How do I VPN only 1 host device?



  • I have 1 WAN, 1 subnet and on one of the devices (let's say 192.168.1.2), I want to use the vpn only on that device.

    Currently, OpenVPN is setup according to the StrongVPN guide stickied at the top and the VPN is connected.

    Without any changes to firewall or NAT rules, all traffic is being pushed through the VPN connection. The only thing that stops it is if I disable the interface altogether. If I try to stop the service, it turns itself back on or just simply never disconnects.

    My understanding of the way a VPN works is host-LAN-WAN-VPN, so I need to set NAT outbound for 192.168.1.2 to the VPN IP (although I'm not sure what the difference is between the virtual VPN IP and the actual VPN server IP). For incoming traffic, I need to create a firewall rule allowing all traffic in from the VPN.

    Previously, I had those firewall/NAT rules but deleted it all because it wasn't working. Now like I said, I can't get it to stop working without disabling the interface.

    What is the best solution? Multiple LAN subnets or is there a configuration solution?

    I don't know if this complicates things but my pfsense is virtualized with hyper-v using the regular network adapters (not the legacy ones).


  • @seitys:

    I have 1 WAN, 1 subnet and on one of the devices (let's say 192.168.1.2), I want to use the vpn only on that device.

    Currently, OpenVPN is setup according to the StrongVPN guide stickied at the top and the VPN is connected.

    Without any changes to firewall or NAT rules, all traffic is being pushed through the VPN connection. The only thing that stops it is if I disable the interface altogether. If I try to stop the service, it turns itself back on or just simply never disconnects.

    That's what that guide is intended to accomplish.

    If you follow that guide and change that last part, where it sets the firewall rule on LAN to gateway "LAN net" to "VPN", to instead gateway "192.168.1.2" to "VPN", followed by a rule that passes LAN net to the default gateway, you should be pretty close.



  • Usually those VPN guides have a firewall rule that passes the entire LAN (usually a /24).
    If you change that one rule to the IP address of the client you want to be VPNed (a /32) you should be golden.

    So basically…  what Derelict said....



  • It doesn't work for me. Here are my firewall rules in order from top to bottom.

    1. Protocol: IPv4, Source: Desktop (alias for 192.168.1.2), Destination: blank, Gateway: VPN
    2. Protocol: IPv4, Source: LAN net, Destination: blank, Gateway: DHCP WAN
    3. Protocol: IPv4, Source: blank, Destination: blank, Gateway: default
    4. Protocol: IPv6, Source: blank, Destination: blank, Gateway: default ipv6

    Rules 3 and 4 are there by default but I left them as is because the firewall reads the rules from top to bottom so rules 1 and 2 should take care of traffic for the entire LAN net.

    Yet, when I turn on VPN, every single device on my network passes through the VPN, not just my desktop.



  • Using manual outbound NAT?



  • Yes manual outbound NAT although I haven't added any additional outbound NAT rules.

    Currently I have 4 outbound NAT rules.

    1. Interface: WAN, Source: 127.0.0.0/8, Destination: blank, Destination Port: 500, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: Yes
    2. Interface: WAN, Source: 127.0.0.0/8, Destination: blank, Destination Port: blank, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: No
    3. Interface: WAN, Source: 192.168.1.1/24, Destination: blank, Destination Port: 500, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: Yes
    4. Interface: WAN, Source: 192.168.1.1/24, Destination: blank, Destination Port: blank, NAT Address: (my ISP WAN address here), NAT Port: Blank, Static Port: No

    These are the 4 default settings.

    Edit: partially deleted because I wasn't being accurate. I've been staring at this too long, all day, and it's making me delirious.



  • The one you had before…

    Interface: OpenVPN, Source: Desktop (my alias for 192.168.1.1), Destination: blank, Destination Port: Blank, NAT Address: (my VPN address here), NAT Port: (VPN port), Static Port: Yes

    Remake that one and put it at the top of the list.

    BTW - If 192.168.1.1 is your desktop IP, then what is the LAN IP of pfsense?

    Did you mean to type 192.168.1.2 as IP of desktop?



  • Yeah ignore what I wrote for that because the source for NAT outbound only has "any," "This Firewall (self)," and "Network" so I wasn't sure what to put there. If I put 192.168.1.0 then my entire subnet would be redirected to the VPN which is not what I want. I thought of creating a separate subnet but I was hoping I didn't have to because I think that could get messy when changing configurations.

    Edit: I'm going to try

    Interface: OpenVPN, Source: any, Translation: Desktop () and leaving everything else blank.

    Edit 2: Okay but I just thought about it. Even if I added that outbound NAT rule, it wouldn't fix anything because it translates everything from my VPN to my 1 host and then it should go down the list, where it should translate everything else to my ISP WAN IP but it doesn't do that.



  • No - you need to have the ip of the desktop in there with a /32 behind it.  And it needs to be top of list.

    Interface: VPN, Source: 192.168.1.2/32, Destination: blank, Destination Port: blank



  • Why 32? My entire subnet range is only 192.168.1.1 to 192.168.1.254.



  • OK - here is the thing.

    There is actually no need to create firewall rules if you are using manual outbound NAT.

    You can just do it on manual outbound NAT.

    Seems like you have mixed together a couple of how-to docs…

    The reason you enter a /32 behind the desktop IP is because a /32 is one IP, whereas a /24 is 255. 256 if you count 0.
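
    The following is an added example, not code from this thread or from pfSense: a small Python simulation of the two first-match lookups the posts above are arguing about (the LAN policy-routing rule list at the top of the thread, and the manual outbound NAT list). It encodes the guide's original "LAN net to VPN" rule, the "/32 first, then LAN net to default" variant suggested in the replies, and an OpenVPN-bound NAT rule, and shows which gateway and which translated source address each LAN host ends up with. The rule sets, the host addresses and the placeholder translation names (VPN_ADDR, WAN_ADDR) are all constructed for the example; the assumption that the "default" gateway leaves via WAN is the poster's single-WAN setup.

```python
"""First-match simulation of pfSense LAN policy-routing rules and manual
outbound NAT, constructed for this thread (not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FilterRule:
    """A LAN pass rule. pfSense evaluates these top to bottom, first match wins."""
    source: str    # "any" or a CIDR such as "192.168.1.2/32" or "192.168.1.0/24"
    gateway: str   # policy-routing gateway; "default" means the routing table


@dataclass(frozen=True)
class NatRule:
    """A manual outbound NAT rule. It is only consulted for packets that are
    already leaving on its interface; it never changes where a packet is routed."""
    interface: str    # "WAN" or "OpenVPN"
    source: str       # "any" or a CIDR
    translation: str  # address the source is rewritten to (placeholder names here)


def _matches(source: str, ip: ipaddress.IPv4Address) -> bool:
    return source == "any" or ip in ipaddress.ip_network(source, strict=False)


def address_count(cidr: str) -> int:
    """Why /32 versus /24 matters: the number of addresses a rule source covers."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def pick_gateway(rules: List[FilterRule], src: str) -> Optional[str]:
    """Return the gateway of the first LAN rule whose source covers src."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if _matches(rule.source, ip):
            return rule.gateway
    return None   # no pass rule matched: pfSense drops the packet


def pick_translation(rules: List[NatRule], interface: str, src: str) -> Optional[str]:
    """Return the translation of the first NAT rule bound to interface that covers src."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.interface == interface and _matches(rule.source, ip):
            return rule.translation
    return None   # no NAT rule: packet leaves with its private source address


def egress(filter_rules: List[FilterRule], nat_rules: List[NatRule],
           src: str) -> Tuple[Optional[str], Optional[str]]:
    """(gateway, source address seen on the wire) for a packet from src.
    Assumption: the default route leaves via WAN (single-WAN setup)."""
    gw = pick_gateway(filter_rules, src)
    if gw is None:
        return (None, None)
    interface = "OpenVPN" if gw == "VPN" else "WAN"
    return (gw, pick_translation(nat_rules, interface, src))


# Constructed rule sets for the example.
GUIDE_RULES = [FilterRule("192.168.1.0/24", "VPN")]            # whole LAN to the VPN
ONE_HOST_RULES = [FilterRule("192.168.1.2/32", "VPN"),         # only the desktop
                  FilterRule("192.168.1.0/24", "default")]     # everyone else
NAT_RULES = [NatRule("OpenVPN", "192.168.1.2/32", "VPN_ADDR"), # OpenVPN rule on top
             NatRule("WAN", "192.168.1.0/24", "WAN_ADDR")]
# A /24 NAT rule on OpenVPN still does not pull other hosts into the tunnel,
# because NAT is matched after the routing decision picked the interface.
WIDE_NAT_RULES = [NatRule("OpenVPN", "192.168.1.0/24", "VPN_ADDR"),
                  NatRule("WAN", "192.168.1.0/24", "WAN_ADDR")]


if __name__ == "__main__":
    for name, rules in (("guide", GUIDE_RULES), ("one host", ONE_HOST_RULES)):
        for host in ("192.168.1.2", "192.168.1.50"):
            print(f"{name:8} {host:13} -> {egress(rules, NAT_RULES, host)}")
    print("/32 covers", address_count("192.168.1.2/32"),
          "address; /24 covers", address_count("192.168.1.0/24"))
```

    Running it prints the desktop going out via VPN with VPN_ADDR under both rule sets, while 192.168.1.50 goes via VPN under the guide's rules and via the default gateway with WAN_ADDR under the one-host rules. Note that the simulation only models rule matching; it cannot reproduce the 2.2-beta behaviour discussed later in the thread.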



  • Interface: VPN, Source: 192.168.1.2/32, Destination: blank, Destination Port: blank, NAT Address: (my VPN address) NAT Port: blank

    I just added that rule and my entire network still defaults to the VPN instead of just my desktop.



  • Can you post a pic of your outbound NAT and a pic of your LAN firewall rule?



  • http://i.imgur.com/pQFlQy0.png

    http://i.imgur.com/6UHhYfz.png

    How do you post images? I'm a newb at forum stuff.



  • May I see your alias for desktop also, please?





  • In your outbound NAT, what is that 207 address?  Why doesn't that just say WAN?



  • It's my WAN IP. It says the actual IP instead of WAN because that is the default setting. If I were to remove it and add it again, it would show up as WAN, not the actual IP in numerical form. The only 3 choices in the translation section are interface IP, host alias and other subnet.



  • I'd make it WAN.

    Then I would delete those first two firewall rules you added on the LAN where you modified the gateway.

    Then try it.



  • Still the same result.

    Why are the firewall rules and NAT outbound rules redundant?

    From my understanding:

    NAT rules translates my internal IP to an externally registered IP.

    Firewall rules dictate what traffic can be allowed into my network.

    Aren't those 2 different functions?



  • perhaps this is a 2.2 weirdness.



  • okay here is something.

    Before, every how-to guide mentioned the VPN as another gateway but with the settings in how-to stickied above, the gateway was always offline. BUT, if I remove "redirect-gateway def1" from the advanced setting when configuring vpn, the gateway now shows as online.

    Now that I've done that, the opposite thing happens. Only some of the traffic is going through the VPN but my desktop IP is not showing the VPN IP. And I'm not sure what traffic is going through the VPN but its much less than before.



  • Are you opposed to posting your vpn config?



  • http://i.imgur.com/t5R0NNB.png

    http://i.imgur.com/Lz20eYt.png

    Here's what I learned in the last 5 minutes.

    If I have the NAT outbound settings like before and I have the firewall settings as before (on the LAN interface), OR if I create a firewall rule to allow any traffic in on the VPN interface, then my traffic goes directly to the VPN. I tested it by running traceroutes to google.

    However, my IP still doesn't show as my VPN IP.

    Edit: my last 2 posts on this forum logged my VPN IP but for some reason, when I run whoer.net/ext, my VPN ip doesn't show up.



  • You know…  Mine was set up really different than this.

    The server side was set up to tunnel all traffic across the vpn.

    The client side was set as remote access.

    There were no rules on the firewall set at all.

    And just a manual outbound NAT rule for the IP(s) I wanted tunneled.



  • Was your setup the same or similar to mine ie. using a external VPN service?

    Or were you connecting to another pfsense box running a openvpn server?

    Do you mind sharing your config?



  • I set it up with another of my pfsense openvpn at the server side.
    I will pull up my VM that is set up this way, verify its functioning correctly and post something here.



  • Hi,

    Been working with Seitys on the same problem at the /r/PFSENSE sub-reddit.

    He mentioned that this appears to be a bug in the pfSense 2.2 beta. It's been solved for IPv4 traffic and they will probably get this working for IPv6 soon.

    https://forum.pfsense.org/index.php?topic=80607.msg457724#msg457724
    https://redmine.pfsense.org/issues/3760

    Just thought I should update this thread.



  • Could be - I know there is a problem with replies going out over the same interfaces they come in on.
    I'm pretty excited about 2.2 once the bugs are worked out. 
    A well threaded pfsense will make a huge difference.

