OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: fbeye on July 06, 2023, 07:27:26 PM

Title: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 06, 2023, 07:27:26 PM
Hello

Just wanted to verify I am doing this right, or if there is a more legitimate way.
All I am doing is under LAN 'outbound' I am assigning said LAN IP to have 'wan' gateway, not nordvpn gateway.
It has been working thus far (have I been lucky?) but then my girlfriend's laptop, with the same IP on this bypass setup, was denied by Hulu for being on a VPN... But it isn't!!! [at least based upon how I said I did it].
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: Bob.Dig on July 06, 2023, 07:55:48 PM
Maybe show the alias and your LAN rules? And check with whatsmyip or similar.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 06, 2023, 08:42:42 PM
I will look into that.

This is my home network, very small and simple, so I have not used aliases thus far, just IPs because I know each IP to each device; neither here nor there. I will look into aliases either way.
I will test your recommendation; when all is set as I believe it is, I will see what the "whatsmyip" results are.
For now, my LAN Rule...

Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 06, 2023, 08:50:45 PM
LAN
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: Bob.Dig on July 06, 2023, 08:55:38 PM
I guess I would put the last rule first, and how did you manage to have this many gateways?
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 06, 2023, 09:46:00 PM
The last rule is obsolete because LAN-to-LAN traffic is handled by your switch and not by the router (OPNsense in this case).
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 06, 2023, 10:05:24 PM
Hi!

I have a block of 8 static IPs (5 usable), so really my [main] LAN uses WAN_PPPOE, which with NordVPN active uses that, so I gave the IPs in question the gateway of WAN_PPPOE to bypass the NordVPN, for Hulu/Netflix.
I mean I may be doing it wrong, but it works [?], BUT I am absolutely open to suggestion.

Unless 1.) OPNSense made that last LAN-to-LAN rule obsolete or 2.) NordVPN did, I did not, so I suppose I will remove it and see how it goes.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: Bob.Dig on July 06, 2023, 10:18:09 PM
Quote from: vpx23 on July 06, 2023, 09:46:00 PM
The last rule is obsolete because LAN-to-LAN traffic is handled by your switch and not by the router (OPNsense in this case).
At least in my mind, the firewall's interface is included here, so it would serve some purpose.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 07, 2023, 04:35:07 PM
Morning.

So was the way I was doing it right? I made an alias for the 4 IPs that I want "out" of the NordVPN (and they are set statically on the devices): 2 x TV, 1 x XBox and 1 x GF laptop. Is my way the right way? Simply making a LAN "out" rule to use the WAN_PPPOE as their GW to bypass the NordVPN GW, or is there a setting/config in the NordVPN/OpenVPN to exclude IPs?
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 07, 2023, 07:00:07 PM
We need to know what WAN_PPOE (interface or gateway?), 178_Out, 180_OUT, 179_Out and NORDVPN_VPN4 are, or we won't get any further. I'm not sure if there are actually any gateways set up under System->Gateways->Single.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 07, 2023, 09:58:03 PM
WAN_PPPOE = the gateway by default for the OPNSense, what EVERY IP in the 192.168.5.0 network uses by default. x.x.x.182

178_Out = x.x.x.178; I have 192.168.5.178 use 178_Out for it to have outbound/inbound on THAT WAN IP. When I do not set it, it may have its correct WAN IN, but when I check whatsmyip, it shows .182, not .178. So that is that.
180_Out = x.x.x.180 (192.168.5.180), 179_Out = x.x.x.179 (192.168.5.179)
NORDVPN_VPN4 = the automatically created WAN/gateway when I set up OpenVPN with NordVPN... When enabled, ALL of 192.168.5.0 use it for Internet..... I am wanting to exclude several LAN IPs from the NORDVPN, so I make said LAN IPs use WAN_PPPOE as the gateway, so as to not be on the VPN.
I am sorry, I really am unsure what to explain as far as what details are important. I hope this makes sense.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 07, 2023, 11:34:18 PM
OK,

1. Show us a screenshot of System->Gateways->Single
2. Show us a screenshot of Interfaces->WAN
3. Show us a screenshot of your VPN->OpenVPN (->Clients?) configuration
(black out any passwords)

www.whatismyip.com will show the public IP address of your WAN interface, not your private address inside the LAN.

Also you can't have the source address of your LAN devices as a gateway. Are these xxx_Out aliases in Firewall->Aliases?
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 02:54:58 AM
VPN currently down until I figure this out... No aliases for xxx_out, I just use the IPs as I know them by heart.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 03:13:41 AM
What I want to do in the grand scheme of things;

NONVPN (my actual WAN) - 192.168.5.2-100
OpenVPN (States VPN) - 192.168.5.101-150
OpenVPN (OffShore VPN) - 192.168.5.151-200
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 03:48:02 PM
First you need to create 3 host aliases, just call them as you listed:

Name: NONVPN
Content: 192.168.5.2-192.168.5.100

Name: OpenVPN_USA
Content: 192.168.5.101-192.168.5.150

Name: OpenVPN_INT
Content: 192.168.5.151-192.168.5.200

In the LAN rules change the source of #1 to NONVPN.

In rule #5 change the source to OpenVPN_INT and the destination to any (to be changed later).

In rule #6 change the source to OpenVPN_USA.

Delete the rules #2, #3, #4 and #7

Delete the Out-Gateways because they don't make any sense.

Now you just have to get your USA OpenVPN working and add another one for your offshore VPN.

Enter the gateway for the offshore VPN in the rule with the OpenVPN_INT source.
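The layout above relies on two things the thread circles around: host aliases that carve the LAN into ranges, and the fact that OPNsense evaluates LAN rules top to bottom with the first matching rule deciding the gateway (which is why Bob.Dig suggested moving the broad rule). The following is an added illustration, not code from the thread or from OPNsense itself: a small first-match evaluator that uses the alias names and ranges vpx23 listed and the gateway name NORDVPN_VPN4 from the thread. The rule ordering, the "LAN net" subnet of 192.168.5.0/24, and the gateway name OFFSHORE_VPN4 for the second VPN are assumptions made for the example.

```python
"""
Added example (not from the forum thread or the OPNsense project): a toy
first-match evaluator that mimics how OPNsense/pf walks LAN rules top to
bottom, so an alias-and-gateway layout can be sanity-checked before it is
entered in the firewall.  Alias names/ranges and NORDVPN_VPN4 come from the
thread; the rule tables, the LAN subnet and OFFSHORE_VPN4 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Host aliases exactly as vpx23 listed them, plus an assumed "LAN net".
ALIASES = {
    "NONVPN": "192.168.5.2-192.168.5.100",
    "OpenVPN_USA": "192.168.5.101-192.168.5.150",
    "OpenVPN_INT": "192.168.5.151-192.168.5.200",
    "LAN net": "192.168.5.0/24",  # assumed LAN subnet from the thread's 192.168.5.x hosts
}


def alias_matches(content: str, ip: ipaddress.IPv4Address) -> bool:
    """Match one alias entry: an 'a-b' range, a CIDR network, or a single host."""
    if "-" in content:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in content.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(content, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    source: str                 # alias name or "any"
    gateway: Optional[str]      # None = default gateway (WAN_PPPOE in the thread)
    description: str = ""


def first_match(rules: List[Rule], src_ip: str) -> Optional[Rule]:
    """OPNsense rules are 'quick' by default, so the first rule whose source
    matches decides the packet; later rules are never consulted."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.source == "any" or alias_matches(ALIASES[rule.source], ip):
            return rule
    return None


def chosen_gateway(rules: List[Rule], src_ip: str, default_gw: str = "WAN_PPPOE") -> str:
    """Report where a host's outbound traffic would be sent under this rule set."""
    rule = first_match(rules, src_ip)
    if rule is None or rule.action != "pass":
        return "blocked (no matching pass rule)"
    return rule.gateway or default_gw


# Rule table in the shape vpx23 describes (ordering assumed for the example).
GOOD_RULES = [
    Rule("pass", "NONVPN", None, "bypass the VPN: plain WAN"),
    Rule("pass", "OpenVPN_INT", "OFFSHORE_VPN4", "assumed name of the offshore VPN gateway"),
    Rule("pass", "OpenVPN_USA", "NORDVPN_VPN4", "existing NordVPN gateway"),
]

# The ordering mistake Bob.Dig warned about: a broad "LAN net" rule placed
# first swallows every host, so the NONVPN bypass below it is never reached.
BAD_RULES = [
    Rule("pass", "LAN net", "NORDVPN_VPN4", "catch-all placed first"),
    Rule("pass", "NONVPN", None, "never reached"),
]


if __name__ == "__main__":
    for host in ("192.168.5.50", "192.168.5.120", "192.168.5.180", "192.168.5.250"):
        print(f"{host:15} good order -> {chosen_gateway(GOOD_RULES, host)}")
        print(f"{host:15} bad order  -> {chosen_gateway(BAD_RULES, host)}")
```

Running it shows 192.168.5.50 leaving via WAN_PPPOE under the intended ordering but via NORDVPN_VPN4 once a catch-all rule sits above the bypass, which is the symptom the laptop in this thread exhibited. A host outside every alias (192.168.5.250) is reported as blocked, a reminder that the default deny still applies to anything the aliases do not cover.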
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 06:06:49 PM
Morning..

Ok, two questions... You mention deleting rule #7; I do not see 7 :(

You mention deleting the Out gateways..... I can easily do so, but maybe my NAT is wrong, because if I remove them, all those IPs have x.x.x.182 as "what's my IP" but they are supposed to have their own. I.e. 192.168.5.178 should also have WAN x.x.x.178; without the out rule, it does not. Maybe my NAT is wrong?
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 06:57:02 PM
Rule #7 was the LAN net to LAN net, maybe you already deleted it?

https://whatsmyip.com shows your private address?

Please show a screenshot of both https://whatsmyip.com and https://ipchicken.com
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 08:02:44 PM
So, I made a WITH_Out_rule and a WITHOUT_Out_Rule. You can see, without my [wrongly made?] rule, my whatsmyip does not align with the said IP. I.e. 192.168.5.180 should also be x.x.x.180, but when the rule is disabled, it uses the default WAN IP. In this case, it is on the VPN.
Also, for me, the significance of my OUT NEEDING to be correct is, my email server won't outbound.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 09:24:41 PM
After reading your very first thread about the Cisco FPR1010 I understand that you actually got a /29 subnet from your ISP with 8 addresses (1x network address, 1x broadcast address, 6x usable addresses).

x.x.x.176 network address
x.x.x.177 server #1 (Virtual IP bound to WAN) - 1:1 NAT to 192.168.5.177
x.x.x.178 server #2 (Virtual IP bound to WAN) - 1:1 NAT to 192.168.5.178
x.x.x.179 server #3 (Virtual IP bound to WAN) - 1:1 NAT to 192.168.5.179
x.x.x.180 server #4 (Virtual IP bound to WAN) - 1:1 NAT to 192.168.5.180
x.x.x.181 server #5 (Virtual IP bound to WAN) - 1:1 NAT to 192.168.5.181
x.x.x.182 is your public WAN IP for all clients
x.x.x.183 broadcast address
y.y.y.27 Gateway to ISP

It was just very confusing because it looked like you used your private addresses as gateway when you just used the same number for the last octet of both public and private IP.

I'm not sure if the Virtual IPs themselves can be set as a gateway.

Please show us the Virtual IP settings for e.g. x.x.x.180 for better understanding.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 09:36:30 PM
The Cisco FPR was just something I was using and wanted to know if it could be ...flashed... to install OPNSense; I am not using it at all. But yeah..

Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 09:58:16 PM
So what is the problem now, only the one GF laptop getting the VPN address instead of the WAN address, or something else?
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 10:05:17 PM
Well, aside from it being "messy", i.e. not being organized with aliases etc., does it all look legit?
Is me using the LAN w/ _OUT gateways the right way, or should that be under outbound:nat?

Yeah, her laptop kept saying she was on a VPN even though her IP was added to the "bypass" list. Have not tried it since; maybe it was a glitch. My 2 TVs are bypassing correctly.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 10:29:37 PM
If it's all working I don't see a problem. As you use 1:1 NAT, an outbound NAT configuration is not needed, as also described here: https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 10:36:24 PM
I guess what sticks in my mind is, if I have 1:1 NAT, x.x.x.180 to 192.168.5.180, shouldn't outbound automatically go to its NATed IP, or is it normal for it [LAN IP] to default to the default WAN gateway [x.x.x.182]? I guess I would assume that without any LAN rule, a LAN IP should default in and out as its NATed IP. But maybe in the real world, outgoing is irrelevant [generally speaking, unless let's say an email server], so it does not matter what outgoing is, as most things are coming IN, which 1:1 NAT handles correctly.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 08, 2023, 11:03:24 PM
I'm not very experienced with Virtual IPs, but I guess when the packet is sent out, the FW looks up which interface the Virtual IP is bound to and then sends out the packet over this interface. Due to the 1:1 NAT rule it should change the source address to the right one.

Just test it on one of your servers, go to https://whatsmyip.com then change the gateway in the LAN rule to any and see if the IP changes.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 08, 2023, 11:38:54 PM
Yes, so 192.168.5.180 (has 1:1 NAT w/ x.x.x.180) will indeed show whatsmyip as x.x.x.178 or x.x.x.179 if I set the LAN "out" to them, and without any LAN rule will either be x.x.x.182 if VPN is off, or 45.86.210.117 if using VPN. So I think what you say makes sense. Unless defined, any outgoing resolves to the default WAN interface IP (of the FW?) or whatever VPN said FW/WAN interface IP is.

So I suppose, until otherwise informed:
1. I have my NAT or whatever wrong, and it SHOULD go out the same IP as is designated in, without a LAN rule.
2. It is correct that outgoing will always be, unless defined, the default WAN/interface IP, and so my LAN OUT rules are correct.
3. My stuff works correctly, meaning outgoing does need to be defined, but I am doing it wrong regardless.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: vpx23 on July 09, 2023, 08:27:38 AM
Is "Upstream Gateway" checked in NORDVPN_VPNV4? If yes then uncheck it and test again.
Title: Re: Excluding specific LAN IP's from using NordVPN (OpenVPN) as their WAN IP.
Post by: fbeye on July 09, 2023, 04:53:22 PM
Interesting, it was not checked.

So I was looking into what we spoke about earlier, having multiple VPN connections. Would I need to create multiple interfaces for each VPN (1 States, 1 Europe) or just multiple clients under VPN:OPENVPN:CLIENTS... And then would I do multiple under the MAIN existing client or have separate clients?
For fun, ALL I did was, under Clients, create a NEW one, but nowhere can I find out how to select that one, which leads me to believe I would need an interface for EACH client.