Unable to correctly route to VPN server behind PFsense firewall



  • Help everyone,
    I appreciate any help you can provide and if any more information is needed please let me know. I am running a pfsense box with 6 internal NICs and the newest version (recently updated). Essentially I am running a VPN server on subnet 1(1 of 5 controlled by the pfsense box). Specifically I am running Sophos UTM (running IPSec and SSL VPN). My goal is to use the Sophos(actually a VM) box only for SSL VPN and IPSec VPN while doing all routing, ect by pfsense. I also want to grant the VPN IP addresses access to subnet 1 and 2 on the pfsense box.

    I have setup port forwarding on pfsense to forward UDO 4500, 500, TCP 443, ESP and AH all to IP 10.10.10.70 (on subnet 10.10.10.0/24), this is the IP address of the only interface on the sophos box and is the interface on which the VPN servers are running. Along with these port forwarding settings I left the automatically configured firewall rules for the WAN interface and have added Allow all settings to the WAN and LAN for the subnets 10.242.2.0/24 and 10.242.4.0/24 which are the IP pools for the VPN users.

    Currently what seems to happen when I try to connect to the SSL VPN I am able to pass authentication but right after the connection just hangs as if it is waiting for a response (on the client end) until the user just disconnects due to timeout. I will attach the log to here. Additionally if anyone is wondering this is for a home lab that I use sometimes for work but not a "production" system by any means. If anyone has any suggestions about what I could be forgetting I would really appreciate it.

    Here is a log example from the client attempting to authenticate: http://pastebin.com/Ge5UxFsi

    Thank you!


  • Netgate

    Draw a diagram.



  • I am not sure if this will help very much; I simplified everything irrelevant out of the picture but here it is: http://imgur.com/nnqPc6r

    To explain what is going on in the picture:
    10.10.10.100 is the IP address I am running the Sophos VPN server (SSL and IPSec VPN) along with user portal. 10.10.10.110 is a second IP I am hoping to add to Sophos box on a second virtual NIC to seperate out the admin console but that should not be relevant. The 10.10.10.100 is using the PFsense as the gateway to get to the internet at 10.10.10.1. My goal is to allow VPN connections to various IPs and potentially entire subnets out of the two displayed there (10.10.10.0/24 & 10.10.20.0/24).

    I believe I already mentioned this but the Sophos UTM is setup with NAT masquerade leaving the 10.10.10.100 and the VPN client IPs are 10.242.2.0/24 and 10.242.4.0/24 which are controlled and given out by the Sophos box.


  • Netgate

    What happened to 10.10.10.70.

    So let me see if I understand.  You want to:

    Port forward through pfSense to the Sophos UTM on 10.10.10.100 (or 70 or whatever)
    Have VPN clients connect through pfSense to the Sophos.
    Have Sophos hairpin traffic from VPN clients to 10.10.20.0/24 back to pfSense, and have it route to the subnet with return traffic routing back to pfSense, then back to Sophos then back to pfSense and out to the internet?  Is that basically it?

    I think you should probably be asking here:

    https://community.sophos.com/products/unified-threat-management/



  • Sorry about that .70 and .100 are the same thing; I was looking at something else while making the diagram.

    I am trying to see what I may have missed on the Sophos end on their forums now but to really summarize my question regarding the PFsense portion… I basically want to run a SSL VPN & IPSec VPN server behind my pfsense, regardless if it is sophos, ect. To be able to do that correctly outside of port forwarding, and the basic firewall rules would anything else be required on the PFsense box?


  • Netgate

    Just the port forwards.  The other issues you will likely encounter are asymmetric routes, etc.  All that will have to be handled on the internal router/sophos.

    Even the list of port forwards is a Sophos issue.  Forward what they say you need to forward.

    According to your diagram the VPN clients will be issued addresses on the same subnet as the pfSense interface so you won't have to route any additional subnets over to Sophos and won't have to pass any source addresses other than your typical LAN Net.