Netgate Discussion Forum

    General questions regarding pfsense and vpn

      softballs

      Hi Everybody!

      I have a few questions, but first let me explain my network/setup. I am fairly new to pfSense, so bear with me if the questions seem stupid or asked incorrectly.

      I have a pfSense box that I have built myself (Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 8 CPUs), which is big overkill for my home network (about 5 devices connected at any time), but I could get it from work so why not. The box is running really smoothly and there is no problem with that; the problem is that when I connect it to my VPN provider I start to get 1-10% packet loss (RRD graphs -> Quality, can be different during the day). This itself does not seem to be any problem at all except that my TV hangs for a few seconds a few times every day. The VPN provider went from 4 -> 12 VPN servers a few weeks ago and now the problem is less but still there.

      My first question is:
      What would be an acceptable packet loss % when connected to a VPN? If I did not have the problem with my TV I would probably not even have noticed it.

      My second question is:
      I understand the basic firewall rule setup: open port 80 from WAN to LAN to open my local web server to the internet. But how do you do this setup when I have three interfaces (WAN, LAN, VPN)? Should I treat my VPN interface as internet and just ignore WAN? Do you need to open the port from LAN to WAN and then to VPN?

      My third question is:
      I have installed squid3 with ClamAV and have that running without any issues. In the settings most things are set to WAN, though, and I wonder if I should have this on the VPN interface instead?

      My last question is:
      I was able to have my PPTP traffic (I connect to work through a PPTP VPN) go directly through the WAN interface because I was not able to do it through my VPN interface. Can I do something similar for my TV? I know it connects to 1 of 3 different URLs and it has a static LAN IP, so from what I have seen I should be able to add an alias for the 3 URLs and then create 1 rule which makes the TV client connect through the WAN interface when communicating with those URLs?

      I hope someone had the time and energy to read all the way here, this post got longer than I first thought :) Feel free to reply with help on one or more of my questions!

      /Andreas

        PSprague

        I use IPSec; it tunnels through the public WAN, with its own firewall interface.

        Also use OpenVPN, which I found much quicker to get working correctly, especially for mobile and satellite.

        Best advice I can give is to get the pfSense book. It has numerous chapters on VPN configuration. Well worth the contribution to the pfSense project authors to save hours of messing about.

        Peter

          KOM

          1. That depends on your requirements. High loss is fine if you don't notice it ;D However, if it is causing an impact then you need to isolate the problem. For example, how stable is the route between you and the VPN provider's endpoint that you connect to? A tunneled connection won't improve line quality, so if you're getting loss or high latency when pinging then that's a problem.

          2. You have a local web server that you want to present to the Internet? I don't know how your VPN figures into it. Create a port-forward for the web server and a firewall rule on WAN to allow the traffic.

          https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

          https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          https://doc.pfsense.org/index.php/Category:NAT

          3. Sorry, I don't know much about Squid in a multi-WAN configuration.

          4. What you want sounds like policy routing.

          https://doc.pfsense.org/index.php/What_is_policy_routing

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.