Topics - agrumpyhermit

1
19.7 Legacy Series / VPN without pull routes enabled
« on: January 08, 2020, 12:07:13 am »
I am trying to use PIA VPN service with "Don't pull routes" checked. With that unchecked it works as expected. My goal is to be able to use firewall aliases/rules to direct what traffic uses the VPN and what doesn't, rather than having all traffic sucked into the VPN. I'm using 19.7.8. I didn't find my answer from reading the many threads on here and PF. I've read the HOW TO thread 4979 at least 4 times.

I created a new VPN client and it connects fine. I then set up an interface for it to name it and left the interface enabled. No other interface settings touched. I also created an alias for PCs to use the VPN and verified the alias in pfTables. I haven't touched the DNS settings, which are pointed to PIA's servers already.

NAT - I have 4 new rules with the new interface. 2 have Source = 127.0.0.0/8 and one of those has destination port = 500 with static port checked. The other 2 new NAT rules have Source = VPN alias list and one is port = 500/static. All 4 are at the top of the list.

On the 2nd two rules, I have experimented with changing the source to LAN net and my LAN interface group. I did that because the working VPN's NAT source = (LAN interface group name) net. Neither has worked.

System>Gateways>Single shows the interface as online. I have no Gateway groups yet, though if I can get this working I plan to with multiple VPN client gateways for load balancing & failover.

Firewall>Rules>LAN - At the top of the list I put a pass/in/IPv4 rule with the new VPN client gateway set. I've tried setting source as the VPN alias list, LAN net, Group-name net. I have tried this rule with source variations on the interface group rules too, where I would prefer it be.

I have 3 Floating rules. The top one is pass any direction, IPv4* to destination LAN-group net, with "*" for the source, ports, and gateway. The 2nd is pass any direction IPv4 TCP/UDP to all "*". The 3rd is the same as the 2nd, except ICMP instead of TCP/UDP. I don't recall if or why I set these rules, probably a few years ago. I disabled the top rule with no noticeable impact. If I disable the bottom, ICMP rule, my connection cuts in and out every other second. If I disable the middle, TCP/UDP rule, I lose my connection and the OPNsense GUI. I have to SSH in and reload all services to get the GUI back. Sometimes I briefly get the VPN connection after reload, but not consistently. I lose the GUI again within a minute or two.

I tried adding a floating rule for the VPN on top of the TCP/UDP rule and got almost the same as disabling the TCP/UDP rule. The difference was that I couldn't get the GUI back by reloading services. I SSHed in and restored a config from 20 minutes prior. That's when I came to ask for help.

Is there a better way to achieve my goal of controlling VPN traffic and disabling pull routes? I don't care if I can't make it work the way I've been trying so long as I can get it to work. Or can someone please identify where I went wrong and teach me how to fix it?

2
19.7 Legacy Series / VPN use on 19.7
« on: July 25, 2019, 07:16:33 pm »
I was hoping someone as ignorant as I am about port forwarding would have asked this already but I can't find it. I upgraded to 19.7 last week, aware of the change with OpenVPN now needing to use localhost with port forwarding, but apparently over-optimistic about my ability to do it. Though I've set the VPN client and interface to disabled for now so I can get online, I have everything back to being set according to the older post "How to - Routing Traffic over Private VPN" found at https://forum.opnsense.org/index.php?topic=4979.0. Can someone please tell me how to set up the port forwarding for the new requirements?

3
Web Proxy Filtering and Caching / A few squid questions and issues
« on: December 26, 2018, 07:59:07 pm »
New OPNsense user here as of this past weekend and I am overall extremely happy with this project. Almost everything has just worked, and almost every bump along the way has been quickly solved by researching either the docs or forums. Excellent work. Of course, the downside to it going so well is I might not be much help yet to others here.

Most of the issues I haven't been able to resolve are related to squid. I've set up a transparent cache with ssl_bump and Linux package cache enabled. Here's what isn't working and/or I haven't been able to locate instructions for:
1. Remote ACLs will not download. The UT1 list in the instructions times out even with wget on my desktop system, but MESD, Shallalist, and yoyo (adblock) lists won't download either. I can download each one through my browser just fine.
2. Once I can download lists, I cannot locate instructions to separate filtering in any manner so that my wife and I can access certain sites while blocking access for the kids. On a related note, is there a method for blocking certain YouTube channels without blocking the whole site?
3. Caching Linux updates worked great for Arch Linux and really sped up the process. For Fedora (and probably CentOS), I had to put fedoraproject.org in the SSL no bump list for it to be able to update at all. It looks like the RPMs were cached, but then squid replaces them on the next update. I don't think this is an OPNsense issue, but does anyone know a workaround for this?
4. I haven't been able to find instructions to make squid cache work offline. I live in a very remote area and when I have connectivity my bandwidth is good, but connectivity isn't the most reliable. Since we homeschool our kids there are a lot of static information sites we'd like to serve offline when necessary.

For the last two issues, I can set up another VM as a LAN webserver to host a repo and httrack mirror, but I don't know how to make squid redirect the URLs to the LAN host. Ideally I'd like to keep that a transparent process, and I'd rather use squid so we're only caching what's necessary.
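The second item in the post above (different filtering for adults and kids on the same transparent proxy) maps onto plain squid ACLs keyed by client source address. The fragment below is an added example, not code from the post or from OPNsense's squid plugin; the addresses, the blocklist path and the custom-include location are assumptions for illustration. It groups clients by `src`, applies a `dstdomain` blocklist only to the kids' group, and adds an optional school-hours time window. For a transparent HTTPS setup this only works if `ssl_bump` peeks at the TLS ClientHello first so squid learns the server name (SNI); without that, `dstdomain` has nothing to match against for bumped or spliced connections.

```squid
# Added example: per-client-group filtering for squid (assumed values, not from the post).
# On OPNsense the GUI owns squid.conf; custom ACLs are assumed to go into a drop-in
# file that is included before the generated http_access rules.

# Client groups by source address (assumed LAN addresses).
acl adults src 192.168.1.10 192.168.1.11
acl kids   src 192.168.1.50 192.168.1.51

# Domain blocklist for the kids' group, one domain per line (assumed path).
# A leading dot matches the domain and all of its subdomains, e.g. ".example.net".
acl kids_blocked dstdomain "/usr/local/etc/squid/kids_blocklist.txt"

# Optional: restrict the kids' group to weekday school hours (squid day codes: SMTWHFA).
acl schooltime time MTWHF 08:00-15:00

# Make sure the proxy sees the SNI before dstdomain is evaluated on HTTPS:
# peek at step 1, then bump (or splice) on the later steps.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Order matters: the first matching http_access line wins.
http_access deny  kids kids_blocked
http_access deny  kids !schooltime
http_access allow kids
http_access allow adults
# Everything not matched above falls through to the remaining generated rules.
```

Source-address ACLs only hold if the clients keep fixed addresses (static DHCP leases or reservations), and they say nothing about who is at the keyboard; for that, squid's authentication helpers are the right tool rather than IP-based groups. Blocking single YouTube channels, the related question in the post, is not something a domain-level ACL can express, since every channel lives under the same host name.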

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved