Problem with synology AND policy based routing
-
I am having problem getting this to work.
pfsense 2.1.5 32 bit
4 ethernet port board, Port 1 = WAN, Port 3&4 Bridged to LAN with 192.168.1.1
Synology NAS
Private Internet Access VPN service. The OpenVPN client works well either with the "route-nopull" option or not. But if I use PBR, once a client host is put under the VPN tunnel, it cannot access the Synology NAS any more. It does not matter whether the Synology NAS is in the VPN tunnel.
It still works if the Synology is in the tunnel, as long as the client computer is not in the tunnel.
Edit:
I have tried to set the router globally going through the VPN tunnel. Then, I selectively route my computer outside of the tunnel straight to WAN. This way every device is going through the VPN except my computer. It cannot access the NAS either.
The only two situations it works are:
1. Global VPN, every device goes through the VPN
2. PBR, but only the Synology goes through the VPN, the computer stays outside the tunnel.
Any idea and help?
thanks
-
not enough info to get you any sort of help.
but:
1) update to latest release
2) stop bridging if you can, only bridge if you don't have any other option
3) draw a schematic of your setup
4) provide screenshots of your rules / vpn config
-
Thanks for jumping in to help.
I have tried version 2.2.5 64 bit. Its VPN performance is a lot worse than 2.1.5 32 bit version. I don't know why. After that experiment, I have decided to stay with 2.1.5 32 bit.
The pfsense box is in the basement, so is the Synology NAS. I have only one cable running through to upstairs. I did try with a bridged router as a switch and no bridging on the pfsense box. Same problem.
Schematic and screenshot are attached. This is for the second scenario as I described above. The pfsense box OpenVPN was configured without "route-nopull", so the default route is through PIAVPN. I have routed the Mac mini to WAN. The T5500 desktop and Synology DiskStation were left on the default route to PIAVPN. The T5500 can access the DiskStation, but the Mac mini cannot.
192.168.1.2 T5500
192.168.1.5 macmini
192.168.1.40 DiskStation
192.168.1.45 Transporter
192.168.1.50 Squeezebox
-
Here is the other scenario:
OpenVPN was configured with "route-nopull", and the T5500 desktop was routed through the VPN. In this screenshot, the DiskStation was also routed through the VPN. In reality, it doesn't matter whether the DiskStation was routed through the VPN or not. The T5500 desktop won't be able to access the DiskStation as long as it is routed through the VPN in this setup. Once I remove the T5500 from the tunnel, it will be able to access the DiskStation even when the DiskStation remains in the tunnel.
192.168.1.2 T5500
192.168.1.5 macmini
192.168.1.40 DiskStation
192.168.1.45 Transporter
192.168.1.50 Squeezebox
The same behavior happens not just to the T5500 desktop, but also to the Squeezebox, Transporter and iPad.
They can find the NAS but won't be able to make a connection.
-
If you want vpn clients to talk to your devices on your network, then you need to let them route correctly. You need to have a firewall rule that allows the traffic to go out the vpn connection before you policy route it out your vpn.
This is basic 101 PBR, it doesn't matter if the network is out a vpn connection or just another local segment. Your rules do not allow anything to route traffic before they get shoved out a specific gateway.
Create a rule that allows traffic to your tunnel network before you send them out a gateway.
-
Thanks for the pointer. Forgive my ignorance. I am NOT a computer guy at all. Would you be able to specifically describe what rules I should add in each of these setups? Take the Mac mini as an example in the scenario with no "route-nopull" option and the T5500 desktop in the other scenario.
Thanks
update:
I think I figured it out. Can you help confirm this? I added a rule on top of everything else:
Update 2:
I am not home now. I guess I can use "LAN net" to "LAN net" instead of adding individual rules. I will experiment.
-
no that is not right. Why would you need to route to lan net?? Lan talking to lan doesn't even talk to pfsense.
You need a rule that says if you're going to your vpn tunnel network address to allow it and not set a gateway. This way pfsense says oh, I have that network connected via my openvpn… Send it out that connection.
Look under diag, routes and you will see all your routes... Notice you will have your tunnel networks listed. I run 2 instances of openvpn, 1 on tcp and one on udp - I use different networks for these servers, 10.0.8 and 10.0.200, so you see them listed in the route table.
So in my case a client connects and it gets a 10.0.8.x address. So you would make a rule that allows traffic from your lan network to that network to use your default routing vs setting a gateway. Your rule says hey if you're coming from that IP (which is on your lan) and you're going to lan.. When would that ever happen?? It wouldn't!! Devices on your lan only talk to pfsense when they want to go to networks other than their local network.
-
Oh my! I am completely overwhelmed and lost. I appreciate your detailed explanation. I'll be honest, I don't really understand it. I think I would learn better with specific examples.
Do I need to revamp my current setup, or can I simply add a rule or two on top to make it work?
What is the specific rule I should add?
edit:
Under System/Routes, I see 4 gateways, NO routes at all. I am using the openvpn client to access the PIA service. This may not be the same as yours.
Would you be able to post some screenshots of your NAT and Rules as well? This seems to be pure new learning for me. I initially just followed the instructions on the PIA website to set up the VPN and another post here to set up selective routing. I noticed the problem of not being able to access my NAS anymore.
Thanks.
-
Does not freaking matter what vpn service you're using. You need to let pfsense route before you force something out a gateway. Also you need to make sure you're not getting a default route from your vpn service.
Post up your diag, routes for your ipv4 as I did a portion of.
Look here: if I want my ubuntu box on 192.168.9.7 to go out my vpn, and also talk to stuff on my other segments, be it my vpn tunnels or other local segments, create a simple rule that says source IP 192.168.9.7 going to rfc1918 address allow, no set gateway, so it will use pfsense routing to send it where it needs to go. After that I send it out the vpn connection with a rule that says anything NOT rfc1918 addresses go out the vpn gateway.
So you see I have a vpn connection with a 172 address.. When I trace from ubuntu it goes out the vpn connection then to google, when I trace to another local segment it just goes to pfsense and then to that other segment. But you see my other box on 192.168.9.100 does not trigger either of those rules and just hits the ipv4 any any rule that either routes it out my normal wan connection, or out to other segments on my network.
-
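To make the rule-ordering point above concrete, here is an added example (not from the original thread or from pfSense itself) that simulates first-match evaluation of LAN rules: the "host to RFC1918, no gateway" pass rule must sit above the "host to anything else, VPN gateway" rule, otherwise traffic to the tunnel network or another local segment is shoved out the VPN gateway and never reaches it. The addresses (192.168.9.7, 192.168.9.100, a 10.0.8.x tunnel host) are taken from the reply; the gateway names are placeholders.

```python
"""Simulate pfSense-style first-match policy routing on a LAN interface."""
from ipaddress import ip_address, ip_network

# Constructed alias: the three RFC 1918 private ranges named in the thread.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
HOST = [ip_network("192.168.9.7/32")]          # the ubuntu box from the reply
DEFAULT = "default-routing"                     # no gateway set: pfSense uses its route table


def matches(nets, addr, negate=False):
    """True if addr falls in any network of nets (inverted when negate is set)."""
    hit = any(addr in n for n in nets)
    return hit != negate


def pick_gateway(rules, src, dst):
    """Return the gateway assigned by the first matching rule (first match wins)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst, rule.get("not_dst", False)):
            return rule["gateway"]
    return "blocked"  # implicit default deny at the end of the rule set


# Working order from the reply: pass host -> RFC1918 with no gateway FIRST,
# then policy-route everything NOT RFC1918 from that host out the VPN,
# then the usual any/any rule for every other LAN device.
GOOD_RULES = [
    {"src": HOST, "dst": RFC1918, "gateway": DEFAULT},
    {"src": HOST, "dst": RFC1918, "not_dst": True, "gateway": "VPN_GW"},
    {"src": ANY, "dst": ANY, "gateway": DEFAULT},
]

# Broken order (what the original poster had): host -> any with the VPN gateway
# on top, so private destinations are forced out the tunnel too.
BAD_RULES = [
    {"src": HOST, "dst": ANY, "gateway": "VPN_GW"},
    {"src": ANY, "dst": ANY, "gateway": DEFAULT},
]

if __name__ == "__main__":
    for rules, name in ((GOOD_RULES, "good"), (BAD_RULES, "bad")):
        for dst in ("10.0.8.5", "8.8.8.8"):
            print(name, "192.168.9.7 ->", dst, "=>", pick_gateway(rules, "192.168.9.7", dst))
```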
-
rfc1918 is all the private address space 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
https://tools.ietf.org/html/rfc1918
What are you not understanding that you have to have a rule that allows it to go to your networks, before you route it out that gateway?? If you route it out that gateway how is it going to get to your networks!!!
-
I understand the rationale well. I just don't know how to do it. I don't have any networks in my route table. I don't know what to do with that. All I have are 4 gateways. This is way too much for me.
I need step-by-step instructions based on my current settings.
For whatever reason, I added a "LAN net"-"LAN net" rule on top of everything. It works. It uses the VPN gateway and allows me to access the NAS at the same time. Is there anything I should worry about with this?
Thanks for your patience. Happy holidays!
edit: found the IPv4 table. What should I do with the "destination" area in order to include all rfc1918 addresses?
-
dude create an alias and put whatever networks you want in it… I have an alias I created that I put all the rfc1918 networks in.
-
I have been using "alias". I thought you had a SMARTER way of doing that.
Isn't "LAN net" doing exactly the same or more? I got the clue from your first reply, and it works. I thought creating a rule of "LAN net" to "LAN net" would allow any communications between any local IPs. I think it is working as intended.
Happy Holidays
-
Dude LAN never talks to pfsense to talk to LAN. No it's not the same thing. Client on 192.168.0.0/24 doesn't talk to pfsense to go to 192.168.0.0/24 ??
Smarter way to create an alias for a list of networks?