Cannot get internet connectivity for LAN and VPN_LAN clients at the same time
-
I am trying to configure my first pfSense 2.2.2 install, but running into trouble with the routing of traffic when the openvpn client is configured. Basically, if I enable the VPN client, all devices in the VPN LAN have internet access, while devices in my normal LAN don't, and vice-versa. It seems that the vpn client alters the pfsense routing table, from a server push request, to force ALL traffic through the vpn_wan gateway, but if I select the -nopull option to stop that, the LAN traffic can pass out the WAN, but the LAN_VPN has no route out anymore!
What I am trying to do is the following:
-
Three local LANS.
- LAN: 10.10.10.0/24
- LAN_VPN: 10.10.20.0/24 (VPN client net)
- VPN_LAN: 10.10.30.0/24 (Remote Access clients net) -
LAN traffic reaches internet through WAN.
-
LAN_VPN traffic reaches internet through VPN_WAN.
-
Local traffic can pass between LAN, LAN_VPN, & Remote Access clients.
-
DNS resolver is used for LAN only.
-
LAN_VPN uses external DNS through VPN tunnel, assigned by interface.
Basically I have tried to follow the following guides without much luck: http://irj972.co.uk/articles/pfSense-VPN-setup & https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/.
Can anybody provide any guidance, based on the attached pics of my config??
Much appreciated.
Edit: Network diagram
NAT Outbound:
LAN Rules:
LAN_VPN Rules:
LAN_VPN DHCP:
-nopull Routing Table:
-
-
when using the -nopull option, you need to assign an interface to your openvpn instance (interfaces–>assign--><+>-->ovpncx)
then goto interfaces-->optx--> set type to 'none' ---> save
you should now have a gateway / if you don't create a gateway for the optx interface.
use the gateway in your vpn_lan firewall rulesoh yeah, you probably need to create some 'PASS' rules on the optx interface and if you have manual NAT, you'd have to sort that too
-
Thanks heper.
I think I already have that interface, named VPN_WAN, which i identify in NAT and lan_vpn already right?
If I add PASS rules on the VPN_WAN gateway, wouldn't that be only for inbound connections from the internet?? Currently I just have a block all rule…
See attached pics for VPN_WAN gateway and firewall details.![2015-05-25 08.13.47.jpg](/public/imported_attachments/1/2015-05-25 08.13.47.jpg)
![2015-05-25 08.13.47.jpg_thumb](/public/imported_attachments/1/2015-05-25 08.13.47.jpg_thumb)
-
Bump.
So referencing my LAN_VPN rules i have attached, what do I need to change to route that lan out the VPN WAN??
-
This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.
-
This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.
Diagram added.
-
There is no reason to set the gateway on your LAN rules to WAN_PPPOE. Set it back to default. If you REALLY need to policy route everything out WAN_PPPOE, you need to bypass policy routing for everything that needs to route elsewhere, such as traffic from LAN to LAN_VPN.
With one WAN there is no reason to use policy routing. Set it to default. Note that you also need to bypass policy routing on LAN_VPN if you want those hosts to be able to access any "local" resources like LAN.
https://doc.pfsense.org/index.php/What_is_policy_routing
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
What is in the VPN_DNS alias?
Are you sure you are having a traffic routing problem or a DNS problem? I am not sure about the policy routing out the VPN with the /32 routes in the table for 8.8.8.8 and 8.8.4.4 since you have those name servers "glued" to WAN_PPPOE in pfSense and you're trying to policy route the same DNS servers (Those are the servers you're giving to LAN_VPN clients via DHCP).
For instance, with the VPN connection up can you ping 208.67.222.222 from Host A2?
-
Derelict, thanks for providing some help here. I have updated the pics in my original post to reflect some changes, as directed by yourself.
Unfortunately, I still cannot get Internet connectivity out the VPN subnet, while using the -nopull option. I updated the monitor IP for the VPN_WAN gateway to 8.8.8.8, and interestingly that allows me to ping that particular IP out the VPN, but nothing else. i.e. I cannot ping 208.67.222.222 from the LAN_VPN subnet unless I set it to be the monitor IP for the VPN_WAN gateway.
What is in the VPN_DNS alias?
This was just and alias for 8.8.8.8 & 8.8.4.4
Any other hints or advice?
-
You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?
-
You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?
Nope. This is a fresh install with openvpn only.
-
Don't know, dude. It works every time I do it.