1
General Discussion / Re: NordVPN Tutorials/Instructions?
« on: August 02, 2019, 08:59:00 am »
You dont need to set dhcp as tunnel does this all for you.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
General Discussion / Re: NordVPN Tutorials/Instructions?
« on: August 01, 2019, 08:46:38 pm »
Hope this helps, I used their instructions and then added some extra notes on it to get the final bits working.
Notes:
Need to unclick "Automatically generate a shared TLS authentication key." in TLS Authentication
after adding client check to make sure it is running under
VPN ==> OpenVPN ==> Connection Status
Only thing done under the interface is to enabled and give a new name
Check under the Dashboard and you should see a NordVPN VPN4 and VPN6 Gateway, if following this you will see they will not have an address, you need to restart the OPNVPN client after creating the Interfaces, hence go and restart and recheck the status here to see an IP pop up against the VPN4 gateway
In Service ==> Unbond DNS ==> General
needed to uncheck IPv6 Link-local
In outgoing interfaces make sure to select the Nord VPN interface you named above and not the OpenVPN client.
In Firewall ==> Rules ==>
select the NordVPN VPN4 as the default gateway
Under System ==> Settings ==> General
For both 103.86.96.100 & 103.86.99.100 Use gateway:None
This is what I found after using the instructions
At this stage I could ping ips (e.g. 8.8.8.
but I couldn't reslove names.
Check traceroutes and saw the default interface was pushing everything down VPNtunnel
I flick backed into the VPN client and select "Don't add/remove Routes"
restarted the firewall
Still no DNS so added an extra rule at the top of the LAN network
Protocol IPV4*
Source LAN Net
Default LAN Net
Gateway Default
DNS kicked back in and I could browse to Nordvpn.com and confirm I was protected.
Last step for me is to go into System ==> Gateways ==> Single and disable the Nord VPN6 gateway.
Notes:
Need to unclick "Automatically generate a shared TLS authentication key." in TLS Authentication
after adding client check to make sure it is running under
VPN ==> OpenVPN ==> Connection Status
Only thing done under the interface is to enabled and give a new name
Check under the Dashboard and you should see a NordVPN VPN4 and VPN6 Gateway, if following this you will see they will not have an address, you need to restart the OPNVPN client after creating the Interfaces, hence go and restart and recheck the status here to see an IP pop up against the VPN4 gateway
In Service ==> Unbond DNS ==> General
needed to uncheck IPv6 Link-local
In outgoing interfaces make sure to select the Nord VPN interface you named above and not the OpenVPN client.
In Firewall ==> Rules ==>
select the NordVPN VPN4 as the default gateway
Under System ==> Settings ==> General
For both 103.86.96.100 & 103.86.99.100 Use gateway:None
This is what I found after using the instructions
At this stage I could ping ips (e.g. 8.8.8.
but I couldn't reslove names.Check traceroutes and saw the default interface was pushing everything down VPNtunnel
I flick backed into the VPN client and select "Don't add/remove Routes"
restarted the firewall
Still no DNS so added an extra rule at the top of the LAN network
Protocol IPV4*
Source LAN Net
Default LAN Net
Gateway Default
DNS kicked back in and I could browse to Nordvpn.com and confirm I was protected.
Last step for me is to go into System ==> Gateways ==> Single and disable the Nord VPN6 gateway.
3
General Discussion / Re: Single openVPN client restart with cron
« on: August 01, 2019, 07:56:07 pm »
opps - wrong topic 
4
General Discussion / Re: NordVPN Tutorials/Instructions?
« on: August 01, 2019, 06:48:39 pm »
In the beginning due to my network setup (1DMZ, 1 VPN ,1 Guest, 1 IoT) I had decent issues so in the end I went from 19.1 to follow word by word the instructions and then upgraded to 19.7 but after the upgrade it was broken and I needed to fix it.
I thinking due I will try fresh so give me an hour and I'll let you know how I get on with 19.7
I thinking due I will try fresh so give me an hour and I'll let you know how I get on with 19.7
5
General Discussion / Re: Firewall rules, Have I read this wrong or just doing it the hard way
« on: August 01, 2019, 06:44:56 pm »
Thanks guys,
Mdriricki, you answer works, for non floating rules you can limit what goes in "e.g. only one direction"
Maurice, Ta I didn't see that topic Maurice, It doesn't mention floating rules but does imply this is the only real way I can see for now until the feature is introduced.
