Whole-network VPN with pfSense Router | Level One Techs

reefland · May 29, 2017, 6:37pm

Let me know if I should move this to a new post...

Scenario:

By default all pfSense (ver 2.3.4) traffic goes out WAN interface. I added 1 firewall rule, for 1 specific IP address that will use the VPN. Pings / HTTP from that machine work fine when the firewall rule is disabled. Fail once enabled.

VPN Status:

The pfSense dashboard shows the VPN as UP and shows an IP address.
The Interface statistics widget shows small but increment packet counts as does the interface graph.

NAT Rule

I duplicated the NAT rule for "192.168.0.0/24 LAN-WAN" and changed the interface to "OpenVPN". I'm not sure if this should be "OpenVPN" or "VPN" I tried both, neither worked, guides I found seemed to favor "OpenVPN" so I left it at this.
New NAT rule is set for Protocol: Any, Source Network 192.168.0.0/24, Address: Interface Address

The Firewall Rule:

Created on the LAN interface, placed at the top of the list.
Action: Pass, Interface: LAN, Address Family: IPv4, Protocol: Any, Source single host: 192.168.0.236, destination: Any
Advanced Options / Gateway is set to the VPN Gateway

Interface:

Named VPN previously OPT2 assigned to port "ovpn2". This is the UDP version of the client which is enabled. ("ovpn1" is the TCP client, and that is disabled.)

System > Routing >Gateway:

VPN_VPNV4, Interface: VPN, Gateway IP and Monitor IP show an External IP address of the VPN provider, Same IP address listed in the pfSense dashboard for the VPN.
NOTE: The host that the firewall rule applies to CAN PING this external IP address no problem, but is not able to ping www.google.com or a google IP such as 172.217.3.36.

The pfSesne box, is a physical machine. It is not in a VM. Client hosts are physical machines attached to an unmanaged switch on the pfsense LAN interface, thus no VLANS.

The pfSense WAN interface is connected to a Verizon FIOS router. Other than change Admin password this is mostly a default config from Verizon. I did make the IP Addresses assigned to pfSense static IP mapping to make sure it gets the same IP address every time. I currently use the Verizon WiFi as my guest network.

State Table:
The firewall rule, is picking up a state when I test PING from the machine.

If I test with "ping google.com" I get the following:
Interface: LAN
Protocol: udp
Source/Destination: 192.168.0.236:54555 -> 8.8.8.8:53
State: NO_TRAFFIC:SINGLE
Packets: 2 / 0

If I test with "ping 172.217.3.36" I get the following:
Interface: LAN
Protocol: icmp
Source/Destination: 192.168.0.236:60269 -> 172.217.3.36:60269
State: 0:0
Packets: 23 / 0

Tim_FreeD · July 7, 2017, 6:11pm

I cannot filter your question.

2 very great guides on how to set up and harden pfSense, additionally to the video, including DNS leak protection, can be found here. He is not very verbose on why these settings are done but they are fully legit.

https://nguvu.org/pfsense/pfsense-2.3-setup/
https://nguvu.org/pfsense/pfsense-multi-vpn-wan/

shanedel · June 19, 2018, 6:53pm

Is it possible to do the opposite of a whole network VPN and only specify what devices should use the VPN?

MichaelLindman · June 19, 2018, 7:29pm

Yes, you can setup firewall rules in pfSense that specify the devices you want on the VPN and you can set the gateway for the rule to use in the advanced options:

Here is an example, the first rule allows local lan to specifc wan sites on the normal gateway and the second rule allows trusted devices set by the alias to use the VPN gateway.

shanedel · June 19, 2018, 8:16pm

I have tried this and while I come out in the right place (Public IP wise), devices on different VLANS can no longer communicate with one another.
(Rule currently disabled)

Basically I just want all devices on only 1 VLAN to use to use the VPN.

Why does it default to the VPN gateway when nothing is specified in firewall rules? can this be changed so it uses the default WAN?

MichaelLindman · June 19, 2018, 10:02pm

When you say the device can’t communicate with each other were you using ping? the disabled rule only allows TCP/UDP and ping uses the ICMP protocol and with that rule enabled pings to those deviecs will be blocked but TCP/UDP connections will still work.

Also a good apporch is to have an alias with all your local networks and have one rule for local networking and another for outbound with an inverse match on the alias so anything the first rule doesn’t catch will go to the second rule and be forwarded out through the gateway you set inside the rule.

How are your VLANs setup and are these all your firewall rules? you should have a seperate interface for each VLAN with its own set of firewall rules, from there you could set a rule from LAN net with the gateway as WAN_DHCP and a seperate rule on your VLAN interface with the gateway set as the VPN.

Dexter_Kane · June 19, 2018, 11:42pm

You need to a have rule for Internet traffic which uses the VPN gateway and a rule for local traffic which uses the default gateway.

The easiest was to do this is make an alias with all your local networks in it and then have an allow any to local (alias) rule using the default gateway and an allow any to not local (use the invert match check box) using the VPN gateway. Or any variation on that.