Site to Site fine, but no Internet



  • Right, I have finally reached the end of my tether, after spending close to a week on this one!

    I have burnt out several browsers, PCs and DSL modems trying to search for, and find, the (probably obvious) answer to my issue!

    Please assist if possible!

    I do not have an internet connection at home, but my friend (to whom I wirelessly connect over a community wireless network) does.

    My home pfSense box (two interfaces): "lan", and "wan" (which leads to a Mikrotik RouterBoard on my roof)
    My "lan" subnet = 10.0.0.0/8 (my pfSense's "lan" IP is 10.0.0.1)
    My "wan" or wifi subnet = 172.16.5.64/26 (my pfSense's "wan" IP is 172.16.5.70)

    Friend's home pfSense box:
    Friend's "lan" subnet = 192.168.1.0/26, with 192.168.1.1 as his default gateway
    Friend's "wifi" subnet = 172.16.6.160/28 (Mikrotik RouterBoard on roof with IP of 172.16.6.164)
    Friend's "wan" NIC connects to a DSL modem and PPPoEs to the internet from the pfSense.

    I have a successfully established site-to-site vpn using the 192.168.2.0/28 subnet. The end point ip (at my friend's place) is 192.168.2.1, and the corresponding IP on my side is 192.168.2.2.

    I can successfully ping across the tunnel, and receive replies from 192.168.2.1, 2.2, and all of the systems on his network (in the 192.168.1.0/26 subnet). I can access all of my systems from his subnet, so I am 100% confident that the tunnel is working correctly.

    My default gateway is my pfSense (10.0.0.1) and his default gateway is his pfSense (192.168.1.1).

    I have used the following custom options on the openvpn server at my friend:

    push "dhcp-option DNS 192.168.2.1";push "redirect-gateway def1";push "route 192.168.2.0 255.255.255.248";push "route 192.168.1.0 255.255.255.192";verb 4;

    Now, my issue!

    I cannot, for the life of me, use his internet on my LAN. His internet is working fine (I can PPTP to the PPTP service running on his pfSense perfectly).

    I have fiddled with firewall rules, pushing routes, advanced outbound nat, etc etc etc.

    I can successfully resolve DNS using 192.168.2.1 as my DNS server, but I am unable to ping, or access anything on, the internet.

    I am sure there is something really, really simple that I have overlooked, but I just cannot seem to find the answer on these, or any other, forums (possibly because I don't know what to search for), but I have tried to read every single thread I can find which has anything to do with routing, firewall rules, OpenVPN, NAT, DNS etc…

    I have read about sending all the traffic over the vpn tunnel, but would not want to use this option, as I am sure there would be issues in accessing the resources on the community wifi lan to which I am connected. Also, there is a bandwidth cap in place on my friend's DSL, and I would hate to cause him to be capped!

    Please assist!

    If anyone needs a picture, or any further info, let me know!

    Thanks in advance!



  • sticky: http://forum.pfsense.org/index.php/topic,7001.0.html

    By default, for every local "real" interface a rule is installed that NATs from this interface to WAN.
    If you want to have internet access from multiple LAN subnets (i.e. you have a router behind pfSense with another subnet), enable Advanced outbound NAT.
    The same goes for OpenVPN if you want the OpenVPN subnet NATed to WAN.
    You need to create a rule for every subnet you want NATed.



  • Thanks for the reply! I have been trying what you have suggested, but am a little unsure of what you actually mean…

    Would it be possible for you to give me a step by step guide, which I would need to perform to both my pfSense, and my friend's pfSense?

    I think I need to enable Advanced outbound NAT on my pfSense, but am unsure of the interfaces, subnets etc. I need to specify here.
    Also, I am unsure of the corresponding settings to apply to my friend's pfSense...

    Lastly, I am not certain if I need to add any specific firewall rules (and on which of the two systems?)

    I realise this is asking a lot, but I just cannot seem to get my head around this, and if I am finding it difficult, I would guess others may too!

    Thank you for replying to my initial post, and pointing me in the right direction!

    I hope you can answer the above questions for me!



    pfSense only NATs "real" subnets (real as in physical or VLAN) which are connected directly to it.
    Every other subnet which can send traffic to pfSense but is not connected directly won't get NATed to WAN unless you create an Advanced outbound NAT rule that tells it to NAT this particular traffic.

    Nothing to do on your side:

    On your friend's side:
    Enable Advanced outbound NAT.

    Did you look at the link I provided? There is a follow-up link with a screenshot that shows how the rules have to look.
    Just have one rule for every subnet you want NATed.
    -->
    friend subnet    192.168.1.0/26
    link subnet      172.16.6.160/28
    your subnet      10.0.0.0/8
    OpenVPN subnet   192.168.2.1/? (you didn't say what subnet)

    Also make sure that you have rules on the interface that connects to you that allow the subnet you use on your side.
    EDIT: I just noticed that this is the OpenVPN interface --> you can't even add a rule --> it should just work after adding the AoN rules.
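An added illustration of the point made in the two posts above (this is example code written for this page, not something from the thread or from pfSense itself): a small Python model of what outbound NAT on the friend's pfSense does to a packet that arrives from the far side of the tunnel. The subnets are the ones given in the thread; the PPPoE WAN address 203.0.113.10 is a constructed documentation address, since the thread never states it. pf translation rules are first-match, so the model walks the rule list in order and stops at the first subnet containing the source.

```python
"""Added example: a model of pfSense outbound NAT on the friend's box.

Addresses are the ones from the thread; the PPPoE WAN address 203.0.113.10
is constructed (documentation range), the thread does not give it."""
from ipaddress import ip_address, ip_network

# Subnets attached to a "real" interface of the friend's pfSense.
FRIEND_LAN  = ip_network("192.168.1.0/26")    # his LAN, gateway 192.168.1.1
FRIEND_WIFI = ip_network("172.16.6.160/28")   # link to the RouterBoard on his roof
# Subnets that only transit his pfSense (they arrive through the OpenVPN tunnel).
OVPN_LINK   = ip_network("192.168.2.0/28")    # site-to-site tunnel addresses
YOUR_LAN    = ip_network("10.0.0.0/8")        # your LAN, behind your pfSense
YOUR_WIFI   = ip_network("172.16.5.64/26")    # your roof link

WAN_IP = ip_address("203.0.113.10")           # constructed: his PPPoE address

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    """True for private addresses that no internet router will send a reply to."""
    addr = ip_address(str(addr))
    return any(addr in net for net in RFC1918)


def automatic_nat_rules():
    """Default pfSense behaviour: one 'nat ... -> (WAN)' rule per real interface."""
    return [FRIEND_LAN, FRIEND_WIFI]


def advanced_outbound_nat_rules(subnets):
    """Advanced outbound NAT (AoN): the automatic rules are replaced by this
    list, so anything that should be NATed to WAN has to be listed explicitly."""
    return [ip_network(str(s)) for s in subnets]


def translate_source(src, rules):
    """pf translation rules are first-match: return the source as it leaves WAN."""
    src = ip_address(str(src))
    for subnet in rules:
        if src in subnet:
            return WAN_IP
    return src  # no rule matched: the packet leaves the DSL untranslated


def internet_access_from(src, aon_subnets=None):
    """Simulate a packet from `src` heading for the internet via the friend's WAN.

    Returns the source address as seen on the wire and whether a reply can
    come back (an untranslated RFC1918 source is dropped somewhere upstream,
    which looks exactly like "DNS works, but nothing else does" when DNS is
    answered by the pfSense itself)."""
    rules = (automatic_nat_rules() if aon_subnets is None
             else advanced_outbound_nat_rules(aon_subnets))
    on_wire = translate_source(src, rules)
    return {"source_on_wire": str(on_wire), "works": not is_rfc1918(on_wire)}


if __name__ == "__main__":
    print("his LAN host, automatic NAT:    ", internet_access_from("192.168.1.20"))
    print("your LAN host, automatic NAT:   ", internet_access_from("10.0.0.10"))
    print("your LAN host, AoN without 10/8:",
          internet_access_from("10.0.0.10", [FRIEND_LAN, OVPN_LINK]))
    print("your LAN host, AoN with 10/8:   ",
          internet_access_from("10.0.0.10",
                               [FRIEND_LAN, FRIEND_WIFI, OVPN_LINK, YOUR_LAN]))
```

The detail worth noticing is the third case: an AoN rule for the tunnel subnet 192.168.2.0/28 only covers packets sourced by the pfSense boxes themselves (such as a ping from 192.168.2.2), not packets from a LAN host behind them, whose source is still 10.0.0.x when it reaches the friend's WAN. That is why the 10.0.0.0/8 rule has to be listed on the friend's side.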



  • aargghh!

    I have added the following, including one which I thought may also be required (my "wan" or wireless subnet)

    friend subnet              192.168.1.0/26
    linksubnet                  172.16.6.160/28
    your wifi subnet          172.16.5.64/26
    your subnet                10.0.0.0/8
    openvpn "link" subnet    192.168.2.0/28

    "OpenVPN subnet 192.168.2.1/? (you didnt say what subnet)" - its 192.168.2.0/28 to link the two pfsense boxes

    After giving it some thought, I removed all of the above subnets which you suggested, and left only his LAN subnet, which seems to be created by default. I then added the 192.168.2.0/28 (tried both LAN and WAN for the interface here; surely the OpenVPN subnet "exists" on his LAN, and not his "wan"?).

    But to cut a long story short, none of the above combinations seemed to help at all….




    The interface on the left side specifies TO which interface the traffic will get NATed, so you want WAN here.

    Well, now you have to start troubleshooting.
    As you wrote, your OpenVPN link is working.

    First I would try to get the whole thing working without OpenVPN.
    Try to see from which point on you're unable to access the internet:

    --> your friend's side wifi subnet.
    --> your side wifi subnet.
    --> your side LAN.



  • Update!

    I managed to get it all working as I wanted, but ended up cheating in the end…

    I added routes to 0.0.0.0/1 and 128.0.0.0/1 via the OpenVPN Tunnel!

    One of these days, when I have some time, I'll try get it working the correct way!

    GruensFroeschli, thanks very much for all the assistance. I would still have been stuck without your help!
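As an added example (written for this page, not code from the thread or from pfSense), here is a longest-prefix-match model of the routing table on the home pfSense, before and after the 0.0.0.0/1 + 128.0.0.0/1 "cheat" from the post above. Two /1 routes together cover the whole address space and are more specific than the /0 default, so they win the lookup without the default having to be deleted; this is exactly what OpenVPN's `redirect-gateway def1` option (the one pushed in the first post) installs. The subnets are the ones from the thread; `WIFI_GW` (the roof RouterBoard) and `VPN_PEER` (the friend's pfSense on his wifi link) are assumed addresses, as the thread never states them.

```python
"""Added example: longest-prefix-match model of the routing table on your
pfSense, before and after the 0.0.0.0/1 + 128.0.0.0/1 "cheat".

Prefixes are the ones given in the thread.  WIFI_GW and VPN_PEER are assumed
addresses (the thread never states them)."""
from ipaddress import ip_address, ip_network

WIFI_GW  = "172.16.5.65"    # assumed: your roof Mikrotik, next hop into the community wifi
VPN_PEER = "172.16.6.161"   # assumed: the address the OpenVPN tunnel is built to


class RoutingTable:
    """Minimal FIB: the most specific (longest prefix) matching route wins."""

    def __init__(self):
        self.routes = []                      # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), next_hop))
        return self

    def lookup(self, dst):
        dst = ip_address(dst)
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


def base_table():
    """Your pfSense as described in the first post: no internet of its own,
    only a default route out over the community wifi."""
    t = RoutingTable()
    t.add("10.0.0.0/8", "lan")               # directly connected
    t.add("172.16.5.64/26", "wifi")          # directly connected (your "wan")
    t.add("192.168.2.0/28", "tun0")          # tunnel link subnet
    t.add("192.168.1.0/26", "tun0")          # friend's LAN, pushed by his server
    t.add("0.0.0.0/0", WIFI_GW)
    return t


def half_route_table(peer_host_route=True, community_prefix=None):
    """The cheat: two /1 routes beat the /0 default without deleting it.

    peer_host_route  - a /32 to the tunnel peer via the wifi gateway; without
                       it the tunnel's own encapsulated packets would be routed
                       into the tunnel (OpenVPN's def1 adds this route itself)
    community_prefix - optional more specific route that keeps other community
                       wifi subnets off the tunnel (the worry in the first post)
    """
    t = base_table()
    t.add("0.0.0.0/1", "tun0").add("128.0.0.0/1", "tun0")
    if peer_host_route:
        t.add(VPN_PEER + "/32", WIFI_GW)
    if community_prefix:
        t.add(community_prefix, WIFI_GW)
    return t


if __name__ == "__main__":
    internet = "198.51.100.5"                # constructed internet address
    print("before:", internet, "->", base_table().lookup(internet))
    print("after: ", internet, "->", half_route_table().lookup(internet))
    print("peer without /32 ->", half_route_table(peer_host_route=False).lookup(VPN_PEER))
    print("peer with /32    ->", half_route_table().lookup(VPN_PEER))
    print("other community subnet, no extra route ->",
          half_route_table().lookup("172.16.7.9"))
    print("other community subnet, with 172.16.0.0/12 ->",
          half_route_table(community_prefix="172.16.0.0/12").lookup("172.16.7.9"))
```

Two caveats the model makes visible: the directly connected wifi subnet 172.16.5.64/26 stays reachable because /26 beats /1, but any other community subnet reached through the RouterBoard is pulled into the tunnel unless a more specific route (here an assumed 172.16.0.0/12) is added; and the /32 to the tunnel peer is mandatory, otherwise the encapsulated OpenVPN packets themselves match 128.0.0.0/1 and the tunnel eats its own traffic. The routes only decide where packets go; the friend's pfSense still has to NAT 10.0.0.0/8 out of his WAN, as GruensFroeschli's posts above explain.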

