
Topic: Multi VPN client/device bypass


papafife
Multi VPN client/device bypass
« on: October 29, 2017, 09:59:33 am »
I would like to

1. Use multiple VPN clients
    Ideally these would be grouped together as a single WAN and would allow for a fallback in case one client goes down.

2. Host a VPN server
    To provide access to my network so I can access my NAS from outside my network. I would like to set up DDNS to update my public IP.

3. Allow certain devices to bypass the VPN or force devices to use the VPN clients.
    Not all my devices need to use the VPN client WANs. This will improve latency times. I can give devices static address reservations based off a MAC address. Items like my Arlo baby camera and the devices used to watch the feed do not need to go through the VPN.

Network Setup
I live in Germany and have a 50MB DSL connection. I see 20 MB speeds most of the time. :( My DSL modem is required because my home phone capabilities are built into the modem. It has no option to create a DMZ. Currently there is an ethernet cable from my DSL modem to the WAN side of my pfsense machine, 192.168.3.0 255.255.255.0. Then an ethernet cable feeds my internal network, 192.168.1.0 255.255.255.0.

I have networking experience but not firewall experience. 

I can provide any other information that is needed.  Thank you


PFSENSE 2.4.0 running on ESXI machine with 4 CPUs x Intel(R) Core(TM) i5-3450 CPU @ 3.10GHz, 20 GB RAM

papafife
Re: Multi VPN client/device bypass
« Reply #1 on: October 29, 2017, 10:00:56 am »
I currently have a single VPN client setup and it works but has latency issues at times and disconnects randomly while the ISP connection is still up.

I have had multiple clients setup and running but my network stops passing traffic.

With my network operational I have created a floating rule and assigned a single IP address to use the WAN, and it still sends traffic out the VPN connection. Under Advanced / Gateway my VPN is not an available selection.

« Last Edit: October 29, 2017, 03:24:43 pm by papafife »

Georget27
Re: Multi VPN client/device bypass
« Reply #2 on: October 29, 2017, 04:47:55 pm »
There are a lot of questions like yours in the openvpn section. Some of them are by me. 🙂

There are three sources I keep coming back to:

1. https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
2. pfSense Gold Hangout on OpenVPN covers this setup

My two cents: take your time and make sure you understand what you are doing. I had the basic config running in 4 hours with the document above and then started reading the forum. There are a lot of tweaks that may or may not be interesting for an environment.

papafife
Re: Multi VPN client/device bypass
« Reply #3 on: October 29, 2017, 05:01:50 pm »
Thank you. Apparently I was on the right track somewhat. I now have traffic pointed to different exits based on the source IP address.

I was creating the interfaces, but they were not being displayed as gateways when creating my rules. I did not realize I needed to enable the interface after I created it.

Now I am working my way through setting up a VPN server. But that will be a project for another night.

Georget27
Re: Multi VPN client/device bypass
« Reply #4 on: October 31, 2017, 12:36:06 am »
What I learned from the forum after fighting with OpenVPN server and client:

1. Make sure your server certificate is actually a server certificate and users in User Manager have client certificates. So pretty obvious, but I've lost an hour troubleshooting why there were no clients available to export in the OpenVPN Client Export package. See attachment.

2. Define the OpenVPN Server as an interface and configure access rules there. If you leave the rule created by the OpenVPN Server Wizard under Firewall / Rules / OpenVPN untouched, you open up the internal LAN to all traffic originating from your VPN provider. Not a good idea.

3. Once you have created the interface, go to System / Routing / Gateways and disable monitoring on this gateway.

4. If you want to use the pfSense DNS Resolver (so you specify the firewall interface as DNS under the OpenVPN server), you have to add the IP-range of your OpenVPN-clients to Services / DNS Resolver/ Access Lists.

Hope this helps to give you a bit more sleep. :) :)

Kind regards.
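Two points in this thread are easy to check mechanically: item 2 above (a wizard-created any-to-any pass rule on the OpenVPN group tab also admits traffic arriving through the provider client tunnels) and the per-source gateway selection papafife used in Reply #3 to send some hosts out the VPN and others out the WAN. The script below is an added example, not code from the thread or from pfSense; it assumes a simplified config.xml layout (`<filter><rule>` with `<interface>`, `<source>`, `<destination>`, `<gateway>`) and uses a constructed sample config.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a pfSense config.xml <filter> section (assumption).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>openvpn</interface>
    <source><any/></source><destination><any/></destination>
    <descr>OpenVPN wizard</descr></rule>
  <rule><type>pass</type><interface>opt3</interface>
    <source><network>opt3</network></source><destination><network>lan</network></destination>
    <descr>Road warriors to LAN only</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><address>192.168.1.50</address></source><destination><any/></destination>
    <gateway>WAN_DHCP</gateway><descr>Camera bypasses VPN</descr></rule>
</filter></pfsense>"""


def _endpoint(rule, tag):
    """Return 'any', an address, or an interface-network name for <source>/<destination>."""
    ep = rule.find(tag)
    if ep is None or ep.find("any") is not None:   # <any/> is an empty element; test identity
        return "any"
    for child in ("address", "network"):
        node = ep.find(child)
        if node is not None and node.text:
            return node.text.strip()
    return "any"


def parse_rules(xml_text):
    """Flatten every <filter><rule> into a dict of the fields we audit."""
    root = ET.fromstring(xml_text)
    return [{
        "type": (r.findtext("type") or "").strip(),
        "interface": (r.findtext("interface") or "").strip(),
        "source": _endpoint(r, "source"),
        "destination": _endpoint(r, "destination"),
        "gateway": (r.findtext("gateway") or "").strip(),
        "descr": (r.findtext("descr") or "").strip(),
    } for r in root.findall("./filter/rule")]


def open_vpn_group_rules(rules):
    """Pass rules on the shared 'openvpn' group tab with any source and any destination.
    Such a rule matches packets from every OpenVPN instance, provider client tunnels included."""
    return [r for r in rules if r["type"] == "pass" and r["interface"] == "openvpn"
            and r["source"] == "any" and r["destination"] == "any"]


def policy_routes(rules):
    """Map each pinned source to the gateway its rule forces (VPN bypass / force)."""
    return {r["source"]: r["gateway"] for r in rules if r["gateway"]}
```

Running `open_vpn_group_rules(parse_rules(open('config.xml').read()))` on an exported backup lists exactly the rules item 2 says to replace with per-interface rules.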

papafife
Re: Multi VPN client/device bypass
« Reply #5 on: October 31, 2017, 12:51:46 am »
Thank you for your reply. I have the VPN server and I have multiple VPN client tunnels. Now I will just let them sit for a bit and see if I find issues with any traffic routing. Thank you

Georget27
Re: Multi VPN client/device bypass
« Reply #6 on: October 31, 2017, 01:17:14 am »
I did the same. All kinds of interesting questions come up and resolve themselves with the passing of time. 🙂