[Solved] Win10 + Virtualbox + PFSense + OpenVPN -- No Route to Host

I’m trying to install PFSense 2.4.2 in a Virtualbox guest machine on a Windows 10 Host machine with some out of date guides (e.g. this one) (doing it to make a proper VPN + kill switch + firewall / snort).

I have a physical card configured as em1 (LAN), and a Microsoft Loopback Adapter configured as em0 (WAN).

On the PFSense web GUI my WAN Interface status is:

Status: up
MAC Address: xxxxx - my mac from my physical card
IPv4 Address: 10.0.0.1 - the default gateway and DHCP server from the internet connection plugged into my PC
Subnet mask IPv4: 255.255.255.0 - correct
IPv6 Link Local: fe80::a00:27ff:fef6:12aa%em0 - not sure why I have this here, I did my best to disable all IPV6 things.
DNS servers:
  127.0.0.1 - I guess this is the default PFSense DNS server?
  208.67.220.220 - opendns
  xxxxx - dns from my vpn
  xxxxx - dns from my vpn
  208.68.222.222 - opendns
MTU: 1500
Media: 1000baseT
In/out packets: 0/0 (0 B/0 B)
In/out packets (pass): 0/0 (0 B/0 B)
In/out packets (block): 17/5 (4 KiB/416 B)
In/out errors: 0/0
Collisions: 0

My LAN status is:

Status: up
MAC Address: 08:00:27:4e:b3:62
IPv4 Address: 192.168.1.1
Subnet mask IPv4: 255.255.255.0
IPv6 Link Local: fe80::a00:27ff:fe4e:b362%em1
MTU: 1500
Media: 1000baseT
In/out packets: 1561/2576 (182 KiB/2.90 MiB)
In/out packets (pass): 1561/2576 (182 KiB/2.90 MiB)
In/out packets (block): 0/4 (0 B/340 B)
In/out errors: 0/0
Collisions: 0

With this my Internet Connection in Windows (my host), through the Loopback Adapter, has No Internet Access. All I can access is 192.168.1.1 in the browser.

I entered my VPN’s data as OpenVPN (followed guide), and that kinda works. When I gave the “Server host or address” a domain name instead of an IP address it complained / failed, but with an IP and the right cryptography settings it “works”, the Client Instance Statistics for OpenVPN show the Service is running (but not connected). Status says this:

Feb 21 00:14:52 openvpn 6449 WARNING: file ‘/var/etc/openvpn/client1.up’ is group or others accessible
Feb 21 00:14:52 openvpn 6449 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 16 2017
Feb 21 00:14:52 openvpn 6449 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Feb 21 00:14:52 openvpn 6664 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 21 00:14:52 openvpn 6664 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Feb 21 00:14:52 openvpn 6664 UDPv4 link local (bound): [AF_INET]10.0.0.1:0
Feb 21 00:14:52 openvpn 6664 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Feb 21 00:14:52 openvpn 6664 write UDPv4: No route to host (code=65)
Feb 21 00:14:54 openvpn 6664 write UDPv4: No route to host (code=65)
Feb 21 00:14:58 openvpn 6664 write UDPv4: No route to host (code=65)
Feb 21 00:15:06 openvpn 6664 write UDPv4: No route to host (code=65)
Feb 21 00:15:22 openvpn 6664 write UDPv4: No route to host (code=65)
Feb 21 00:15:52 openvpn 6664 [UNDEF] Inactivity timeout (--ping-restart), restarting

My network administrator knowledge is patchy, can someone help me understand how to debug this? It should be straightforward and work almost out of the box.

Also I’m still new to PFSense so when you ask for printouts please tell me where I can find them in the menus :slight_smile:

PS:
Another weird thing is that if I leave my Loopback Adapter on Automatic, it gives me “Unidentified Network” and on an `ipconfig /all` the loopback adapter shows IPv4 Address: 169.254.30.217 - wtf is that? it should be 192.168.1.100 (100 is the start of the ip range in pfsense). If I set the values manually, it works, but who’s giving it that weird DHCP info?

This is an automatically assigned address if it doesn’t get a DHCP address from the server.

1 Like

Have you set up the proper firewall rules in PFSense to allow traffic to pass through it?

My Firewall > Rules > WAN says:

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Description |
|---|---|---|---|---|---|---|---|---|
| 0 / 3 KiB | * | RFC 1918 networks | * | * | * | * | * | Block private networks |
| 0 / 0 B | * | Reserved > Not assigned by IANA | * | * | * | * | * | Block bogon networks |

Firewall > Rules > LAN:

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Description |
|---|---|---|---|---|---|---|---|---|
| 8 / 4.64 MiB | * | * | * | LAN Address | 443 80 | * | * | Anti-Lockout Rule |
| 2 / 4 KiB | IPv4 * | LAN net | * | * | * | * | none | Default allow LAN to any rule |
| 0 / 0 B | IPv6 * | LAN net | * | * | * | * | none | Default allow LAN IPv6 to any rule |

Firewall > Rules > OpenVPN:

No rules are currently defined for this interface
All incoming connections on this interface will be blocked until pass rules are added. Click the button to add a new rule.

^ This last one is “fine”. I will have to figure it out afterwards but internet should work without OpenVPN either way.

My Firewall / NAT / Outbound

| Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Description |
|---|---|---|---|---|---|---|---|
| WAN | 127.0.0.0/8 | * | * | 500 | WAN address | * | Auto created rule for ISAKMP - localhost to WAN |
| OpenVPN | 127.0.0.0/8 | * | * | 500 | OpenVPN address | * | Auto created rule for ISAKMP - localhost to WAN |
| WAN | 127.0.0.0/8 | * | * | * | WAN address | * | Auto created rule - localhost to WAN |
| OpenVPN | 127.0.0.0/8 | * | * | * | OpenVPN address | * | Auto created rule - localhost to WAN |
| WAN | 192.168.1.0/24 | * | * | 500 | WAN address | * | Auto created rule for ISAKMP - LAN to WAN |
| OpenVPN | 192.168.1.0/24 | * | * | 500 | OpenVPN address | * | Auto created rule for ISAKMP - LAN to WAN |
| WAN | 192.168.1.0/24 | * | * | * | WAN address | * | Auto created rule - LAN to WAN |
| OpenVPN | 192.168.1.0/24 | * | * | * | OpenVPN address | * | Auto created rule - LAN to WAN |

And they are all checked / on. So it should connect with or without OpenVPN.

Just to make sure I’m reading this correctly.

You are stating that this interface has received a DHCP address from your home network? The gateway is correctly set to point to your home network’s router?

That address is known as the Loopback address. It’s the address that points to “itself” for EVERY device on the planet. PFSense defaults to itself being a DNS resolver.

Looking at the instructions you linked, I want to make sure you removed the IPV4 and IPV6 from the “Ethernet Adapter” in windows.

Also, that you didn’t assign any IP addresses to the Loopback address in windows.

If you can hit the 192.168.1.1, you should be able to go further. Though you may have to set a default route on the windows machine to be 192.168.1.1.
I haven’t done a setup like this before. May have to test it out.

Ah, no! :slight_smile: I have set it manually to 10.0.0.1/24 in the Static IPv4 Configuration under Interfaces / WAN. When I set it to DHCP, WAN reports IPv4 Address 0.0.0.0 and subnet mask 255.0.0.0 (wrong). Didn’t know where else to fix that than to assign a static IP and mask. Couldn’t find anything online about ipv4 being 0.0.0.0.

Now that you’ve said that, I remember 127.0.0.1 from network class years ago in college :stuck_out_tongue:

K. So I had assigned a manual IP address to the Loopback adapter. But now I left IP to Automatic, and DNS server manual to 192.168.1.1, and it works! The loopback adapter gets the correct IP automatically. Leaving DNS to Automatic as well, it defaults to IP 169.254.30.217 (wrong).

When I removed the IPV4 and IPV6 from the windows Ethernet adapter, I no longer had internet in windows and also no change in pfsense, even after a restart.

It’s so weird that you don’t find much online about Virtualbox + PFSense + Windows host. I would think it’s the obvious move for anyone that has a laptop but can’t install linux bare metal due to hardware driver issues (e.g. videocards) (which should be many people).

Update: After changing things to what I/you said in my previous post (DHCP under Interfaces / WAN, removed IPV4 and IPV6 from win ethernet) and restarted my PFSense virtualbox, my wan says:

Status: up
MAC Address: xx:xx:xx:xx:xx:xx
IPv4 Address: 127.0.0.1
Subnet mask IPv4: 255.255.255.0
IPv6 Link Local: fe80::a00:27ff:fef6:12aa%em0
DNS servers:
  127.0.0.1
  208.67.220.220
  [vpn dns]
  [vpn dns]
  208.67.222.222
MTU: 1500
Media: 1000baseT
In/out packets: 0/0 (0 B/0 B)
In/out packets (pass): 0/0 (0 B/0 B)
In/out packets (block): 9/5 (685 B/416 B)
In/out errors: 0/0
Collisions: 0

So it’s no longer IPv4 0.0.0.0. But no internet. And I’m going to bed now :slight_smile:

Update:

Setting Interfaces / WAN -> IPv4 Config to DHCP didn’t find my gateway router IP. But I scrolled down to DHCP Client Configuration and in the Alias IPv4 address I wrote my gateway (10.0.0.1/24). After restarting the VM, I got this WAN Interface status:

Status: up
DHCP: up
MAC Address: xx:xx:xx:xx:xx:xx
IPv4 Address: 10.0.0.19 - GOOD!
Subnet mask IPv4: 255.255.255.0 - GOOD
Gateway IPv4: 10.0.0.1 - GOOD
IPv6 Link Local: fe80::a00:27ff:fef6:12aa%em0 - don’t know what this is about, IPV6 should be disabled
DNS servers:
  127.0.0.1
  208.67.220.220
  [vpn dns]
  [vpn dns]
  208.67.222.222
MTU: 1500
Media: 1000baseT
In/out packets: 0/620 (0 B/40 KiB)
In/out packets (pass): 0/620 (0 B/40 KiB)
In/out packets (block): 1204/0 (98 KiB/0 B)
In/out errors: 0/0
Collisions: 0

Don’t know why I have to manually specify the gateway and why DHCP screws up so royally. Is it because it’s in a VM and it has trouble interfacing with the windows ethernet adapter? I would like a network independent setup.

Status / Gateways / Gateways tells me:

Name Gateway Monitor RTT RTTsd Loss Status Description
WAN_DHCP 10.0.0.1 10.0.0.1 0.091ms 0.057ms 0.0% Online Interface WAN_DHCP Gateway

“Online” how exactly? Online as in connected to the gateway router? Why don’t I has internets then?

Turning on the OpenVPN I get this in the Status / System Logs / OpenVPN:

Feb 22 12:09:01 openvpn 14115 SIGUSR1[soft,ping-restart] received, process restarting
Feb 22 12:09:41 openvpn 14115 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 22 12:09:41 openvpn 14115 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Feb 22 12:09:41 openvpn 14115 UDPv4 link local (bound): [AF_INET]10.0.0.19:0
Feb 22 12:09:41 openvpn 14115 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:xxxx
Feb 22 12:09:01 openvpn 14115 [UNDEF] Inactivity timeout (--ping-restart), restarting
Feb 22 12:09:01 openvpn 14115 SIGUSR1[soft,ping-restart] received, process restarting

It says [AF_INET]10.0.0.19:0 <- Port 0? Should that be port 0?

Since my gateway is a home router, I unchecked “Block private networks and loopback addresses” in the Interfaces / WAN.

And I added a custom rule to Firewall \ Rules \ WAN to allow TCP/UDP, port range any to any. - WHY IS PFSENSE NOT INCLUDING THIS RULE BY DEFAULT? (it can be disabled by default, just have it FFS - what else are they not including that is vital?)

I reverted to Outbound NAT Mode: Automatic outbound NAT rule generation. (IPsec passthrough included)

Still no internet connection. I need help with this firewall log:

Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:10 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:10 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:11 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:11 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:12 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:14 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:16 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:17 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:57412 83.136.250.51:443 TCP:A
Feb 22 16:20:17 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:57412 83.136.250.51:443 TCP:PA
Feb 22 16:20:20 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:23 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:33 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:38 WAN (1000105583) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:46 WAN (1000105583) 10.0.0.3:50845 83.136.250.51:443 TCP:A
Feb 22 16:20:46 WAN (1000105583) 10.0.0.3:50845 83.136.250.51:443 TCP:A
Feb 22 16:20:46 WAN (1000105583) 10.0.0.3:50845 83.136.250.51:443 TCP:A
Feb 22 16:20:46 WAN (1000105583) 10.0.0.3:57412 83.136.250.51:443 TCP:FPA
Feb 22 16:20:46 WAN (1000107050) 10.0.0.1 224.0.0.1 IGMP
Feb 22 16:20:47 WAN (1000105583) 10.0.0.3:50845 83.136.250.51:443 TCP:A

10.0.0.1 is my internet gateway (router). the IP the router assigned to my virtualbox PFSense WAN is 10.0.0.19.

I don’t know what this code means: (1000105583), nor how to track down where the rule for this message is coming from: Default deny rule IPv4 (1000000103)
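Added example, not from this thread or from the pfSense project: a small Python parser for firewall log lines in the GUI display format quoted in the post above (`<timestamp> <interface> [<rule description>] (<rule ID>) <src>[:port] <dst>[:port] <proto>[:<flags>]`). The sample lines are constructed and modelled on the ones in the post; the parser assumes IPv4 addresses only and treats the rule description as optional, since the GUI shows one for the built-in "Default deny rule IPv4" entries but not for the other rule IDs in the post. Beyond grouping entries per rule ID and per 5-tuple flow, it flags TCP entries without the S flag: those are not connection attempts but mid-stream packets the firewall has no state for, which is exactly the traffic the default deny on a WAN interface is meant to drop, and exactly what a blanket any-to-any pass rule on WAN would let through.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the Status / System Logs / Firewall
# output quoted in the post above (GUI display format, IPv4 only).
SAMPLE_LOG = """\
Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:09 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:51133 108.177.126.188:5228 TCP:A
Feb 22 16:20:17 WAN Default deny rule IPv4 (1000000103) 10.0.0.3:57412 83.136.250.51:443 TCP:A
Feb 22 16:20:38 WAN (1000105583) 10.0.0.3:51133 108.177.126.188:5228 TCP:PA
Feb 22 16:20:46 WAN (1000105583) 10.0.0.3:50845 83.136.250.51:443 TCP:A
Feb 22 16:20:46 WAN (1000107050) 10.0.0.1 224.0.0.1 IGMP
"""

# One GUI log line: timestamp, interface, optional rule description, the rule's
# ID in parentheses, source[:port], destination[:port], protocol[:TCP flags].
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<iface>\S+) "
    r"(?:(?P<desc>.*?) )?"
    r"\((?P<rule_id>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))? "
    r"(?P<proto>[A-Z0-9]+)(?::(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["rule_id"] = int(e["rule_id"])
    e["sport"] = int(e["sport"]) if e["sport"] else None
    e["dport"] = int(e["dport"]) if e["dport"] else None
    # Entries carrying a "Default deny" description were dropped by the
    # built-in catch-all rule, not by anything the admin configured.
    e["default_deny"] = bool(e["desc"]) and e["desc"].startswith("Default deny")
    # A TCP packet without the S flag is not a connection attempt; on a WAN
    # interface it is a mid-stream packet for which the firewall holds no state.
    e["tcp_without_syn"] = e["proto"] == "TCP" and "S" not in (e["flags"] or "")
    return e


def parse_log(text):
    """Parse every line of a log dump, silently skipping lines in another format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def hits_per_rule(entries):
    """Count entries per (interface, rule ID): shows which rule is doing the work."""
    return Counter((e["iface"], e["rule_id"]) for e in entries)


def flows(entries):
    """Group entries by 5-tuple so retransmissions collapse into one flow,
    mapped to the list of rule IDs that matched packets of that flow."""
    out = defaultdict(list)
    for e in entries:
        out[(e["src"], e["sport"], e["dst"], e["dport"], e["proto"])].append(e["rule_id"])
    return dict(out)


def unsolicited_tcp(entries):
    """Entries the default deny dropped that were TCP without SYN: expected noise
    on a WAN interface, and what a blanket any-to-any pass rule would admit."""
    return [e for e in entries if e["default_deny"] and e["tcp_without_syn"]]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (iface, rule_id), n in hits_per_rule(entries).items():
        print(f"{iface} rule {rule_id}: {n} entries")
    for key, rules in flows(entries).items():
        print("flow", key, "matched rules", sorted(set(rules)))
    print(len(unsolicited_tcp(entries)), "TCP entries without SYN hit the default deny")
```

Paste the lines from Status / System Logs / Firewall into `SAMPLE_LOG` (or read them from a file) and the per-rule counts tell you immediately whether a drop came from the built-in default deny or from a rule you created; the 5-tuple grouping shows that the eleven-odd lines for 10.0.0.3:51133 in the post are one flow being retried, not eleven separate problems.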

SOLVED.

Alright so after taking each of the million logs and pages in PFSense one by one and reading everything (they should look into collapsing newbie-irrelevant information, UX and hints), I am online.

Here are most of the problems I had:

  • dhcp wasn’t finding the gateway and subnet mask (and trying to fix it got things messed up).
  • default firewall example rules to allow internet are missing by default, and you don’t know wtf is wrong or what to do.
  • interface (lan wan) config settings (by default won’t let you connect PFSense to a home router, assumes modem only (blocks home ip ranges)).
  • hard to figure out openvpn settings and firewall / nat / outbound settings.
  • most frustrating: some changes kinda get applied, but sometimes not fully until you restart the BSD OS (and maybe also your windows adapters) - sometimes applying settings never quite finishes applying things in background or god knows what else happens b/w pfsense and the host adapters and you think your changes didn’t fix the problem.

Glad you got it mostly sorted.

To be fair to PFSense, you are using it in a scenario that it wasn’t exactly designed for.

By default it’s designed to be between a private network and a public network. Not between two private networks. Doesn’t really have anything to do with a home router/modem.

Yes, OpenVPN can be tricky. Mainly because it’s not designed to be used as an identity/privacy proxy as with most of these public “VPN” services.

I agree that it’s frustrating for things to not apply as expected, but I refer back to the fact that it’s not designed (nor really supported) as a Virtual machine.

The DHCP bit, I’m a little confused by, unless it has something to do with it being in a virtual machine with hardware pass-through.

All in all, good job.

2 Likes

One annoyance I still have is that if any change occurs on the ethernet adapter that I use as WAN input for the PFSense VM, then PFSense won’t reconnect on its own until I restart the VM. I don’t know if there is a command to force PFSense/FreeBSD to do whatever it is it only does on a reboot.

The crazy/cool thing I’m trying to do now, is have another VM (Debian) which gets access to a USB ethernet adapter and a USB WiFi adapter (because PFSense doesn’t like WiFi as WAN, and BSD doesn’t have great WiFi driver support), and I share Debian’s Internet Connection out the VM through Windows to the PFSense VM as WAN. :wink: - This works, but if I switch between Ethernet and Wifi inside Debian, or go to another WiFi hotspot, then the aforementioned problem happens where PFSense can’t reconnect to WAN. :frowning:

PS: Good points, yeah PFSense was totally not made for all this “shit”. But that’s not gonna stop me :stuck_out_tongue:

DHCP works now. I didn’t catch what I had done wrong when it wasn’t assigning correctly. I just triple-checked all my settings with 3 somewhat applicable youtube guides, and I remember not changing anything, and then it worked :slight_smile:

1 Like