Firewall traffic being routed over OpenVPN Client - confused
-
i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)
anyhow you could try floating rules. don't select any interface / dir:out / quick / dst-port:22 / gw: PIA
Tried a bunch, nothing really works. I suspect it's only the default gateway route is the only thing will change.
-
It's to access both, LAN resources and also internet. I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.
I tried RPI but the performance is pretty bad compared to my main machine. Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput. I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.
RPI at most gives 17mbps
Well, if you don't mind throwing some money at the problem, an Intel NUC would probably fit the bill. I'm not sure what processor you would need to get to hit those speeds, but power consumption should be around 5W idle (based on reviews).
What are you running pfSense on?
-
It's to access both, LAN resources and also internet. I do have a hardened SSH sever running on a machine but I wanted to shutdown that machine that's for solely running SSHD as it draws 50-60watts.
I tried RPI but the performance is pretty bad compared to my main machine. Not sure if there's some lower wattage draw device I can use that can give at least 70-90mbps throughput. I have 300/100 fiber connection and at remote location it's about 700/700 fiber, so you understand my performance requirements.
RPI at most gives 17mbps
Well, if you don't mind throwing some money at the problem, an Intel NUC would probably fit the bill. I'm not sure what processor you would need to get to hit those speeds, but power consumption should be around 5W idle (based on reviews).
What are you running pfSense on?
I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.
-
i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)
anyhow you could try floating rules. don't select any interface / dir:out / quick / dst-port:22 / gw: PIA
Tried a bunch, nothing really works. I suspect it's only the default gateway route is the only thing will change.
got it working with sort of the floating rule i talked about but set statetype to none
-
I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.
I was going to suggest ESXi + pfSense + SSH server, but I have no idea what else you're running on your router or what your normal bandwidth utilization is. That's a pretty capable CPU, so it might be worth a try. If you do, I'd love to hear how it performs.
-
I'm running it off a C2758 with 16GB ram and 8 total ethernet(4 on board), 4 extra pci-e supermicro card.
I was going to suggest ESXi + pfSense + SSH server, but I have no idea what else you're running on your router or what your normal bandwidth utilization is. That's a pretty capable CPU, so it might be worth a try. If you do, I'd love to hear how it performs.
Yeah I tried going that route with my previous FW Zeroshell but the additional layer on top isn't something I want to deal with, especially when it's only adding one extra ssh server.
I chose the C2758 because pfsense sells it as well. Basically 2nd highest unit they have, so why not use same hardware?
I have various OpenVPN tunnels running so mainly that's what the FW is for, plus intervlan switching, don't really want to mess with L3 ACL on my C2960X switch.
-
i see, you don't like things easy, doing stuff that everyone else avoids is your thing. ;)
anyhow you could try floating rules. don't select any interface / dir:out / quick / dst-port:22 / gw: PIA
Tried a bunch, nothing really works. I suspect it's only the default gateway route is the only thing will change.
got it working with sort of the floating rule i talked about but set statetype to none
Doesn't work for me.. are you remotely ssh in and creating a tunnel to use?
-
i'm using ssh to connect to pfsense from LAN. then from pfSense i ssh to a host on the internet by routing through a site-2-site openVPN tunnel. no ssh-tunneling involved, but i doubt it matters.
i did forget to mention i had to manually add a NAT entry for the vpn-interface so that it would also NAT the WAN-address of the def gw. (because automagically, it doesn't )