
Messages - Dave R

"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here.  They should be left out because all this does is list the directives twice in the config file.

It's worth noting (and this may have been stated already in the previous 20 pages of thread) that the tutorial in this thread also configures /etc/openvpn-password.txt for the VPN user and password. I've omitted this portion since there is a configuration field in the UI for both of these (I presume earlier versions of pfSense did not have this feature). Either method *does* seem to work, but I prefer keeping config items in one place when possible. Not to mention the added potential problems with cleartext files and permissions.
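As an added example (not code from the thread or from pfSense), the check below parses the text you would paste into an OpenVPN client's "Custom options" box and reports directives that pfSense already writes on its own (so they would appear twice in the generated config, as described above for persist-key and persist-tun), directives repeated within the box itself, and an auth-user-pass pointing at a cleartext file. The HARD_CODED set is an illustrative subset, not the full list pfSense emits, and the sample options text is constructed; the semicolon-as-line-break handling mirrors how pfSense treats that box but is an assumption here.

```python
"""Audit an OpenVPN 'Custom options' block before saving it in pfSense.

Added example, not pfSense's own code. HARD_CODED and SAMPLE are assumptions.
"""

# Directives the pfSense OpenVPN client page generates itself (illustrative
# subset, assumed for this example; the thread names persist-key/persist-tun).
HARD_CODED = {
    "persist-key", "persist-tun", "dev", "dev-type", "proto", "remote",
    "cipher", "auth", "resolv-retry",
}


def parse_directives(text):
    """Return [(directive, [args...]), ...] from custom-options text.

    Lines starting with '#' or ';' are OpenVPN comments. Inside a line, ';'
    separates options (pfSense turns those into line breaks; assumption here).
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for part in line.split(";"):
            tokens = part.split()
            if tokens:
                out.append((tokens[0], tokens[1:]))
    return out


def audit_custom_options(text, hard_coded=HARD_CODED):
    """Report redundant, repeated and file-backed credential directives."""
    directives = parse_directives(text)
    names = [name for name, _ in directives]
    return {
        # Already emitted by pfSense: listing them here duplicates them.
        "redundant": sorted({n for n in names if n in hard_coded}),
        # Typed more than once in the box itself.
        "repeated": sorted({n for n in names if names.count(n) > 1}),
        # Credentials read from a cleartext file instead of the GUI fields.
        "cleartext_auth_file": [
            args[0] for name, args in directives
            if name == "auth-user-pass" and args
        ],
    }


# Constructed sample resembling what the tutorial in the thread suggests.
SAMPLE = """remote-cert-tls server;persist-key;persist-tun
persist-tun
auth-user-pass /etc/openvpn-password.txt
reneg-sec 0
# disable-occ
"""

if __name__ == "__main__":
    for key, value in audit_custom_options(SAMPLE).items():
        print(f"{key}: {value}")
```

Anything listed under "redundant" can simply be deleted from the box; "cleartext_auth_file" is the case the post above avoids by using the username/password fields in the UI instead.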


So are you saying that on the standard PIA instructions your data is not routed correctly on the outgoing interface?

My setup is a little different than "VPN all the things!", which is the direction given by all the tutorials I've found anyway. Straight off, yes, all my traffic was egressing the VPN tunnel as it should, but I don't want Steam going over it, and Netflix absolutely refuses to run as well. Fiddling around with splitting the traffic over multiple interfaces is inherently problematic because now I need to use IP addresses, protocol and port to determine what goes where. And that's not always a straightforward thing (especially for Netflix; I'm a little surprised my setup is working at all with all the Aliases I had to configure).

That said, I'm continually impressed by pfSense. It's enterprise grade software in features, quality and functionality. I'm very grateful for the tutorial in this thread and all the support from the forum folks. Thanks all.

PS: Um, not sure I follow what you mean about creating a new interface. Isn't it right there in the first post under "Create OpenVPN interface"?

Thanks! Precisely what I was wanting. em0 egress is looking better now.

To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing.

I'm assuming the screenshot is correct?

If I'm running 'Services > DNS Resolver' on pfSense, it looks like (most?) of my DNS queries are still going out the WAN. Is this because the source IP is 'LAN net' on my VPN policy (ports 80, 443, 53) and the Resolver is using my WAN IP for the DNS queries (at least that's what it looks like from tcpdump)?

Good idea. Unfortunately, I have a mix of devices on the LAN which also access Netflix. For now, I've added around 30+ subnets to my Netflix Alias. It's not great, but it keeps the tablets/phones on the VPN for everything but Netflix.

180 is the static IP address of my TV.

I'm not sure I understand. Are you just filtering by source IP rather than by a zillion Netflix destinations?

The rules are working; I think I'm just missing IP ranges. I'm using tcpdump on the pfSense box to see what's egressing the VPN interface. Even after adding a new range, I'll reload Netflix in my web browser and tcpdump shows it still hitting that IP on the VPN. If I wait a minute or so, then it seems to pick it up. Are rule changes only applied to new connections?

Thanks. Netflix won't work going over the VPN interface, so I've created a hosts Alias containing the IP ranges for AS2906 (Netflix) and created a second rule on the LAN to route the Netflix alias destinations over the WAN interface instead of the VPN interface. It doesn't seem to pick up the change though. I've reset under 'Diagnostics > States > Reset States' but the rule doesn't seem to be working. Tcpdump on the VPN interface shows the Aliased IP addresses still going over that interface.

The docs say "first match wins" so if I have the Netflix rule at the top, and the VPN rule after that this should be working, correct? I'm assuming I'm missing some IP addresses Netflix is using but want to make sure I understand the rule ordering.

Ah, I think that works, but only if I specify the VPN gateway in the LAN pass rule (under Advanced). You mention "pass any without setting a gateway," but where else would I specify the VPN gateway for those ports?

Hrm, makes sense I guess. Got a link to something explaining how to route 80/443/53 over the VPN interface while leaving all other traffic egressing the WAN?
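The posts above describe three things at once: a LAN rule set where a Netflix alias rule sits on top and passes traffic without a gateway (so it follows the default route out the WAN), a rule below it that sends 80/443/53 to the VPN gateway, and a tcpdump on the VPN interface that still shows Netflix addresses. The added example below (written for this page; it is not the poster's configuration or pfSense code) models pfSense's first-match evaluation over such a rule list and then audits constructed tcpdump lines from the VPN interface, separating the two failure modes discussed: a flow the rules would send to the WAN that is still on the tunnel (an old state that was not reset, or rule order), and a Netflix address that the alias does not cover yet. The LAN subnet, gateway names, the alias contents and the "reference" AS2906 prefix list are all assumptions; only a subset of prefixes is used.

```python
"""Model pfSense LAN policy-routing rules and audit a VPN-interface capture.

Added example, not pfSense code. Networks, gateway names and captures are
constructed for illustration.
"""
import ipaddress
import re


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumed layout for the example (not the poster's real config).
LAN_NET = nets("192.168.1.0/24")
ANY4 = nets("0.0.0.0/0")
ALIAS_NETFLIX = nets("45.57.0.0/17", "198.38.96.0/19")            # alias as configured
REF_AS2906 = ALIAS_NETFLIX + nets("23.246.0.0/18", "37.77.184.0/21")  # fuller list, assumed
VPN_GW, WAN_GW = "PIA_VPNV4", "WAN_DHCP"

# LAN rules top to bottom: (name, src, dst, proto, dst ports, gateway).
# gateway=None means "pass without setting a gateway": the packet follows the
# system default route, i.e. the WAN.
RULES = [
    ("Netflix via WAN", LAN_NET, ALIAS_NETFLIX, "any", None,          None),
    ("Web+DNS via VPN", LAN_NET, ANY4,          "tcp", {80, 443, 53}, VPN_GW),
    ("DNS/udp via VPN", LAN_NET, ANY4,          "udp", {53},          VPN_GW),
    ("Default allow",   LAN_NET, ANY4,          "any", None,          None),
]


def in_any(addr, networks):
    return any(addr in n for n in networks)


def first_match(src, dst, proto, dport, rules=RULES):
    """pfSense writes every GUI rule with 'quick', so the first matching rule
    decides. Returns (rule name, gateway); (None, None) is pf's default deny."""
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    if isinstance(dst, str):
        dst = ipaddress.ip_address(dst)
    for name, snets, dnets, rproto, ports, gw in rules:
        if rproto != "any" and rproto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        if in_any(src, snets) and in_any(dst, dnets):
            return name, gw or WAN_GW
    return None, None


# "tcpdump -ni ovpnc1" line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")


def audit_vpn_capture(lines, rules=RULES, vpn_gw=VPN_GW,
                      reference=REF_AS2906, alias=ALIAS_NETFLIX):
    """Every flow seen on the VPN interface should have resolved to vpn_gw.

    wrong_gateway: the rules send this flow elsewhere, yet it is on the tunnel
                   (stale state, or the rule is not where you think it is).
    missing_alias_entry: destination is in the reference AS list but not in
                   the alias, so the VPN rule legitimately caught it.
    """
    findings = []
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:            # IPv6, ARP, etc. are ignored here
            continue
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        dport, rest = int(m[4]), m[5]
        proto = "tcp" if rest.startswith("Flags [") else "udp"
        rule, gw = first_match(src, dst, proto, dport, rules)
        if gw != vpn_gw:
            findings.append((str(dst), dport, "wrong_gateway", rule))
        elif in_any(dst, reference) and not in_any(dst, alias):
            missing = next(str(n) for n in reference if dst in n)
            findings.append((str(dst), dport, "missing_alias_entry", missing))
    return findings


# Constructed capture from the VPN interface (not real tcpdump output).
CAPTURE = """\
14:02:11.100 IP 192.168.1.180.51822 > 45.57.1.20.443: Flags [S], seq 1, win 65535
14:02:11.200 IP 192.168.1.23.44321 > 93.184.216.34.443: Flags [S], seq 2, win 65535
14:02:11.300 IP 192.168.1.23.40000 > 1.1.1.1.53: 4711+ A? example.com. (29)
14:02:11.400 IP 192.168.1.180.51900 > 23.246.50.10.443: Flags [S], seq 3, win 65535
14:02:11.500 IP 192.168.1.23.55000 > 203.0.113.9.22: Flags [S], seq 4, win 65535
14:02:11.600 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
""".splitlines()

if __name__ == "__main__":
    for finding in audit_vpn_capture(CAPTURE):
        print(finding)
```

A "wrong_gateway" hit on a destination that is in the alias is the symptom from the posts above where the rule looked right but the capture disagreed: the existing state still carries the old route until it is reset, so new connections pick up the rule before old ones do. A "missing_alias_entry" hit is the other case, where the only fix is adding the range to the alias.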

NAT / Why doesn't my Auto-created rule for LAN->WAN work in AON mode?
« on: January 03, 2018, 10:33:49 am »
I added an OpenVPN client to a VPN provider today following the guide here:

I only want HTTP, HTTPS and DNS going over the VPN interface. All other traffic (ssh, NTP, etc.) should use the WAN interface.

As I understand, when switching to AON (I was using Automatic) the automatic rules which were in effect are now applied as regular rules in the AON table. I was not able to connect anywhere over the VPN link, however. When I finally added a NAT Alias for 80, 443 and 53, and applied it to a new rule (PIA VPN PORTS in the picture), then things started working again.

I noticed I cannot browse any Steam game servers, however. Also, ssh access to some of my external servers is not working. I don't see anything in the docs about adding explicit egress ports for AON, so I must be missing something.

I noticed, however, that there is a rule (2nd from bottom in the picture) which allows all of my internal LAN to the WAN port, "auto created rule - LAN to WAN", so why isn't this rule working?

Thanks for the guide. I was able to get this configured in about an hour or so. There are a couple of things to note:

1) OpenVPN server port numbers are different for PIA depending on whether you use a sha256 or sha128 cert:

2) I didn't want my Steam gaming traffic going over the VPN (ports 27000-27015, ...), so I used a NAT Alias to create a list of ports to apply to the outbound NAT rule.

General Questions / Re: Disable IPv6
« on: May 27, 2017, 04:51:57 pm »
Nah, I don't want to recompile the kernel. Disabling IPv6 is a simple boot parameter on Linux; I was just wondering if there was an equivalent. Thanks for the help!

General Questions / SMTP notifications over SSL?
« on: May 27, 2017, 11:35:26 am »
First day with pfSense. I'm trying to configure SMTP notifications. My mail server is behind a NAT on and uses SSL on port 62933. I can connect to the SSL service over telnet from pfSense, but the pfSense GUI says "Could not send the message to user@host.localdomin -- Error: could not connect to the host "": ??

Do I need to load the SMTP cert (self-signed) into pfSense somehow?

General Questions / Re: Disable IPv6
« on: May 27, 2017, 11:16:43 am »
Maybe I'm wrong (first day with pfSense), but these look like both i4 and i6 services listening on the 'global' interface. I'd really prefer to just turn them off, but the i6 ticks in System > Advanced > Networking don't really seem to do that. Is there another place to do this? What I have ticked is in the attached pic.

PS: How can I verify the WAN rules at the CLI? I can't get `ipfw list` to work: "ipfw: Context is mandatory: No such file or directory". I followed the link here: and `ipfw_context -l` just returns:
"ipfw_context: Command not found." Do I need to enable ipfw like this?

tcp4       0      0          *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
udp6       0      0 fe80::1%lo0.123        *.*                   
udp6       0      0 ::1.123                *.*                   
udp4       0      0          *.*                   
udp4       0      0       *.*                   
udp6       0      0 fe80::230:48ff:f.123   *.*                   
udp6       0      0 fe80::230:48ff:f.123   *.*                   
udp4       0      0 *.123                  *.*                   
udp6       0      0 *.123                  *.*                   
udp4       0      0 *.53                   *.*                   
udp6       0      0 *.53                   *.*                   
udp4       0      0 *.514                  *.*                   
udp6       0      0 *.514                  *.*                   
udp6       0      0 *.*                    *.*                   
udp4       0      0 *.*                    *.*                   
ip 4       0      0 *.*                    *.*                   
ip64       0      0 *.*                    *.*     
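The listing above is FreeBSD `netstat -an` output, where each local endpoint is printed as address.port and the protocol column carries the address family (tcp4, tcp6, udp4, udp6, or tcp46/udp46 for a dual-stack socket). The added example below (written for this page, not part of the post or of pfSense) parses that format and lists which services are bound on the wildcard address for IPv6, which is the question being asked. The sample text is constructed in the same format and is not the poster's full output. One caveat worth stating alongside it: a socket bound on `*` answers on every interface only if the firewall lets the packet through, and pfSense's packet filter is pf rather than ipfw, so the loaded ruleset is shown with `pfctl -sr` (and `pfctl -ss` for states), which is why the ipfw commands above fail.

```python
"""Parse FreeBSD `netstat -an` output and report wildcard IPv6 listeners.

Added example, not pfSense code. SAMPLE is a constructed listing.
"""
import re
from collections import defaultdict

PROTO_RE = re.compile(r"(tcp|udp)(4|6|46)")

# Constructed sample in `netstat -an` format (not the poster's full output).
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.53                   *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 192.168.1.1.443        192.168.1.50.51234     ESTABLISHED
udp6       0      0 fe80::1%lo0.123        *.*
udp4       0      0 *.123                  *.*
udp6       0      0 *.123                  *.*
udp4       0      0 *.514                  *.*
udp6       0      0 *.514                  *.*
udp4       0      0 127.0.0.1.53           *.*
"""


def parse_sockets(text):
    """Return one dict per tcp/udp row; raw-IP rows and headers are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not PROTO_RE.fullmatch(f[0]):
            continue
        transport, family = f[0][:3], f[0][3:]
        # The port is after the last '.', which also works for IPv6 with %scope.
        addr, port = f[3].rsplit(".", 1)
        if not port.isdigit():
            continue
        rows.append({
            "transport": transport, "family": family, "addr": addr,
            "port": int(port), "foreign": f[4],
            "state": f[5] if len(f) > 5 else "",
        })
    return rows


def listeners(text):
    """TCP sockets in LISTEN, plus UDP sockets that are bound but unconnected."""
    return [r for r in parse_sockets(text)
            if (r["transport"] == "tcp" and r["state"] == "LISTEN")
            or (r["transport"] == "udp" and r["foreign"] == "*.*")]


def wildcard_bindings(text):
    """Map (transport, port) -> set of families bound on every address ('*')."""
    out = defaultdict(set)
    for r in listeners(text):
        if r["addr"] == "*":
            fams = {"4", "6"} if r["family"] == "46" else {r["family"]}
            out[(r["transport"], r["port"])] |= fams
    return dict(out)


def ipv6_exposed(text):
    """Services reachable on any IPv6 address, sorted by (transport, port)."""
    return sorted(k for k, fams in wildcard_bindings(text).items() if "6" in fams)


if __name__ == "__main__":
    for transport, port in ipv6_exposed(SAMPLE):
        print(f"{transport}/{port} listens on * for IPv6")
```

Run it against a saved `netstat -an` instead of SAMPLE to get the list for a real box; a service that only shows up as bound to 127.0.0.1 or a link-local fe80:: address, like the udp/53 and lo0 ntp rows in the sample, is not reported because it is not reachable from the WAN side regardless of the firewall.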
