Firewall traffic being routed over OpenVPN Client - confused
-
Hey guys, so currently I created an openvpn peer-to-peer client to PIA, with that being setup, I have rules in place for certain vlan's to use the PIA as gateway, some without.
This works fine.
The issue is when I'm connected to pfsense via SSH using tunneling, all outbound traffic is going through the PIA gateway. I can't find any rules in the firewall that pertains to firewall itself or SSH on where that routes to.
Any idea how to change this not to use PIA openvpn?
-
You have the default route set to PIA gateway?
You can check it in Diagnostic > Routes.Maybe you get it pushed from PIA server. To avoid this go to the client settings and check "Don't pull routes".
-
You have the default route set to PIA gateway?
You can check it in Diagnostic > Routes.Maybe you get it pushed from PIA server. To avoid this go to the client settings and check "Don't pull routes".
The first entry is 0.0.0.0/1 and GW is the PIA server
Next is default with GW as my WAN PPPoE modem.
Unsure what is 0.0.0.0/1 ?
-
The way right now with SSH tunneling being routed through PIA is actually good, since that's what I initially wanted when I connect remotely to pfsense to do SSH tunnel. I just want to know if there's a choice to change this setting. Or maybe just run SSH server on another box inside my network rather than on FW.
-
0.0.0.0/1 is 0.0.0.0 - 127.255.255.255.
You may have also this entry: 128.0.0.0/1Together they are the whole IPv4 range or it is the default route.
-
0.0.0.0/1 is 0.0.0.0 - 127.255.255.255.
You may have also this entry: 128.0.0.0/1Together they are the whole IPv4 range or it is the default route.
Yes I have them both, so why is PIA being the default gateway for those? Or how do I set PIA not to become the default GW?
-
As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".
-
As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".
That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?
-
You want establish the connection from inside the your LAN or from pfSense itself?
-
You want establish the connection from inside the your LAN or from pfSense itself?
pfSense itself because I'm using the SSHD from pfsense remotely for tunneling, socks5 proxy on a browser. I don't see anyway in rules or firewall to change something pertaining to pfsense itself.
-
As far as I know, connections from pfSense are always routed to the default gateway.
I don't know any way to change this behavior. -
As far as I know, connections from pfSense are always routed to the default gateway.
I don't know any way to change this behavior.Yeah that's too bad then, I would either have PIA make route changes or run the SSHD on another machine which I can apply firewall rules.
-
Yeah. If your SSH destination has a static IP you can add a static route in pfSense to derict it to the gateway you want.
-
As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".
That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?
to establish that you need to
- assign & enable an interface to your openvpn connection (if you haven't done so already): IPv4/v6 Configuration Type=none & uncheck 'Block private networks'.
- restart your openvpn service. (might not be required)
you should now have an automagical gateway for your openvpn.
use policy routing to decide what traffic goes over you vpn & what goes out your regular wan.
https://doc.pfsense.org/index.php/What_is_policy_routing -
As I mentioned above, maybe you get it pushed from the PIA server. Go to the client settings and check "Don't pull routes".
That fixes it, but now say I want SSH from pfsense to go through PIA as default, how would I do that in the firewall rules?
to establish that you need to
- assign & enable an interface to your openvpn connection (if you haven't done so already): IPv4/v6 Configuration Type=none & uncheck 'Block private networks'.
- restart your openvpn service. (might not be required)
you should now have an automagical gateway for your openvpn.
use policy routing to decide what traffic goes over you vpn & what goes out your regular wan.
https://doc.pfsense.org/index.php/What_is_policy_routingThis was already done since I can direct traffic from various vlans to either openvpn or wan. It doesn't help in the case where the internal SSH server which resides on pfsense, essentially has no "interface" to change rules to direct to a specific gateway. Unless you know something I don't?
-
The SSH server in pfSense is for managing the firewall. Nothing more.
-
The SSH server in pfSense is for managing the firewall. Nothing more.
There is permission to allow tunneling only, which is exactly what I need at certain situations where openvpn is not an option.
Again, the only issue is, all traffic is routed through default gateway.
-
The SSH server in pfSense is for managing the firewall. Nothing more.
There is permission to allow tunneling only, which is exactly what I need at certain situations where openvpn is not an option.
Again, the only issue is, all traffic is routed through default gateway.
Can I ask why you don't just forward a port to an internal device running your SSH server?
If the intent is to tunnel internet traffic only, I would set up a small VM or RaspberryPi running sshd on its own subnet, then set firewall rules to only allow traffic out through the PIA gateway (i.e. completely block local traffic). This seems better from a security point-of-view than exposing SSH on pfSense to the world. And if your SSH server is somehow compromised, it shouldn't be able to access the rest of your LAN.
If you're using the tunnel to access resources on the LAN, set rules accordingly. I still think it's a safer option.
-
It's to access both, LAN resources and also internet. I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.
I tried RPI but the performance is pretty bad compared to my main machine. Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput. I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.
RPI at most gives 17mbps
-
i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)
anyhow you could try floating rules. don't select any interface / dir:out / quick / dst-port:22 / gw: PIA