darthanubis 1 Posted ... thx refresh,....hmmm.....seems to be something to do with my OpenVPN client config getting confused when I added an OpenVPN server for my road trips.... (the interfaces seem to have mixed themselves up in a way I don't understand just yet.....) https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?p=20948
I had the same issue. The pictures are not consistent with the text of the guide.
dIecbasC 38 Posted ... Some coffee and a read of the pfsense manual helped me understand my issue. It was the prioritisation between some floating rules, interfaces and openvpn tab rules (I have server and clients running). I was going out my mind for a while there.....
flat4 79 Posted ... Do you have to buy the manual?
pFsense it works
dIecbasC 38 Posted ... $100 for gold subscription buys you a copy and gives something back to the devs. https://portal.pfsense.org/gold-subscription.php TBH, I learnt so much reading it I wish I had subscribed a year ago...would have saved a chunk of time and pain. It's pretty well written and fairly easy to understand unlike some networking books I've seen.
1 Wolf666 reacted to this
SodaStream 7 Posted ... I used this guide to set up my pfsense, but I'm having trouble duplicating it to create a second airvpn_lan interface named airvpn_lan2. I have a dual port NIC and I want this NIC to handle both the airvpn LANs (1+2). I don't get any LAN or internet access when I'm connecting my PC through the newly created airvpn_lan2 interface.
dIecbasC 38 Posted ... my money is on your missing a NAT rule.....
emerillo 0 Posted ... Hmm anyone encountered this before? On step 7c7 (Second we will set the Localhost outbound NAT) After I enter the port range and click save (1024:65535) - I get the error message "You must supply either a valid port or port alias for the destination port entry." Can't seem to get past this.
UPDATE: Actually I found the problem, I was running pfsense 2.2 where this is apparently a known bug (worked in previous versions, but not 2.2) - I'm currently installing 2.2.1 to see if this resolves it as it should - will update again if it does.
UPDATE2: Yep - can confirm that updating to pfsense 2.2.1 resolves the issue.
flat4 79 Posted ... Hmm anyone encountered this before? On step 7c7 (Second we will set the Localhost outbound NAT) After I enter the port range and click save (1024:65535) - I get the error message "You must supply either a valid port or port alias for the destination port entry." Can't seem to get past this. UPDATE: Actually I found the problem, I was running pfsense 2.2 where this is apparently a known bug (worked in previous versions, but not 2.2) - I'm currently installing 2.2.1 to see if this resolves it as it should - will update again if it does.
Awesome, I appreciated you updating your post so everyone else will not struggle.
pFsense it works
!T4Qf44w9y4^n#ye 0 Posted ... On my Pfsense router I have 2 built in NICs (Gigabyte J1900). Internet goes in to one and the other one goes into my old router which acts as a switch and wifi. Pfsense ---> old router ---> my PCs. Is there anything different I should do? Or can I follow this guide as it is?
dIecbasC 38 Posted ... On my Pfsense router I have 2 built in NICs (Gigabyte J1900). Internet goes in to one and the other one goes into my old router which acts as a switch and wifi. Pfsense ---> old router ---> my PCs. Is there anything different I should do? Or can I follow this guide as it is?
Just make sure you follow the section for machines with two NICs, there's a separate section under the main article. I used it before and it worked fine. You could use your second NIC with a VLAN config to provide the same functionality as the main guide but get the basics working first then you can bolt on the additional bits n bobs.
flat4 79 Posted ... On my Pfsense router I have 2 built in NICs (Gigabyte J1900). Internet goes in to one and the other one goes into my old router which acts as a switch and wifi. Pfsense ---> old router ---> my PCs. Is there anything different I should do? Or can I follow this guide as it is?
Just make sure you follow the section for machines with two NICs, there's a separate section under the main article. I used it before and it worked fine. You could use your second NIC with a VLAN config to provide the same functionality as the main guide but get the basics working first then you can bolt on the additional bits n bobs.
Read the whole thread, please. I have read it more than others because as pfsense was updated, there are issues that pfsense_fan resolved or suggested after the initial guide was published.
pFsense it works
dogshivers 0 Posted ... This is an excellent guide, worked first go. I have one question however. I am using a quad NIC motherboard (supermicro rangely mini-itx), currently assigned as follows: WAN, LAN, AirVPN_LAN, spare. I have an AirVPN_LAN (192.168.123.1/24) and a LAN (192.168.1.1/24), however I am unable to get to the AirVPN_LAN from the LAN.
For example: Using the 'Diagnostic -> Ping' feature I can ping 192.168.123.23 from LAN and AirVPN_LAN, so I am confident the machine is running, and that it doesn't have a local firewall blocking packets.
Interestingly I can ping 192.168.123.1 from the LAN.
