pfSense - Multiple Adapters with Multiple Subnets with Multiple Gateways

Discussion in 'Networking' started by SycoPath, Dec 7, 2016.

  1. SycoPath

    SycoPath Active Member

    OK, I've been poking at this for 2 hours now and I can't figure out what I'm missing.

    Internet-----------------WAN (em0)--------|-----------|--------VMX0-----------(192.168.248.0/21)
                                              |  pfSense  |
    Internet-----WAN (em0)----OpenVPN---------|-----------|--------VMX1-----------(192.168.0.0/24)

    Interfaces in pfSense:
    WAN (em0)
    LAN (VMX0, 192.168.248.0/21)
    VPN (VMX1, 192.168.0.0/24)
    ovpnc1 (Virtual openvpn adapter)

    My goal is for any traffic from the 192.168.0.1/24 network to only go through OpenVPN. I have also segregated this network on its own adapter (VMX1) and vSwitch in ESXi. I do want to enable SELECTIVE traffic on specific ports to specific IPs to cross from 192.168.248.0/21 to 192.168.0.0/24. For now though, I'll settle for all traffic passing and restrict it later. I do want to make a DENY rule for anything on 192.168.0.0/24 to never be able to leave without passing through the ovpnc1 adapter.

    I have pfSense running as a VM. Everything works as expected, but I can't get VMX1 (192.168.0.0/24) to connect to the internet. I know OpenVPN works because if I set a gateway in Firewall-->Rules-->LAN pass Any rule to the ovpnc1 gateway, all traffic from VMX0 (192.168.248.0/21) goes through it and my public IP changes (verified with WTF is my IP?!?!??). I also turned on Manual Outbound NAT and copied the rules to the ovpnc1 interface, and NAT works for the 192.168.248.0 network.

    The DHCP server on VPN (VMX1) is working and assigns 192.168.0.100 to my Ubuntu host, but it has no internet connectivity. ping 192.168.0.1 (address set in Interfaces-->VPN-->Static IPv4) works. ping 8.8.8.8 results in "Network is unreachable". I created a pass ANY protocol ANY destination from source network 192.168.0.0/24 in Firewall-->Rules-->VPN and set the gateway of ovpnc1.

    What did I do wrong here or what did I forget to do? I thought about using static routes, but the ovpnc1 adapter is a dynamic IP so I don't want my static routes to break every time it changes. I can screenshot stuff if needed, just let me know.

    Thanks much!
     
    #1
    Last edited: Dec 7, 2016
  2. gigatexal

    gigatexal I'm here to learn

    Sub'd because I am curious, too.
     
    #2
  3. fractal

    fractal Active Member

    I am no expert but pfSense static routes go to gateways, not IP addresses. I have routes going to gateways associated with interfaces that get a DHCP address and they "just work". I don't know enough about OpenVPN to know whether it creates a gateway you can add to a route.

    The one "trick" was writing the firewall rule. I had to experiment to use the alias / gateway name in a firewall rule, but eventually got it to work.
     
    #3
  4. dlasher

    dlasher New Member

    So what I'm doing is more like your original subject than what your explanation turned out to be, but I figured I'd share anyway.

    INTERFACES:
    ISP1->INTERFACE
    ISP2->INTERFACE
    PARENT LAN->INTERFACE
    KID LAN ->INTERFACE

    GATEWAYS:
    ISP1
    ISP2

    GATEWAY GROUPS:
    LOADBALANCE: ISP1 - tier1, ISP2 - tier1
    FAILOVER : ISP1 - tier2, ISP2 - tier1

    FIREWALL RULES:
    PARENT LAN: IPv4 Default - Advanced - Gateway - Load Balance
    KID LAN: IPv4 Default - Advanced - Gateway - Failover


    So the parents get to use both ISPs, in a load balanced fashion, that auto-magically fails over/back/forth. The kids get ISP2, which will fail over to ISP1, and back if it needs.
     
    #4
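
The first post asks that 192.168.0.0/24 never leave except through the VPN gateway. The added example below (not code from the thread or from pfSense) is a simplified first-match model of the VPN interface rules that checks where the client's traffic goes when the tunnel gateway is down, with and without the "Skip rules when gateway is down" option under System > Advanced > Miscellaneous. The rulesets and the gateway name "ovpnc1" are constructed for illustration.

```python
import ipaddress

def rule(action, src, gateway=None):
    # One rule on the VPN interface tab; destination is "any" in this model.
    return {"action": action, "src": ipaddress.ip_network(src), "gateway": gateway}

def effective_rules(rules, down, skip_rules_when_down):
    """Handle rules whose gateway is down: by default the rule is kept
    without its gateway; with "Skip rules when gateway is down" enabled
    the whole rule is omitted instead."""
    out = []
    for r in rules:
        if r["gateway"] is not None and r["gateway"] in down:
            if skip_rules_when_down:
                continue
            r = dict(r, gateway=None)
        out.append(r)
    return out

def egress(rules, src_ip, down=(), skip_rules_when_down=False):
    """First match wins. Returns 'blocked', 'default-route' (the WAN in
    the thread's topology) or the name of the policy-routing gateway."""
    src = ipaddress.ip_address(src_ip)
    for r in effective_rules(rules, set(down), skip_rules_when_down):
        if src in r["src"]:
            if r["action"] == "block":
                return "blocked"
            return r["gateway"] or "default-route"
    return "blocked"  # nothing matched: implicit deny

# Constructed rulesets. "ovpnc1" stands for the OpenVPN client gateway.
AS_POSTED = [rule("pass", "192.168.0.0/24", gateway="ovpnc1")]
WITH_DENY = AS_POSTED + [rule("block", "192.168.0.0/24")]
HOST = "192.168.0.100"  # the Ubuntu client from the first post

def report():
    cases = {}
    for name, rules in (("as_posted", AS_POSTED), ("with_deny", WITH_DENY)):
        for skip in (False, True):
            cases[(name, skip)] = egress(rules, HOST, down={"ovpnc1"},
                                         skip_rules_when_down=skip)
    return cases

if __name__ == "__main__":
    print("tunnel up:", egress(WITH_DENY, HOST))
    for key, result in report().items():
        print("tunnel down:", key, "->", result)
```

In this model a deny rule placed below the policy-routing pass rule does not stop the fallback to the default route on its own, because the pass rule (minus its gateway) still matches first.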