LAN routing through VPN



  • Members,
    I have a purpose-built appliance running pfSense 2.2.4 NanoBSD and I have configured it to connect to a VPN service (privateinternetaccess) using the following guide: https://forum.pfsense.org/index.php?topic=76015.0
    My intention is to route all traffic from the LAN over the VPN.
    I have a couple of questions, the first regarding the "Routing" section in the guide. I have configured as per the guide to "allow all" on the LAN to gateway to the internet via the "piavpn" gateway, but sometimes client machines that connect directly to the pfSense box disregard this rule. I have other client machines that connect to a wireless router which has its WAN side connected to the pfSense box - these machines accept the rule and do not connect to the internet should the VPN go down.
    Which leads me into my second question regarding DNS (but linked to the firewall and gateways). If the VPN goes down and tries to reconnect, the logs indicate that it cannot resolve the hostname for my VPN server. I'm presuming this is because the DNS queries are attempting to access the internet via the VPN gateway, which is of course down.
    The only way I can bring the VPN back up if it goes down is to log into the pfSense box and manually restart the connection.

    I'm new to pfSense - what a great bit of software!
    Help appreciated,

    Dan



  • @djt4071:

    I have configured as per the guide to "allow all" on the LAN to gateway to the internet via the "piavpn" gateway, but sometimes client machines that connect directly to the pfSense box disregard this rule. I have other client machines that connect to a wireless router which has its WAN side connected to the pfSense box - these machines accept the rule and do not connect to the internet should the VPN go down.

    Are all these clients connected to the same pfSense interface via a switch, and do they have IPs in the same subnet? If so, the rules must be applied to all hosts.
    If you haven't done so yet, try this: go to System > Advanced > Miscellaneous, go down to Gateway Monitoring and check "State killing on gateway failure" and "Skip rules when gateway is down".
    This should be done for your goal anyway; maybe this helps with your issue.

    @djt4071:

    Which leads me into my second question regarding DNS (but linked to the firewall and gateways). If the VPN goes down and tries to reconnect, the logs indicate that it cannot resolve the hostname for my VPN server. I'm presuming this is because the DNS queries are attempting to access the internet via the VPN gateway, which is of course down.
    The only way I can bring the VPN back up if it goes down is to log into the pfSense box and manually restart the connection.

    In the GUI go to System > General Setup; beside the DNS server entries you can select the WAN gateway from the drop-down and save the setting. A WAN gateway must be configured, of course.



  • viragomann,

    Thank you for your reply.

    @viragomann:

    Are all these clients connected to the same pfSense interface via a switch, and do they have IPs in the same subnet? If so, the rules must be applied to all hosts.

    Yes, that is correct: all clients and other routers connect to the pfSense box via a switch. However, the clients that connect directly to the pfSense box ignore the firewall rule and connect to the local internet when the VPN is down. The clients that connect to the pfSense box via a wireless router do not.

    @viragomann:

    If you haven't done so yet, try this: go to System > Advanced > Miscellaneous, go down to Gateway Monitoring and check "State killing on gateway failure" and "Skip rules when gateway is down".
    This should be done for your goal anyway; maybe this helps with your issue.

    Maybe I didn't explain this properly - I explicitly do not want any clients to connect via the WAN interface, only the pfSense box itself in order to bring up the VPN.

    @viragomann:

    In the GUI go to System > General Setup; beside the DNS server entries you can select the WAN gateway from the drop-down and save the setting. A WAN gateway must be configured, of course.

    Will this not cause DNS leakage when the VPN is up? Is there a way to temporarily allow the WAN DNS to resolve the hostname for the VPN server in the event that the VPN is down and then remove the option when the VPN is up?

    I appreciate your efforts,

    Dan



  • @djt4071:

    @viragomann:

    If you haven't done so yet, try this: go to System > Advanced > Miscellaneous, go down to Gateway Monitoring and check "State killing on gateway failure" and "Skip rules when gateway is down".
    This should be done for your goal anyway; maybe this helps with your issue.

    Maybe I didn't explain this properly - I explicitly do not want any clients to connect via the WAN interface, only the pfSense box itself in order to bring up the VPN.

    You should have defined this in a specific firewall rule, which is set to use the VPN gateway.
    The suggested settings ensure that this rule is still applied even if the VPN gateway is down.

    @djt4071:

    @viragomann:

    In the GUI go to System > General Setup; beside the DNS server entries you can select the WAN gateway from the drop-down and save the setting. A WAN gateway must be configured, of course.

    Will this not cause DNS leakage when the VPN is up? Is there a way to temporarily allow the WAN DNS to resolve the hostname for the VPN server in the event that the VPN is down and then remove the option when the VPN is up?

    Which kind of DNS leakage? This sets the DNS server your pfSense uses. It doesn't much matter if it is accessed over the VPN or directly. And it's the only way for pfSense to resolve FQDNs if the VPN is down. This is what you need. If you don't want that, set the VPN server to an IP. If it's dynamic, you will have no choice.

    If your clients use pfSense's DNS Forwarder or Resolver and want to connect to a public host when the VPN is down, they get the hostname resolved indeed, but can't connect. So what's the problem with that?
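Added illustration (not from this thread and not pfSense's actual generated ruleset) of the two points discussed above, written in pf syntax: the LAN rule pinned to the VPN gateway, what happens to it when that gateway is down, and the WAN-bound host route that lets the firewall itself resolve the VPN server's hostname. All interface names, addresses and the DNS server IP are constructed assumptions.

```pf
# Constructed example; assumed names:
#   LAN = em0, LAN subnet 192.168.1.0/24
#   PIA OpenVPN client interface = ovpnc1, VPN gateway = 10.8.0.1
#   WAN = em1, WAN gateway = 203.0.113.1
#   upstream DNS server chosen in General Setup = 198.51.100.53

lan     = "em0"
lan_net = "192.168.1.0/24"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
wan     = "em1"
dns_srv = "198.51.100.53"

# The "allow all via piavpn" LAN rule. route-to forces matching traffic
# out the VPN interface regardless of the default route, which points at WAN.
pass in quick on $lan inet from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state

# Failure mode from the thread: when the piavpn gateway is marked down,
# pfSense 2.2 by default rebuilds the rule WITHOUT route-to, i.e. as
#   pass in quick on $lan inet from $lan_net to any keep state
# so LAN traffic follows the default route out WAN. With "Skip rules when
# gateway is down" the rule is omitted entirely and the next rule decides;
# "State killing on gateway failure" also drops states already established.

# Explicit floor for the skipped case: LAN traffic is blocked and logged
# rather than silently falling through to the implicit default deny.
block in log quick on $lan inet from $lan_net to any

# DNS for the firewall itself: selecting the WAN gateway beside the DNS
# server in General Setup adds a host route, roughly equivalent to
#   route add -host 198.51.100.53 203.0.113.1
# so pfSense can resolve the VPN server's FQDN while ovpnc1 is down.
# Only queries sourced from the firewall's WAN address take this path;
# LAN hosts remain bound by the rules above.
pass out quick on $wan inet proto { tcp udp } from ($wan) to $dns_srv port 53 keep state
```

With the block rule in place, a LAN client whose traffic stops while the VPN is down shows up as a logged block on em0, which is the expected result rather than a fault.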