Mdriricki, you answer works, for non floating rules you can limit what goes in "e.g. only one direction"
Maurice, Ta I didn't see that topic Maurice, It doesn't mention floating rules but does imply this is the only real way I can see for now until the feature is introduced.
6
General Discussion / Re: NordVPN Tutorials/Instructions?
« on: August 01, 2019, 10:40:56 am »
Did you get it working as i use nordvpn and it works fine for me
7
General Discussion / [Answered] Firewall rules, Have I read this wrong or just doing it the hard way
« on: July 31, 2019, 09:22:50 pm »
Hi, from the reading I have done with testing to confirm, for me when I have Guest network and DMZ network it seems the only way to truly lock them down is to use floating rules.
For ease or reading in this "Interface" is referring to a logical interfaces setup inside opnsense, "Network port" then I referring to the physical network port (or logical if opnsense is virtualised) coming into the firewall from the outside world.
From what I can tell, the normal firewall rules only work on traffic received from the network port and not coming from the interfaces (e.g. intervlan communication).
If I have this correct then when creating a DMZ I prefer to be able to set this up once and know that no traffic can get to this network or come out of this network once it has been set.
With the standard rules on the DMZ interface I can make sure no traffic can go to any other network but I can't stop other traffic coming in, this needs to be done on each other interface.
This means that when ever a new interface is created I need to remember all the networks that need to be isolated and create new rules for them to make sure they stay isolated.
Have I got this correct ?
For now I've flicked over to floating rules for these networks and basically said any traffic going to this network not from this network is blocked.
Is this the best way or I'm I looking at this old school?
For ease or reading in this "Interface" is referring to a logical interfaces setup inside opnsense, "Network port" then I referring to the physical network port (or logical if opnsense is virtualised) coming into the firewall from the outside world.
From what I can tell, the normal firewall rules only work on traffic received from the network port and not coming from the interfaces (e.g. intervlan communication).
If I have this correct then when creating a DMZ I prefer to be able to set this up once and know that no traffic can get to this network or come out of this network once it has been set.
With the standard rules on the DMZ interface I can make sure no traffic can go to any other network but I can't stop other traffic coming in, this needs to be done on each other interface.
This means that when ever a new interface is created I need to remember all the networks that need to be isolated and create new rules for them to make sure they stay isolated.
Have I got this correct ?
For now I've flicked over to floating rules for these networks and basically said any traffic going to this network not from this network is blocked.
Is this the best way or I'm I looking at this old school?
8
General Discussion / Re: Single openVPN client restart with cron
« on: July 31, 2019, 08:57:16 pm »
Don't know if it helps but I found when the OPENVPN interface went down they just start using the standard gateway. I got around this by creating a new vlan only for the VPN clients and not OUTBOUND natting this vlan (all the rest of the setup was normal). Could this be what you are seeing when you down the interface, them flicking to another gateway to get out?
9
General Discussion / Re: Virtual to physical
« on: July 31, 2019, 08:44:11 pm »
New to opnsense but expect this will be the same as pfsense. As Bart said your interfaces could change this can be because you are going from physical nics to a vlan setup or the virtual nic just loads in different orders.
If you were heading down this track I would take a good back and then try your new setup. Have a look at the how the interfaces are setup with their names and then in a text editor take a copy of the backup and in this substitute the old names with the new, load and test.
Next check that the interfaces are still using the correct virtual nics and are going to the correct networks as their order might have changed, easy to check using the Mac addresses.
If you were heading down this track I would take a good back and then try your new setup. Have a look at the how the interfaces are setup with their names and then in a text editor take a copy of the backup and in this substitute the old names with the new, load and test.
Next check that the interfaces are still using the correct virtual nics and are going to the correct networks as their order might have changed, easy to check using the Mac addresses.
10
General Discussion / Port forward using extrenal DNS from the LAN
« on: December 07, 2018, 05:34:42 am »
Hi, I have a simple external DNS domain set up and in opnsense I have some simple port forward rules set up.
I then have some application on my phone that use these port forward rules. They work fine on the public network (e.g. coming in on the WAN) but when I'm on the LAN they don't seem to reverse back in to the LAN network.
Any idea what I could be doing wrong here.
I then have some application on my phone that use these port forward rules. They work fine on the public network (e.g. coming in on the WAN) but when I'm on the LAN they don't seem to reverse back in to the LAN network.
Any idea what I could be doing wrong here.
Pages: [1]