Topic: can connect on VPN server, but no internet access.

aristosv
can connect on VPN server, but no internet access.
« on: April 01, 2018, 10:49:48 pm »
I have a box running pfSense v2.4.3. I've configured IPsec VPN access using this guide and this guide, and this is how I configured it.

VPN > IPSec > Mobile Clients > Enable IPsec Mobile Client Support
User Authentication > Local Database
Provide a virtual IP address to clients > 192.168.50.32 / 27
Provide a DNS server list to clients > 8.8.8.8 / 8.8.4.4
Save > Apply Changes

Create Phase 1
Description > VPN
Authentication Method > Mutual PSK + Xauth
Peer Identifier > Distinguished name > vpn
Pre-Shared Key > password_here
NAT Traversal > Force
Save > Apply Changes

Show Phase 2 Entries > Add P2
Local Network > Network > 0.0.0.0/0
Save > Apply Changes

System > User Manager > Add > Username > Password > Save
Edit user
Effective Privileges > Add > User VPN: IPSec xauth Dialin > Save

Firewall > Rules > IPSec > Add
Description > VPN
Save > Apply Changes

My iPhone can connect on the VPN server and I can access resources on my network. The problem is that while I'm connected, I don't have internet access. What am I doing wrong here?


aristosv
Re: can connect on VPN server, but no internet access.
« Reply #2 on: April 04, 2018, 12:04:46 am »
Well, this fixed it for me.
https://forum.pfsense.org/index.php?topic=117858.0

Firewall > Rules > IPSec > Add > Protocol > TCP/UDP (initially only TCP was selected)
I don't know why UDP was important, but now I can access local network resources and the internet.

Redmac
Re: can connect on VPN server, but no internet access.
« Reply #3 on: April 16, 2018, 08:18:15 pm »
UDP is needed for DNS lookup.

Easiest to just set it for *any* (if your IPSEC clients are trusted of course)
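The check Redmac's answer points at, as an added example that is not from the thread or from pfSense: it sends one DNS query over UDP and one over TCP to the servers the original post hands out (8.8.8.8 / 8.8.4.4) from a connected client, so "UDP/53 blocked by the IPsec rule" stands out from "no route at all". The server list and the example.com name are assumptions.

```python
import random
import socket
import struct
# Added diagnostic, not from the thread or pfSense. Assumes the DNS servers the
# thread pushes to clients (8.8.8.8 / 8.8.4.4) and a host connected to the VPN:
# TCP/53 answering while UDP/53 times out is the thread's "TCP only" symptom.

def build_query(name, txid=0x1234):
    """Minimal DNS A query: one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(resp, txid):
    """Return (txid matches, QR bit set, RCODE, answer count) from the header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid, bool(flags & 0x8000), flags & 0x000F, an

def probe(server, name, proto, timeout=3.0):
    """Send one query over 'udp' or 'tcp'; return 'ok', 'bad-reply' or 'timeout'."""
    q = build_query(name, (txid := random.randrange(65536)))
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                length = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))[0]
                data = s.recv(length, socket.MSG_WAITALL)
        txid_ok, is_resp, _rcode, _an = parse_response(data, txid)
        return "ok" if txid_ok and is_resp else "bad-reply"
    except (socket.timeout, OSError, ValueError, struct.error):
        return "timeout"

def diagnose(udp, tcp):
    """Map the UDP/TCP probe pair to the likely cause."""
    if udp == "ok":
        return "DNS over UDP works; look at routing/NAT/P2 instead."
    if tcp == "ok":
        return "TCP/53 works but UDP/53 is blocked: IPsec rule allows TCP only."
    return "Neither works: no path to the DNS server (route, NAT or P2 selector)."

if __name__ == "__main__":
    for srv in ("8.8.8.8", "8.8.4.4"):
        u, t = probe(srv, "example.com", "udp"), probe(srv, "example.com", "tcp")
        print(srv, "udp:", u, "tcp:", t, "->", diagnose(u, t))
```

Run it from a client that is connected to the VPN; the query builder and header parser are plain functions, so they can be exercised offline without any network.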