Firewall traffic being routed over OpenVPN Client - confused



  • Hey guys, so currently I created an openvpn peer-to-peer client to PIA, with that being setup, I have rules in place for certain vlan's to use the PIA as gateway, some without.

    This works fine.

    The issue is when I'm connected to pfsense via SSH using tunneling, all outbound traffic is going through the PIA gateway.  I can't find any rules in the firewall that pertains to firewall itself or SSH on where that routes to.

    Any idea how to change this not to use PIA openvpn?



  • You have the default route set to PIA gateway?
    You can check it in Diagnostic > Routes.

    Maybe you get it pushed from PIA server. To avoid this go to the client settings and check "Don't pull routes".



  • @viragomann:

    You have the default route set to PIA gateway?
    You can check it in Diagnostic > Routes.

    Maybe you get it pushed from PIA server. To avoid this go to the client settings and check "Don't pull routes".

    The first entry is 0.0.0.0/1 and GW is the PIA server

    Next is default with GW as my WAN PPPoE modem.

    Unsure what is 0.0.0.0/1 ?



  • The way right now with SSH tunneling being routed through PIA is actually good, since that's what I initially wanted when I connect remotely to pfsense to do SSH tunnel.  I just want to know if there's a choice to change this setting.  Or maybe just run SSH server on another box inside my network rather than on FW.



  • 0.0.0.0/1 is 0.0.0.0 - 127.255.255.255.
    You may have also this entry: 128.0.0.0/1

    Together they are the whole IPv4 range or it is the default route.



  • @viragomann:

    0.0.0.0/1 is 0.0.0.0 - 127.255.255.255.
    You may have also this entry: 128.0.0.0/1

    Together they are the whole IPv4 range or it is the default route.

    Yes I have them both, so why is PIA being the default gateway for those?  Or how do I set PIA not to become the default GW?



  • As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".



  • @viragomann:

    As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".

    That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?



  • You want establish the connection from inside the your LAN or from pfSense itself?



  • @viragomann:

    You want establish the connection from inside the your LAN or from pfSense itself?

    pfSense itself because I'm using the SSHD from pfsense remotely for tunneling, socks5 proxy on a browser.  I don't see anyway in rules or firewall to change something pertaining to pfsense itself.



  • As far as I know, connections from pfSense are always routed to the default gateway.
    I don't know any way to change this behavior.



  • @viragomann:

    As far as I know, connections from pfSense are always routed to the default gateway.
    I don't know any way to change this behavior.

    Yeah that's too bad then, I would either have PIA make route changes or run the SSHD on another machine which I can apply firewall rules.



  • Yeah. If your SSH destination has a static IP you can add a static route in pfSense to derict it to the gateway you want.



  • @FlashEngineer:

    @viragomann:

    As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".

    That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?

    to establish that you need to

    • assign & enable  an interface to your openvpn connection (if you haven't done so already): IPv4/v6 Configuration Type=none & uncheck 'Block private networks'.
    • restart your openvpn service. (might not be required)

    you should now have an automagical gateway for your openvpn.
    use policy routing to decide what traffic goes over you vpn & what goes out your regular wan.
    https://doc.pfsense.org/index.php/What_is_policy_routing



  • @heper:

    @FlashEngineer:

    @viragomann:

    As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".

    That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?

    to establish that you need to

    • assign & enable  an interface to your openvpn connection (if you haven't done so already): IPv4/v6 Configuration Type=none & uncheck 'Block private networks'.
    • restart your openvpn service. (might not be required)

    you should now have an automagical gateway for your openvpn.
    use policy routing to decide what traffic goes over you vpn & what goes out your regular wan.
    https://doc.pfsense.org/index.php/What_is_policy_routing

    This was already done since I can direct traffic from various vlans to either openvpn or wan.  It doesn't help in the case where the internal SSH server which resides on pfsense, essentially has no "interface" to change rules to direct to a specific gateway.  Unless you know something I don't?


  • Netgate

    The SSH server in pfSense is for managing the firewall. Nothing more.



  • @Derelict:

    The SSH server in pfSense is for managing the firewall. Nothing more.

    There is permission to allow tunneling only, which is exactly what I need at certain situations where openvpn is not an option.

    Again, the only issue is, all traffic is routed through default gateway.



