Netgate Discussion Forum

Problem with synology AND policy based routing

General pfSense Questions
15 Posts 3 Posters 5.1k Views
  • T
    tigs
    last edited by Dec 24, 2015, 2:01 PM Dec 24, 2015, 1:54 PM

    Here is another scenario:

    OpenVPN was configured with "route-nopull", and the T5500 desktop was routed through VPN. In this screenshot, the Diskstation was also routed through VPN. In reality, it doesn't matter whether the Diskstation was routed through VPN or not. T5500 desktop won't be able to access Diskstation as long as it is routed through VPN in this setup. Once I remove T5500 from the tunnel, it will be able to access Diskstation even when the Diskstation remained in the tunnel.

    192.168.1.2 T5500
    192.168.1.5 macmini
    192.168.1.40 DiskStation
    192.168.1.45 Transporter
    192.168.1.50 Squeezebox

    The same behavior happens not just to T5500 desktop, but also to squeezebox, transporter and ipad.

    They can find the NAS but won't be able to make connection.

    [Screenshots attached: Untitled2.jpg, vpn 2.jpg, NAT 2.jpg, NAS.jpg, rule 2.jpg]

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Dec 24, 2015, 2:09 PM

      If you want vpn clients to talk to your devices on your network, then you need to let them route correctly.. You need to have a firewall rule that allows the traffic to go out vpn connection before you policy route it out your vpn.

      This is basic 101 PBR, doesn't matter if the network is out a vpn connection or just another local segment..  Your rules do not allow anything to route traffic before they get shoved out a specific gateway.

      Create a rule that allows traffic to your tunnel network before you send them out a gateway.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • T
        tigs
        last edited by Dec 24, 2015, 3:51 PM Dec 24, 2015, 2:45 PM

        @johnpoz:

        If you want vpn clients to talk to your devices on your network, then you need to let them route correctly.. You need to have a firewall rule that allows the traffic to go out vpn connection before you policy route it out your vpn.

        This is basic 101 PBR, doesn't matter if the network is out a vpn connection or just another local segment..  Your rules do not allow anything to route traffic before they get shoved out a specific gateway.

        Create a rule that allows traffic to your tunnel network before you send them out a gateway.

        Thanks for the pointer. Forgive my ignorance. I am NOT a computer guy at all. Would you be able to specifically describe what are the rules I should add in each of these setups? Take Mac mini as an example in the scenario with no "route-nopull" option and T5500 desktop in the other scenario.

        Thanks

        update:

        I think I figured it out. Can you help confirm this? I added a rule on top of everything else:

        Update 2:

        I am not home now. I guess I can use from LAN net to LAN net instead of adding individual rules. I will experiment.

        [Screenshot attached: Untitled.jpg]
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Dec 24, 2015, 3:54 PM

          no that is not right.. Why would you need to route to lan net??  Lan talking to lan doesn't even talk to pfsense..

          You need a rule that says if you're going to your vpn tunnel network address to allow it and not set a gateway.. This way pfsense says oh, I have that network connected via my openvpn… Send it out that connection..

          Look under diag, routes and you will see all your routes... Notice you will have your tunnel networks listed..  I run 2 instances of openvpn, 1 on tcp and one on udp - I use different networks for these server 10.0.8 and 10.0.200  so you see them listed in the route table.

          So in my case a client connects it gets a 10.0.8.x address..  So you would make a rule that allows traffic from your lan network to that network to use your default routing vs setting a gateway.  your rule says hey if you're coming from that IP (which is on your lan) and you're going to lan..  When would that ever happen??  It wouldn't!!  Devices on your lan only talk to pfsense when they want to go to networks other than their local network..

          [Screenshot attached: vpnrouting.png]
          • T
            tigs
            last edited by Dec 24, 2015, 5:38 PM Dec 24, 2015, 5:07 PM

            Oh my! I am completely overwhelmed and lost. I appreciate your detailed explanation. I'll be honest, I don't really understand it. I think I would learn better with specific examples.

            Do I need to revamp my current setup, or can I simply add a rule or two on top to make it work?
            What is the specific rule I should add?

            edit:

            Under system/routes, I see 4 gateways, NO routes at all. I am using openvpn client to access PIA service. This may not be the same as yours.

            Would you be able to post some screenshots of your NAT and Rules as well? This seems to be pure new learning for me. I initially just followed the instructions on the PIA website to setup VPN and another post here to setup selective routing. I noticed the problem of not being able to access my NAS anymore.

            Thanks.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Dec 24, 2015, 8:00 PM

              Does not freaking matter what vpn service you're using..  You need to let pfsense route before you force something out a gateway..  Also you need to make sure you're not getting default route from your vpn service..

              Post up your diag, routes for your ipv4 as I did portion of..

              Look here if I want my ubuntu box on 192.168.9.7 to go out my vpn, and also talk to stuff on my other segments.. be it my vpn tunnels or other local segments create a simple rule that says source IP 192.168.9.7 going to rfc1918 address allow no set gateway so it will use pfsense routing to send it where it needs to go.  After that I send it out the vpn connection with rule that says anything NOT rfc1918 addresses go out the vpn gateway.

              So you see I have a vpn connection with a 172 address.. When I trace from ubuntu it goes out the vpn connection then to google, when I trace to another local segment it just goes to pfsense and then to that other segment.  But you see my other box on 192.168.9.100 does not trigger either of those rules and just hits the ipv4 any any rule that either routes it out my normal wan connection, or out to other segments on my network.

              [Screenshot attached: examplepbr.png]
              • T
                tigs
                last edited by Dec 24, 2015, 10:30 PM Dec 24, 2015, 9:53 PM

                here are some screenshots. By the way, what is your "rfc1918 address"?

                [Screenshots attached: Untitled.jpg, Untitled2.jpg, Untitled3.jpg]
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Dec 25, 2015, 6:27 AM

                  rfc1918 is all the private address space  192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

                  https://tools.ietf.org/html/rfc1918

                  What are you not understanding that you have to have a rule that allows it to go to your networks, before you route it out that gateway??  If you route it that gateway how is it going to get to your networks!!!

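                  The rule ordering johnpoz describes in the two posts above, as an added example that is not part of the thread and not pfSense code: a minimal first-match simulation of LAN rules. Hosts follow his example (192.168.9.7 policy-routed out the VPN, 192.168.9.100 not, 10.0.8.0/24 his OpenVPN tunnel network); the gateway name, the 10.0.8.5 client address and the public IP are constructed placeholders.

```python
"""Added example (not pfSense code): first-match evaluation of LAN rules,
showing why the allow-to-RFC1918 rule must sit above the policy-routing
rule. Gateway names and sample addresses beyond johnpoz's are constructed."""
import ipaddress

# The RFC 1918 alias johnpoz describes.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def host(ip):
    return lambda a: ipaddress.ip_address(a) == ipaddress.ip_address(ip)

def any_addr(a):
    return True

def not_private(a):
    return not is_private(a)

def rule(name, src, dst, gateway=None):
    """gateway=None means 'default': let the pfSense routing table decide."""
    return {"name": name, "src": src, "dst": dst, "gateway": gateway}

def route_decision(rules, src, dst):
    """pfSense LAN rules are first-match: return the gateway of the first hit,
    'default' when the rule sets none, or 'blocked' if nothing matches."""
    for r in rules:
        if r["src"](src) and r["dst"](dst):
            return r["gateway"] or "default"
    return "blocked"

# Before: the host is policy-routed first, so traffic to local segments or the
# VPN tunnel network never reaches the routing table (the thread's symptom).
BROKEN = [
    rule("ubuntu out VPN", host("192.168.9.7"), any_addr, "VPN_GW"),
    rule("LAN any any", any_addr, any_addr),
]

# After: allow RFC 1918 destinations with no gateway set, then policy-route
# only non-private destinations out the VPN gateway.
FIXED = [
    rule("ubuntu to rfc1918", host("192.168.9.7"), is_private),
    rule("ubuntu out VPN", host("192.168.9.7"), not_private, "VPN_GW"),
    rule("LAN any any", any_addr, any_addr),
]
```

                  With BROKEN, 192.168.9.7 reaching 10.0.8.5 is handed to the VPN gateway; with FIXED it falls through to normal routing while 203.0.113.10 still leaves via the VPN.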
                  • T
                    tigs
                    last edited by Dec 25, 2015, 4:38 PM Dec 25, 2015, 3:58 PM

                    @johnpoz:

                    rfc1918 is all the private address space  192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12

                    https://tools.ietf.org/html/rfc1918

                    What are you not understanding that you have to have a rule that allows it to go to your networks, before you route it out that gateway??  If you route it that gateway how is it going to get to your networks!!!

                    I understand the rationale well. I just don't know how to do it. I don't have any networks in my route table. I don't know what to do with that. All I have are 4 gateways. This is way too much for me.

                    I need step-by-step instructions based on my current settings.

                    For whatever reason, I added a "LAN net"-"LAN net" rule on top of everything. It works. It used Vpn gateway and allows me to access the NAS at the same time. Is there anything I should worry about with this?

                    Thanks for your patience. Happy holidays!

                    edit: found the IPV4 table. What should I do with the "destination" area in order to include all rfc1918 addresses?

                    [Screenshots attached: Untitled.jpg, firewall rule entry.jpg]
                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Dec 25, 2015, 6:09 PM

                      dude create an alias and put whatever networks you want in it… I have an alias I created that I put all the rfc1918 networks in.

                      • T
                        tigs
                        last edited by Dec 25, 2015, 6:41 PM

                        @johnpoz:

                        dude create an alias and put whatever networks you want in it… I have an alias I created that I put all the rfc1918 networks in.

                        I have been using "alias". I thought you had a SMARTER way of doing that.

                        isn't "LAN net" doing exactly the same or more? I got the clue from your first reply, and it works. I thought creating a rule of "LAN net" to "LAN net" would allow any communications between any local IPs. I think it is working as intended.

                        Happy Holidays

                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Dec 25, 2015, 9:35 PM

                          Dude LAN never talks to pfsense to talk to LAN..  No it's not the same thing..  Client on 192.168.0.0/24 doesn't talk to pfsense to go to 192.168.0.0/24 ??

                          Smarter way to create an alias for a list of networks?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.