Selectively packet routing to AirVPN gateway on pfSense2.1

[tpursley 0]

 Right now the home internet gateway is a PFsense 2.1 FreeBsd firewall/router/proxy/VPN EXSi VM. So, I had everything working correctly in the following configuration.

 

Client A, B, or C --> Wireless Router/AP (also serves as DHCP/DNS server (DNSCrypt with opendns)) --> PFsense VM (Firewall-->Squid Cache Proxy-->HAVP Parent Proxy (socket virus scanner to help prevent viruses before they hit your network)-->WAN))

 

I had everything in the above scenario working successful to include NAT port forwards coming back in, Squid Proxy set to transparent mode, the only one I am going to have to remove from the picture (do not want to) is HAVP because it works once the VM is started after the initial package install, but after a restart the service will not stay up steady (further research shows the latest HAVP package has issues with the PFsense 2.1 version)

 

So the next step I would like to take this is the following scenarios if even technically possible with the listed components.

 

1) Client A:

a. Client A port 80/443 -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN)

b. Client A all other ports and protocols -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN)

 

 

2) Client B all traffic-->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN)

 

3) Client C (Chromecast or Roku Streaming Device)-->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN)

 

But this is what I have gotten when I tried this with VPN, note WAN interface is set as default gateway and VPN interface just as a normal gateway.

 

1) Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN) with standard interface firewall rules and transparent mode enabled on squid. 

 

2) Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->WAN) with standard interface firewall rules and transparent mode disabled on squid. 

 

3) Client A, B, or C all traffic -->Wireless Router -->PFsense VM (Firewall-->Squid Cache Proxy-->VPN) with interface firewall rules change to pass traffic to the VPN gateway, the VPN gateway set to default,  and transparent mode disabled on squid. 

 

Configuration 3’s settings above are the least ideal as I would like squid in transparent mode and the WAN as the default gateway.  In configurations 1 and 2 I tried using Floating firewall rules which are supposed to be parsed before interface rules to pass data from the LAN interface under given desired scenarios to the appropriate gateway with no success. As I understand it PFsense firewall rules are just iptable routes on the backend BSD. Also as I understand squid proxy when install sets up “blind” invisible rules in the background, when transparent mode is enable it automatically routes all HTTP/s traffic on the LAN to its local port and passes it up to the upstream interface and when not enabled static rules have to be defined which could be a lot. From testing in transparent mode it seems squid overrides firewall rules, but maybe that is inaccurate since it has its own rules in the background. I may have to get rid of squid to route everything the way I want to or maybe I just need to setup floating rules that pass specific LAN traffic to the Squid port and then have a subsequent rule that passes it from the squid port to the WAN or VPN gateways. 

 

If I could get the above to work what would be really cool is if I was able to define somehow on the IPtables if one of the routes/rules to the VPN Gateway loses connection it automatically falls back to the WAN gateway.

 

Any ideas? Thanks 

 

[pfSense_fan 181]

First things first, pfSense does not use iptables. Iptables is a feature for the Linux Kernal.

 

pfSense uses "pf" hence it's name... making sense of pf. pfsense and pf are based off BSD and have nothing to do with Linux.

 

https://en.wikipedia.org/wiki/Iptables

https://en.wikipedia.org/wiki/PF_%28firewall%29

 

I have no experience with virtual machines and won't be much help in regards to trouble shooting, however I can tell you that when having more than one gateway active, my floating firewall rules are wonky at best. I stopped using them for rules on each intended interface.

[tpursley 0]

Thank you for the clarification, that is good information, I just assumed wrongly the rules correlated to back-end iptables. Do you know how a Squid proxy in transparent mode affects the rules? Also have you been able to successfully route traffic from individual IP endpoints to separate gateways? In order to route to a gateway does it have to be marked as default because you cannot seem to mark more than one as default? I read somewhere that you can setup multi-wan to rectify this, but I do not know if that would apply in this situation. I think that applies to to physically separate WAN connections, not a WAN and a VPN.

 

Thank you for your help.