OpenVPN client (VPN Gateway) routing

  • Right now the home internet gateway is a PFsense 2.1 FreeBsd firewall/router/proxy/VPN EXSi VM. So, I had everything working correctly in the following configuration.

    Client A, B, or C –> Wireless Router/AP (also serves as DHCP/DNS server (DNSCrypt with opendns)) --> PFsense VM (Firewall-->Squid Cache Proxy-->HAVP Parent Proxy (socket virus scanner to help prevent viruses before they hit your network)-->WAN))

    I had everything in the above scenario working successful to include NAT port forwards coming back in, Squid Proxy set to transparent mode, the only one I am going to have to remove from the picture (do not want to) is HAVP because it works once the VM is started after the initial package install, but after a restart the service will not stay up steady (further research shows the latest HAVP package has issues with the PFsense 2.1 version)

    So the next step I would like to take this is the following scenarios if even technically possible with the listed components.

    1. Client A:
      a. Client A port 80/443 -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN)
      b. Client A all other ports and protocols -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN)

    2. Client B all traffic-->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN)

    3. Client C (Chromecast or Roku Streaming Device)-->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN)

    But this is what I have gotten when I tried this with VPN, note WAN interface is set as default gateway and VPN interface just as a normal gateway.

    1. Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN) with standard interface firewall rules and transparent mode enabled on squid.

    2. Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN) with standard interface firewall rules and transparent mode disabled on squid.

    3. Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN) with interface firewall rules change to pass traffic to the VPN gateway, the VPN gateway set to default,  and transparent mode disabled on squid.

    Configuration 3’s settings above are the least ideal as I would like squid in transparent mode and the WAN as the default gateway.  In configurations 1 and 2 I tried using Floating firewall rules which are supposed to be parsed before interface rules to pass data from the LAN interface under given desired scenarios to the appropriate gateway with no success. As I understand it PFsense firewall rules are just iptable routes on the backend BSD. Also as I understand squid proxy when install sets up “blind” invisible rules in the background, when transparent mode is enable it automatically routes all HTTP/s traffic on the LAN to its local port and passes it up to the upstream interface and when not enabled static rules have to be defined which could be a lot. From testing in transparent mode it seems squid overrides firewall rules, but maybe that is inaccurate since it has its own rules in the background. I may have to get rid of squid to route everything the way I want to or maybe I just need to setup floating rules that pass specific LAN traffic to the Squid port and then have a subsequent rule that passes it from the squid port to the WAN or VPN gateways.

    If I could get the above to work what would be really cool is if I was able to define somehow on the IPtables if one of the routes/rules to the VPN Gateway loses connection it automatically falls back to the WAN gateway.

    Any ideas? Thanks