  • @FlashEngineer:

    @Derelict:

    The SSH server in pfSense is for managing the firewall. Nothing more.

    There is permission to allow tunneling only, which is exactly what I need at certain situations where openvpn is not an option.

    Again, the only issue is, all traffic is routed through default gateway.

    Can I ask why you don't just forward a port to an internal device running your SSH server?

    If the intent is to tunnel internet traffic only, I would set up a small VM or RaspberryPi running sshd on its own subnet, then set firewall rules to only allow traffic out through the PIA gateway (i.e. completely block local traffic). This seems better from a security point-of-view than exposing SSH on pfSense to the world. And if your SSH server is somehow compromised, it shouldn't be able to access the rest of your LAN.

    If you're using the tunnel to access resources on the LAN, set rules accordingly. I still think it's a safer option.



  • It's to access both, LAN resources and also internet.  I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.

    I tried RPI but the performance is pretty bad compared to my main machine.  Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput.  I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.

    RPI at most gives 17mbps



  • i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)

    anyhow you could try floating rules. don't select any interface /  dir:out / quick / dst-port:22 / gw: PIA



  • @heper:

    i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)

    anyhow you could try floating rules. don't select any interface /  dir:out / quick / dst-port:22 / gw: PIA

    Tried a bunch, nothing really works.  I suspect it's only the default gateway route is the only thing will change.



  • @FlashEngineer:

    It's to access both, LAN resources and also internet.  I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.

    I tried RPI but the performance is pretty bad compared to my main machine.  Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput.  I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.

    RPI at most gives 17mbps

    Well, if you don't mind throwing some money at the problem, an Intel NUC would probably fit the bill. I'm not sure what processor you would need to get to hit those speeds, but power consumption should be around 5W idle (based on reviews).

    What are you running pfSense on?



  • @zayrn9efir:

    @FlashEngineer:

    It's to access both, LAN resources and also internet.  I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.

    I tried RPI but the performance is pretty bad compared to my main machine.  Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput.  I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.

    RPI at most gives 17mbps

    Well, if you don't mind throwing some money at the problem, an Intel NUC would probably fit the bill. I'm not sure what processor you would need to get to hit those speeds, but power consumption should be around 5W idle (based on reviews).

    What are you running pfSense on?

    I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.



  • @FlashEngineer:

    @heper:

    i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)

    anyhow you could try floating rules. don't select any interface /  dir:out / quick / dst-port:22 / gw: PIA

    Tried a bunch, nothing really works.  I suspect it's only the default gateway route is the only thing will change.

    got it working with sort of the floating rule i talked about but set statetype to none



  • @FlashEngineer:

    I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.

    I was going to suggest ESXi + pfSense + SSH server, but I have no idea what else you're running on your router or what your normal bandwidth utilization is. That's a pretty capable CPU, so it might be worth a try. If you do, I'd love to hear how it performs.



  • @zayrn9efir:

    @FlashEngineer:

    I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.

    I was going to suggest ESXi + pfSense + SSH server, but I have no idea what else you're running on your router or what your normal bandwidth utilization is. That's a pretty capable CPU, so it might be worth a try. If you do, I'd love to hear how it performs.

    Yeah I tried going that route with my previous FW Zeroshell but the additional layer on top isn't something I want to deal with, especially when it's only adding one extra ssh server.

    I chose the C2758 because pfsense sells it as well.  Basically 2nd highest unit they have, so why not use same hardware?

    I have various OpenVPN tunnels running so mainly that's what the FW is for, plus intervlan switching, don't really want to mess with L3 ACL on my C2960X switch.



  • @heper:

    @FlashEngineer:

    @heper:

    i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)

    anyhow you could try floating rules. don't select any interface /  dir:out / quick / dst-port:22 / gw: PIA

    Tried a bunch, nothing really works.  I suspect it's only the default gateway route is the only thing will change.

    got it working with sort of the floating rule i talked about but set statetype to none

    Doesn't work for me.. are you remotely ssh in and creating a tunnel to use?



  • i'm using ssh to connect to pfsense from LAN. then from pfSense i ssh to a host on the internet by routing through a site-2-site openVPN tunnel. no ssh-tunneling involved, but i doubt it matters.

    i did forget to mention i had to manually add a NAT entry for the vpn-interface so that it would also NAT the WAN-address of the def gw. (because automagically, it doesn't )