out DHCP). I am unsure how pfsense would treat 2 NICs in the same IP adress range though.

    Am I still making sense?

  • Netgate Administrator

    I don't see why you couldn't so that. The definition of WAN and LAN become blurred  in this sort of setup. Consider that the WAN interface is so named only because it's usually connected to a wider network, in your case forget the interface names.

    Setup the box with only one interface, it will be named WAN because that's the first interface that is configured but just ignore that. Continue to setup your VPN connection. Now you will have two interfaces so you can configure your NAT etc. It might get 'extra fun' at that point.  ;)
    This isn't much different to using pfSense as a VPN server, where it has only one NIC but two interfaces, just in reverse.


  • LAYER 8 Global Moderator

    Sounds like a MESS..  Why can you not replace current router with pfsense?  You can then do policy based routing.

    Sounds like your wanting to some sort of router on a stick or 1 armed bandit sort of setup, etc.

  • thanks for the reactions. I'm one step further, now I just need to enable gui access on the WAN port through the shell account, as, by default, the webgui is not enabled on the WAN port and I have no other port  ;D

    It might no be as clean as having it all handled in pfsense as a router, but because of vlans on the incoming connection I cannot currently connect a pfsense box directly to my providers connection (don't have a dedicated ethernet port available, nor a managed switch).

    I do wonder though, what are "router on a stick" or "1 armed bandit" for kind of setups?

    I am still setting up my eventual system (possibly with pfsense or other software router/firewall as the connection to the outside world) I want to get some familiarity with pfsense and this seemed like a good way to do that.

    My main question though is, where do I edit the rules so I can get access to the webgui through the command line?

  • Netgate Administrator

    If you only add one interface you should be able to get to the webgui on that. There will be a default firewall rule that allows it when you have it setup in 'appliance mode'. However as soon as you add another interface it will go back to being a firewall and blocking everything on WAN so make sure you've set your own rules before that.
    If you've already added and removed another interface I'm not sure what will happen. You can always disable the firewall using:

    pfctl -d

    At the command line.
    After you added a rule to allow yourself to connect re-enable it with:

    pfctl -e

    Router on a stick usually refers to VLANs:


Log in to reply