OPNsense Forum

English Forums => General Discussion => Topic started by: john230873 on July 21, 2019, 09:20:43 pm

Title: [Solved] Trying to replace pfsense box with opnsense box
Post by: john230873 on July 21, 2019, 09:20:43 pm
Hi, I’ve been trying to replace my current setup I have with pfsense to opnsense and I seem to be hitting a brick wall with my openvpn connection playing nicely with my other networks.
My full network consists of:
•   Isolated guest network that needs to see the wifi controller on the native network
•   Isolated security camera network
•   Isolated IoT network
•   Always up VPN network
•   Native network (for day to day activity)
All of the above networks are VLANed off from each other.

The hardware setup I have is an Intel NUC running ESXi, and pfsense is just a virtual machine with 6 virtual network cards.
The rest of the network is made up of Unifi gear (switches and APs).
The pfsense router is the last/first internal hop.

To break this down to something I could work with, these are the main building blocks I needed:
•   1 ISP
•   VPN account with Nordvpn
•   1 native network
o   The native network should not use or know about the VPN gateway
•   1 VPN network
o   Computers on the VPN network should be able to see computers on the LAN network
o   Computers on the VPN network should not be able to access any external address if the VPN link goes offline.
On pfsense I have been able to achieve this mainly by:
•   Setting up the openvpn client (I haven’t selected Pull routes, this will become more important later)
•   Setting up new opt interfaces
•   Not setting up a NAT Outbound rule for the VPN network (this is to prevent it using the network when down)
•   Forcing the VPN rules to push via the NORD_DHCP gateway (push all traffic to the NORD_DHCP gateway if possible)
•   Setting the standard WAN gateway as the default gateway (allows my other interfaces to work correctly when * is picked for default gateway)
All works a treat :)

I then tried to replicate the setup on opnsense and ran into these issues.
The main issue I'm seeing is due to having more than the one network; if I only had one I think this would kind of work, but I don't, so here I am :)
When I follow NordVPN's samples, they say "select Pull routes" on the OPENVPN client.
When I do this it appears the default address of the router now becomes the OPENVPN address and all traffic tries to route via it; I saw this by running the traceroute commands against each interface in the diagnostic menu. I did make sure that the native WAN gateway was set to default first.
I can kind of make this work by changing the all-traffic rule in my normal LAN firewall rules to exit via WAN_DHCP, but then I ran into a problem with my DNS not working, so I needed to add a rule above this one to say DNS traffic needed to use the default gateway (*). Then the native network worked fine. However, the guest network I couldn't get working.
I had a look at the routing table and I see a 0.0.0.0/1 to use the OPENVPN IP.

When I follow my pfsense setup I see that the OpenVPN client doesn't have "Pull routes" selected, so if I leave it off like pfsense, this time nothing travels via the VPN interface when doing a traceroute, not even the NORDVPN interface. This is the difference I can see between pfsense and opnsense: in pfsense the NordVPN interface knows enough to use the OpenVPN client for this interface even when routes aren't pulled.

I’ve tried 19.1 and 19.7 and both versions provide the same outcomes.

Any suggestions here would be appreciated.
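Added example (not code from the thread or from OPNsense): a longest-prefix-match lookup over a constructed routing table, showing why the pulled 0.0.0.0/1 and 128.0.0.0/1 routes mentioned above capture all Internet-bound traffic even while the WAN gateway is still the 0.0.0.0/0 default. Interface names, subnets and gateway addresses are assumptions made up for the example.

```python
# Added example: longest-prefix-match over a constructed routing snapshot,
# modelled on the poster's description (WAN still default, OpenVPN client
# has pulled two /1 routes, LANs directly connected). All values are made up.
import ipaddress

ROUTES = [
    # (prefix, gateway, interface, gateway name as shown in OPNsense)
    ("0.0.0.0/0",       "203.0.113.1", "vmx0",   "WAN_DHCP"),   # default gateway
    ("0.0.0.0/1",       "10.8.0.1",    "ovpnc1", "NORD_DHCP"),  # pulled by OpenVPN
    ("128.0.0.0/1",     "10.8.0.1",    "ovpnc1", "NORD_DHCP"),  # pulled by OpenVPN
    ("192.168.10.0/24", None,          "vmx1",   "LAN"),        # directly connected
    ("192.168.20.0/24", None,          "vmx2",   "GUEST"),
    ("192.168.30.0/24", None,          "vmx3",   "VPN_LAN"),
]

def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway, iface, name) of the most specific matching route,
    the same way the kernel picks a next hop: longest prefix wins, so a /1
    beats the /0 default even though the /0 is the 'default gateway'."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, name in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface, name)
    if best is None:
        return None
    net, gw, iface, name = best
    return (str(net), gw, iface, name)

def redirected_via(routes=ROUTES):
    """Name the gateway that owns BOTH 0.0.0.0/1 and 128.0.0.0/1, or None.
    Both halves on one gateway means every non-local destination is being
    redirected there, regardless of which gateway is marked as default."""
    halves = {r[0]: r[3] for r in routes if r[0] in ("0.0.0.0/1", "128.0.0.0/1")}
    if len(halves) == 2 and len(set(halves.values())) == 1:
        return next(iter(halves.values()))
    return None

if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", "192.168.20.5"):
        print(dst, "->", lookup(dst))
    print("all Internet traffic redirected via:", redirected_via())
```

Running the check against the table with the two /1 routes removed (routes not pulled) shows the same destinations falling back to WAN_DHCP, which matches the behaviour the poster describes for each setting.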
Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: mimugmail on July 21, 2019, 09:52:59 pm
Do you have a gateway rule selecting which traffic to travel over the tunnel?
Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: john230873 on July 21, 2019, 11:43:54 pm
Unsure if I fully understand your question, is this setting the default gateways in the firewall rules?
Or is this the setting under the gateway page (I don't have the interface in front of me)?

Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: mimugmail on July 22, 2019, 06:42:23 am
You can add a Firewall rule to match traffic which should walk through VPN and at the bottom you can select a gateway. That's it :)
Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: john230873 on July 22, 2019, 07:29:22 am
ta, tried this and got:
With not pulling the routes this doesn't work.
When pulling the routes this works, but all the rules that have * to use the default gateway now try to use the OPENVPN gateway; telling them to use only the WAN gateway instead of * stuffs up internal features being delivered from the router such as DNS.

When I'm not pulling the routes, then setting the default gateway in the rules to use OPENVPN doesn't achieve anything.


Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: mimugmail on July 22, 2019, 08:42:58 am
You have to pull the routes but you don't have to add them (there are two checkboxes).
Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: john230873 on July 22, 2019, 11:16:33 am
thanks for the suggestions, yes I believe I've always had "Don't add/remove routes" unchecked, however I will do this again later and recheck the routing table.

It is odd that I don't need to pull the route for my pfsense router and it works as I would have expected.
Title: Re: Trying to replace pfsense box with opnsense box but openvpn acts differently
Post by: john230873 on July 23, 2019, 08:16:55 pm
After a lot of trial and error I tracked down the problem I was having. Turned out to be in the NAT Outbound rules. To create the manual internal rules I thought “This firewall” would be the correct source address, however when I used this as the source I got all the behaviour as above. To repair this I changed the source from “this firewall” to 127.0.0.0/8 and all LANs and gateways routed as I expected.
 :) :) :) :) :) :) :) :) :) :) :) :) :) :)