  • Hi all,
    I posted this in the firewall section but no replies so am trying here - I am not sure if I need NAT help or firewall help!

    I am new to pfsense, and have a setup briefly as follows:

    WAN comes into a router that just does routing/load balancing and hosts an L2TP VPN
    Router output goes to RED on the pfsense box which acts as my firewall and does the fancy stuff like squid etc.
    GREEN out of pfsense goes to my LAN.

    So I need to set up something on the pfSense to allow VPN users to come right through the firewall onto the LAN so VPN users have full access. I have never done anything with static routes so I'm not sure if this is what I want.

    Here's something with IP addresses:

    External static IP = 80.x.x.x --> WAN on VPN router. NATs to LAN port on VPN users have been set to pick up 192.168.91.x --> RED on pfsense set to which NATs to 192.168.1.x which is the internal LAN range.

    Anyone doing something similar? - would be very grateful for some advice. Tried the documents without much help so far.

    Additional info: I have the VPN user set as IP He can ping so he is definitely getting through the first router and can see the RED on the pfsense. But he can't ping which is the LAN card on the pfsense.

    many thanks

    PS I tried setting up the VPN on the pfsense instead but couldn't connect to it - the router itself is much more complex than the pfsense firewall so I think this would be the easier path to follow.
  • Hi,

    The best solution would be to set your router to bridge mode and let pfSense do the VPN termination, so the firewall can control all connections from outside itself.

    I have neither an L2TP setup nor double NATing, so I am not able to share any experience with that.
    However, if you want to solve it this way let us research…

    Two elementary things will be necessary to get it to work:

    • The VPN clients must know the route to the LAN network.

    • The firewall must allow this access.

    For allowing access, you have to set up a firewall rule.
    I assume your pfSense WAN net is a /24 and the VPN pool uses that same whole subnet. It would be good advice to reduce the VPN pool to e.g. a /27 or whatever you need, or better still, to use a different subnet. That makes it easier to distinguish VPN traffic from internet traffic.
    So you will have to add a rule to the WAN interface to allow access from the VPN subnet to your LAN network.
    If the VPN pool uses the whole WAN subnet you have to add additional block rules with higher priority to prevent access from the internet ( in your case) and possibly other hosts on this subnet.

    The other thing is the route at VPN client to the LAN behind pfSense.
    If your client sets the VPN server as its default gateway when establishing the connection, there should be no additional route required. Otherwise you have to set a route to the LAN subnet manually, using the pfSense's WAN IP as the gateway.
    As far as I know L2TP has no capability to push special routes from server side.
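The rule-ordering point in the reply (a pass from the VPN pool to the LAN, and block rules that must sit above it when the pool covers the whole WAN subnet) can be checked offline with a small first-match evaluator. This is an added example, not code from the thread or from pfSense; it models only the top-down, first-match evaluation pfSense applies to interface rules. The subnets follow the thread (192.168.91.x on the pfSense WAN side, 192.168.1.x LAN, a /27 pool as the reply suggests); the individual host addresses are constructed, and the non-VPN WAN host stands in for the router address the thread does not give.

```python
"""First-match evaluation of the WAN rules suggested in the reply.

Constructed example: subnets follow the thread (192.168.91.0/24 WAN side,
192.168.1.0/24 LAN), the host addresses below are made up.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    name: str


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule matching src -> dst.

    Interface rules are evaluated top-down and the first match wins; traffic
    that matches nothing hits the implicit default deny on WAN.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.name
    return "block", "implicit default deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules fully covered by an earlier rule, so they can never match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.src.supernet_of(later.src) and earlier.dst.supernet_of(later.dst):
                shadowed.append(later.name)
                break
    return shadowed


WAN_NET = ip_network("192.168.91.0/24")
VPN_POOL = ip_network("192.168.91.0/27")     # reduced pool, as the reply suggests
LAN_NET = ip_network("192.168.1.0/24")

# Placeholder for a non-VPN host on the WAN subnet (e.g. the router's inside
# address, which the thread does not give). Constructed value.
OTHER_WAN_HOST = ip_network("192.168.91.200/32")

# Variant A: pool reduced to a /27, so a single pass rule is enough and every
# other WAN-subnet host falls through to the default deny.
RULES_SMALL_POOL = [
    Rule("pass", VPN_POOL, LAN_NET, "pass VPN pool to LAN"),
]

# Variant B: pool still spans the whole /24; the block must sit above the pass.
RULES_WHOLE_SUBNET_OK = [
    Rule("block", OTHER_WAN_HOST, LAN_NET, "block non-VPN host"),
    Rule("pass", WAN_NET, LAN_NET, "pass WAN subnet to LAN"),
]

# Same two rules in the wrong order: the pass matches first, the block is dead.
RULES_WHOLE_SUBNET_WRONG = list(reversed(RULES_WHOLE_SUBNET_OK))


if __name__ == "__main__":
    vpn_client, lan_host = "192.168.91.5", "192.168.1.10"
    other_host = "192.168.91.200"
    for label, rules in [("small pool", RULES_SMALL_POOL),
                         ("whole subnet, block first", RULES_WHOLE_SUBNET_OK),
                         ("whole subnet, pass first", RULES_WHOLE_SUBNET_WRONG)]:
        print(f"[{label}]")
        print("  VPN client ->", decide(rules, vpn_client, lan_host))
        print("  other host ->", decide(rules, other_host, lan_host))
        print("  shadowed   ->", shadowed_rules(rules))
```

`shadowed_rules` reports the block rule as unreachable in the pass-first variant, which is the mistake the reply warns about; with the pool reduced to a /27 no block rule is needed at all because the remaining WAN hosts never match the pass rule.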

