Hello all, I finally took the dive on pfSense hardware (to then later see an announcement that my processor will be outdated soon as it does not have AES-NI - fail) and spun up an OpenVPN server. I used my phone as a hotspot to test the server out and it does the job at giving me a tunnel to use my home internet service, but it doesn't allow my laptop access to other machines on my NAT.
Googling around there are threads that seem to pertain to older versions that simply had a "NAT" box to check (and my Asus router had this), but in this version (pfSense 2.3.3) I cannot find that box. I changed the VPN from tun to tap but still to no avail. I'd really like to use vSphere client and Plex over the VPN.
Oh, and time to turn on the pfSense 'bat signal'-- @Dexter_Kane
Do you mean lan, not nat? You want to keep it set to tun and make sure you're using a different subnet for the VPN network than what you're using for the lan. It should just work as long as you have firewall rules to allow the VPN network to any or at least to the lan networks.
It might be helpful if you post screenshots of the VPN configuration and the firewall rules for lan and the VPN networks.
I suck at the posting pics, what do you suggest is the easiest route? Been wanting to post in the "post what new thing you acquired" thread but always been too lazy on how to upload pics.
I don't know what I did but it works now - I played with some firewall rules, removed bridge = LAN in the OpenVPN menu and some other stabs as I went back and forth from hotspot/VPN connection and LAN connection to make changes. I'd still like to post pics to see if I opened some things up that I shouldn't have.
I used to use photobucket back in the day but as I got less and less involved with forums and technology changes, I haven't logged in for a looong time haha and am usually posting from my phone.
Set your source and destination dependent on what you are wanting to do and set to either pass or block. Just remember pfsense follows from top rule down.
Your LAN already has access to the DMZ because of the allow any rule. By the way, there's no point setting the source address as lan net on the lan interface, just use any or use something specific if you want to limit it. The source has to be on the lan network so lan net and any do the same thing.
On your DMZ you want to make a rule that rejects (reject is better than block for internal network traffic) from any to lan net and then under that make an allow any to any rule.
What I would suggest doing is creating an alias of your local networks (lan, dmz, vpn, etc.) and call it local_net or something then you can just make a rule on your dmz that allows from any to not local_net (there's a check box for not which inverts the rule). That way you are allowing traffic to the internet but not your lan and local networks which will be blocked by the default rule.
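The advice above about rule order ("pfSense follows from top rule down"), the reject-to-lan rule sitting above the allow-any rule, and the alias with the "not" checkbox can be checked with a small first-match evaluator. This is an added illustration, not code from pfSense or from anyone in the thread; the subnets and alias names are constructed for the example.

```python
"""First-match evaluation of pfSense-style interface rules (added example).

Models three things from the thread: rules are evaluated top-down and the
first match wins, anything unmatched hits the default deny, and a rule whose
destination is "not local_net" lets traffic out to the internet only.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample networks for the example (not the thread's real addresses).
ALIASES = {
    "lan_net": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz_net": [ipaddress.ip_network("192.168.2.0/24")],
    "vpn_net": [ipaddress.ip_network("10.8.0.0/24")],
}
# The "local_net" alias suggested above: every local subnet in one alias.
ALIASES["local_net"] = ALIASES["lan_net"] + ALIASES["dmz_net"] + ALIASES["vpn_net"]


@dataclass
class Rule:
    action: str            # "pass", "block" or "reject"
    src: str               # alias name or "any"
    dst: str               # alias name or "any"
    dst_not: bool = False  # the "not" (invert) checkbox on the destination


def _matches(spec, invert, addr):
    """True if addr is inside the alias (or spec is 'any'), XOR the invert flag."""
    hit = spec == "any" or any(addr in net for net in ALIASES[spec])
    return hit != invert


def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule.src, False, src) and _matches(rule.dst, rule.dst_not, dst):
            return rule.action
    return "block"  # pfSense's implicit default-deny at the end of every ruleset


# DMZ ruleset exactly as described: reject to lan net, then allow any to any.
DMZ_RULES_EXPLICIT = [
    Rule("reject", "any", "lan_net"),
    Rule("pass", "any", "any"),
]

# Alias variant: a single rule allowing anything whose destination is NOT local_net.
DMZ_RULES_ALIAS = [
    Rule("pass", "any", "local_net", dst_not=True),
]

# Same two rules in the wrong order: the allow-any matches first, so the reject never fires.
DMZ_RULES_WRONG_ORDER = [
    Rule("pass", "any", "any"),
    Rule("reject", "any", "lan_net"),
]


if __name__ == "__main__":
    for name, rules in [("explicit", DMZ_RULES_EXPLICIT),
                        ("alias", DMZ_RULES_ALIAS),
                        ("wrong order", DMZ_RULES_WRONG_ORDER)]:
        print(name, "DMZ->LAN:", evaluate(rules, "192.168.2.10", "192.168.1.5"),
              "DMZ->VPN:", evaluate(rules, "192.168.2.10", "10.8.0.3"),
              "DMZ->internet:", evaluate(rules, "192.168.2.10", "8.8.8.8"))
```

Note the difference between the two correct variants: the explicit reject rule answers DMZ-to-LAN traffic with a reject, while the alias variant simply never matches it, so it falls through to the default block. The wrong-order variant shows why the reject has to sit above the allow-any rule.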
PPPoE is Point to Point Protocol over Ethernet and is used for dialing ADSL modems from the router. L2TP is Layer 2 Tunnelling Protocol; although technically relevant, it's not here.
OpenVPN gets its routes for what local networks it can connect to via the server as upon connecting a user the server will push the routes to them. (see the openvpn server config -> IPv4 Local Networks) Although once you are connected you could push your own routes (but that's for another day)
The rules you are most likely looking for are something similar to mine for everyone else on the network
Onto the next problem, my email server is not sending or receiving mail (worked when port forwarding through Asus router). Things that have been done (not in order):
- going to a pfSense router my ISP gave me a new public IP, updated my domain info.
- created iRedMail alias, added ports 143, 993, 465, 25, 587 - then later 80 and 22. Plugged in iRedMail server IP (172.16.0.1)
- Gave the DMZ interface the IP 172.16.1.0, enabled DHCP.
- iRedMail CentOS7 VM connected to NIC that is going straight to DMZ interface on pfSense router.
- made some WAN, LAN and DMZ rules and verified I can ping the iRedMail IP from a LAN machine (iRedMail IP is 172.16.0.1 which seems odd), iRedMail cannot ping LAN machine but can ping 8.8.8.8.
- Created NAT port forward using iRedMail alias
So on tap my Android phone could not use the VPN (net30 issue that strangely on tap does not have a drop down to change, but on tun the drop down appears), switching to tun fixes that, but then tun breaks my laptop from being able to access services on my LAN such as FreeNAS or anything else with a webui. Why is it rocket science to get the two things IMO are the top two reasons to VPN - secure web access on an open wifi connection and then access to machines on your home LAN?
Use tun, make sure the VPN subnet is different to your LAN and any other local subnets. Make sure you have firewall rules on the VPN interface to allow traffic to lan using the default gateway
It's under advanced, the default action is to use the default gateway. It's only important to set if you have other traffic using other gateways, you have to make sure that any traffic between local subnets uses the default gateway so that rule has to be above a rule which sets a different gateway if both rules would match the traffic.
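Two of the conditions given in the thread for tun mode to work (the VPN subnet must not overlap any local subnet, and the server must push a route for each entry in IPv4 Local Networks, otherwise the client sends LAN traffic out its own default route) can be checked before touching the firewall. This is an added example, not pfSense or OpenVPN code; the addresses are constructed, and the `push "route ..."` lines follow OpenVPN's server-side syntax.

```python
"""Pre-flight checks for an OpenVPN tun setup (added example, constructed data)."""
import ipaddress


def overlapping_networks(tunnel_network, local_networks):
    """Return the local subnets that overlap the VPN tunnel network.

    A non-empty result means clients on the VPN and hosts on that local
    subnet share addresses, which is the 'different subnet' problem above.
    """
    tunnel = ipaddress.ip_network(tunnel_network)
    return [n for n in local_networks if tunnel.overlaps(ipaddress.ip_network(n))]


def push_route_lines(local_networks):
    """Build the route directives the server pushes to a connecting client,
    one per IPv4 Local Networks entry (OpenVPN's 'push "route NET MASK"' form)."""
    lines = []
    for n in local_networks:
        net = ipaddress.ip_network(n)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def client_path(destination, pushed_networks):
    """Where a client sends a packet after connecting: 'tun' if a pushed route
    covers the destination, otherwise 'local' (the hotspot's default route).

    This is why a laptop on tun can reach the internet yet not the home LAN
    when the LAN is missing from the pushed routes.
    """
    dst = ipaddress.ip_address(destination)
    for n in pushed_networks:
        if dst in ipaddress.ip_network(n):
            return "tun"
    return "local"


if __name__ == "__main__":
    # Constructed example: LAN and DMZ at home, VPN tunnel on its own /24.
    local = ["192.168.1.0/24", "172.16.1.0/24"]
    print("overlaps:", overlapping_networks("10.8.0.0/24", local))
    for line in push_route_lines(local):
        print(line)
    # With the LAN pushed, a client reaches a home host through the tunnel;
    # without it, the same packet leaves via the hotspot and never arrives.
    print(client_path("192.168.1.20", local), client_path("192.168.1.20", []))
```

The tunnel network is checked against every local subnet, not just the LAN, since the alias advice earlier in the thread treats lan, dmz and vpn as one set of local networks that must not collide.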