Unable to Send Traffic Across VPN
I’ve been struggling trying to learn pfSense for days and it seems that very little I try actually works so I’m hoping for some help.
I subscribe to privateinternetaccess.com (PIA) and have configured OpenVPN in pfsense to connect to PIA. According to the status, it connects.
I have two LAN interfaces configured: the default LAN interface with 192.168.1.1 and a second interface with address 192.168.17.1. The goal is to have traffic from the 192.168.1.1 network go out the WAN interface normally. Traffic from 192.168.17.1 network is to go through the PIA VPN.
However, when OpenVPN is connected to PIA, I lose all Internet connectivity so I can’t even begin to tackle the routing problem. I’ve followed a few suggestions in various posts that I’ve managed to find with Google but nothing works. I’ve tried re-configuring from scratch a few times, thinking that I screwed something up but it simply will not work.
A starting point would be to get all traffic going through the VPN. From there, I can try to figure out how to split the traffic.
Any help would be appreciated.
Interface->Assign an interface to the PIA OpenVPN connection. Enable it, with IPv4 and IPv6 none. OPenVPN will deal with the IP addresses automagically. pfSense will make you a PIAGW for free.
Add a policy-routing rule, pass source LAN2net destination any gateway PIAGW.
Then you need NAT to happen for that, otherwise your private LAN2 IP addresses wil go to PIA and it cannot reply. The automatic outbound NAT does not do that for you. Firewall->NAT, Outbound - switch to Manual Outbound NAT. In 2.1 (because of an inconsistency) it will make outbound NAT rules for you on the PIA interface. Just save and go. (Underneath, Automatic Outbound NAT was not making those rules)
Note: From 2.1.1 onwards, the Manual rules generated when switching from Automatic to Manual will be the same as the underlying automatic rules. You will NOT get this little "bonus". You will have to add manual outbound rules yourself.
From 2.2 onwards there will be "hybrid" outbound NAT mode. You can keep the automatic rules generating themselves underneath, and then just add some extra manual rules for cases like this.
As it turns out, the only thing that was wrong was NAT (I already had the PIAGW assigned to LAN2).
I really appreciate the explanation for the NAT situation. I had read somewhere about setting NAT to manual but I didn't understand why. When the rules automatically appeared upon selecting Manual, I assumed that the rules were present in Automatic and if they were present in Automatic, why change to Manual? Since I'm not a NAT expert by any stretch of the imagination, it made sense to go back to Automatic rather than rely on a Manual set of rules.
I've now assigned LAN1 to WANGW an it seems that the two LAN ports are working as I had hoped. There a bunch more functionality I want to learn so I'll probably be posting more dumb questions; but that was a major hurdle.