What am I missing? Scratch that… Here is what I WAS missing... Yeah, ME!
-
This may be simple to most here, but it stumped me for a couple of days (don't judge me lol!!), so I thought I would share.
The issue was that in the client export, under Host Name Resolution, I needed to select "Other" and specify my internet IP address instead of the default "Interface IP Address". I typed everything below, and when I got to the point where I was going to put some log info in, I noticed that it was trying to hit the 192.168.0.10 address and not the internet-facing address. I did need to forward the ports even though the IP of pfSense was specified in the DMZ on the router. Not sure why that is.
Begin plea for help --------------------
Here's my setup:
Internet hits my Cable Modem/Router. The internal address space of that router is 192.168.0.0/24
ESX 5.5 Server
NIC1 plugged in to the cable modem router. (WAN Interface)
NIC2 plugged in to internal switch (LAN Interface) which is in the 192.168.1.0/24 space
(Not that you care, but NIC 3 is vMotion and NIC 4 is iSCSI)
pfSense is installed in a VM on the ESX host and is working great. Internet and everything works. Interfaces show up and all is good. I have configured the cable modem router to have the IP of the pfSense machine in the DMZ. I have also forwarded 1194, 443 and 943, just in case lol.
I set up OpenVPN according to the tutorial here for RADIUS. No good. I tried to dumb it down and used the wizard to set up with auth to the local database. Exported the client for both, ran as admin (Windows) and tried the iOS clients. Still no dice.
Log stuff:
-
You are on the right track. Many cable modems, ADSL front-end devices… have this setting called "DMZ", which lets you specify an IP address on the inside LAN to forward new connections arriving from the internet. "DMZ" is the wrong name for it; it is really a 1:1 port forward, but there is nothing that can be done about this mis-naming nowadays, so many devices have called it "DMZ". I have enabled this "DMZ" on various WiMax and ADSL devices to my pfSense WAN IP. Then put rules on WAN to allow destination WAN address, port OpenVPN.
I use a dynamic DNS name to provide an outside name that points to my current public IP. Then select that when doing the client export. But if you have a static public IP, that should work fine hard-coded in the client export. -
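The two mistakes discussed in this thread (a client profile exported with the server's private interface IP as the `remote`, and a port that the upstream router does not actually forward or the WAN rules do not allow) are easy to catch before a profile is handed to a user. The script below is an added example, not part of the thread and not pfSense code: it parses the `remote` lines of an OpenVPN client profile, flags any that point at non-routable address space, and checks the port/protocol against the list of forwards you configured on the router. The two profiles and the forwarded-port set are constructed for the example; `vpn.example.net` stands in for a DDNS name.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before giving it to a
remote user: every `remote` must be reachable from the internet (not the
server's LAN/interface IP) and its port must be one the upstream router
forwards and the WAN rules allow.

Added example for the pfSense forum thread; not pfSense code. The sample
profiles and forward list below are constructed.
"""
import ipaddress
import re

# OpenVPN 2.x syntax: remote <host> [port] [proto]
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d{1,5}))?(?:\s+(\S+))?\s*$", re.IGNORECASE)
PROTO_RE = re.compile(r"^\s*proto\s+(\S+)\s*$", re.IGNORECASE)


def _norm_proto(proto):
    """Reduce udp4/udp6/tcp-client/tcp6-client etc. to plain 'udp' or 'tcp'."""
    return proto.lower().split("-")[0].rstrip("46")


def parse_remotes(profile_text):
    """Return [(host, port, proto)] for every `remote` line in the profile.
    Port defaults to 1194; proto defaults to the global `proto` line, else udp."""
    default_proto = "udp"
    for line in profile_text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            default_proto = _norm_proto(m.group(1))
    remotes = []
    for line in profile_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            host, port, proto = m.groups()
            remotes.append((host, int(port) if port else 1194,
                            _norm_proto(proto) if proto else default_proto))
    return remotes


def classify_host(host):
    """'hostname' for a DNS name (e.g. a DDNS name), 'global' for a routable IP
    literal, 'non-global' for RFC1918 / loopback / link-local / reserved space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "global" if ip.is_global else "non-global"


def check_profile(profile_text, forwarded_ports):
    """Return a list of problems; an empty list means the profile looks sane.
    forwarded_ports is a set of (port, 'udp'|'tcp') the router forwards to
    the pfSense WAN address and the WAN rules allow."""
    remotes = parse_remotes(profile_text)
    if not remotes:
        return ["no 'remote' directive: the client has nowhere to connect"]
    problems = []
    for host, port, proto in remotes:
        if classify_host(host) == "non-global":
            problems.append(
                f"remote {host} is not internet-routable: clients outside the LAN "
                "will never reach it (re-export with Host Name Resolution = Other "
                "and the public IP or DDNS name)")
        if (port, proto) not in forwarded_ports:
            problems.append(
                f"remote port {port}/{proto} is not in the router's forward list / WAN rules")
    return problems


# Constructed sample: what an export with Host Name Resolution left at
# "Interface IP Address" looks like when the WAN sits behind a NATing
# cable modem router (the situation in the thread).
BAD_PROFILE = """\
client
dev tun
proto udp
remote 192.168.0.10 1194
resolv-retry infinite
"""

# Constructed sample: the same profile exported with "Other" and a DDNS name.
GOOD_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
resolv-retry infinite
"""

# Constructed: the forwards/WAN rules from the thread (1194/udp plus 443 and 943 tcp).
FORWARDED = {(1194, "udp"), (443, "tcp"), (943, "tcp")}

if __name__ == "__main__":
    for name, text in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        print(name, check_profile(text, FORWARDED) or "OK")
```

Run it against a real `.ovpn` by reading the file into `check_profile`; a profile that passes can still fail if the WAN rule is missing or the router's "DMZ" host points at the wrong internal address, so the `forwarded_ports` set should mirror what is actually configured on the router and in the pfSense WAN rules, not what you intended to configure.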
That's a good point. I left that out. I am setting up DDNS as well. =)