However, I cannot ping from a computer on the LAN to the computer on the AirVPN_LAN. 192.168.1.20 -> 192.168.123.23. I never get a response. There is no information in the pfsense firewall logs, so I am wondering if a route or something is missing??
thanks for any help, si
dogshivers 0 Posted ... This is an excellent guide, worked first go. I have one question however. I am using a quad NIC motherboard (supermicro rangely mini-itx), currently assigned as follows: WAN, LAN, AirVPN_LAN, spare. I have an AirVPN_LAN (192.168.123.1/24) and a LAN (192.168.1.1/24), however I am unable to get to the AirVPN_LAN from the LAN. For example: Using the 'Diagnostic -> Ping' feature I can ping 192.168.123.23 from LAN and AirVPN_LAN, so I am confident the machine is running, and that it doesn't have a local firewall blocking packets. Interestingly I can ping 192.168.123.1 from the LAN. However, I cannot ping from a computer on the LAN to the computer on the AirVPN_LAN. 192.168.1.20 -> 192.168.123.23. I never get a response. There is no information in the pfsense firewall logs, so I am wondering if a route or something is missing?? thanks for any help, si
I've managed to work out a solution, not sure if it's the best, but I'll post it on here in the event someone else has a similar requirement. I have added an additional firewall rule on the LAN tab:
Action: Pass
Interface: Lan
TCP/IP: IPv4
Protocol: any
Source: LAN net
Destination: AIRVPN_LAN net
everything else default.
Si.
nova9099 0 Posted ... Gentlemen, Thank you for putting together, and maintaining such a good guide.
I managed to get all the steps of the guide working, but failed when I had to do some configuration on my own. Several issues, so if anybody could help me out I'd appreciate it.
Please keep in mind that I had to dismantle the pfSense setup because the connection was not working satisfactorily, and the GF would not have liked several days without proper web connection.
My Setup:
PC Engines APU w/3 NIC + WiFi Card and pfSense 2.2.1.
"Clear" Internet: 192.168.1.X
"AirVPN" Internet: 192.168.2.X
1) My clearnet has a server (Synology NAS) running several services (web, cloud, etc) and I could not get, no matter how hard I tried, to get WAN traffic to get properly NAT'ed. I added "basic" NAT rules (automatically adding FW rules) based on http://hubpages.com/hub/Port-Forwarding-in-pfSense-How-to-Configure-NAT
2) The Clearnet has a WiFi AP handling WiFi (DD-WRT). Seemed to work fine, but I have devices on it with their own VPN Connection, and no VPN connection was allowed through. This was not a problem at all with my previous setup (just a ZyXEL AP). The VPN traffic was routed through. I am assuming it has something to do with the Firewall, but I have no idea where to start.
3) I could not get the AirVPN port forwarding to work either. I used this guide: https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/page-6?do=findComment&comment=17580
Thank you for any help
hammerman 3 Posted ... Has anyone had a problem with the 2.2.1 update? specifically when i follow the guide and get to step 6 about setting the dns forwarders?
i enable the dns forwarder
ensure that only localhost is selected
check off strict interface binding
then when i attempt to save i get the following error: "the dns resolver is enabled using this port. choose a non-conflicting port, or disable dns resolver."
any ideas?
dIecbasC 38 Posted ... Have you tried following the advice in the error, i.e. "the dns resolver is enabled using this port. choose a non-conflicting port, or disable dns resolver." I would suggest disabling the DNS resolver (not the forwarder)
hammerman 3 Posted ... ok, thanks. after doing some searching . . .
"To configure Unbound on pfSense 2.2, visit Services > DNS Resolver. By default the service is enabled for new installations. Systems upgraded from earlier versions of pfSense would have upgraded with the DNS Forwarder enabled."
for me it is a new installation, so all i have to do is uncheck that and i should be good to go?
dIecbasC 38 Posted ... Your thinking is correct. The error is because port 53, which is used for DNS, is already being used by the DNS Resolver so the DNS Forwarder can't start. Disabling the Resolver and enabling the Forwarder will fix this for you I expect; if it doesn't, come back with the logs and we'll try and help you. If you are starting out with this stuff, stick to the guide exactly to get the foundations working, then play with DNS once you have it up and running. I'd encourage anyone following this guide and learning about networking to read the pfSense manual as it explains a lot of the concepts behind making this work clearly and concisely.
Guest Posted ... This is a WONDERFUL guide! Thank you so much for taking the time to set it up and maintain it. I have but one issue, and I'm sure it has to do with something I've incorrectly configured. I've been back through the guide several times, and I just can't figure out where I am going wrong. I cannot resolve DNS on a PC connected to AirVPN_LAN. I grab a valid 192.168.123.x address. /etc/resolv.conf shows that the DNS server is 192.168.123.1. I can ping a DNS server out in the world (IE OpenDNS @ 207.67.222.222) and get a reply. However, that doesn't really prove anything, as DNS and ICMP are two different ports. I can ping 10.4.0.1. In short, I can ping any address out in the world, but ALL traffic on port 53 seems to be blocked, so DNS resolution is impossible. Any suggestions? Thank you in advance!
dIecbasC 38 Posted ... check your DNS is working on the right interface and verify firewall rules aren't blocking port 53
mlp 10 Posted ... Just a quick note to say that things haven't changed substantially with 2.2.2. Just did a fresh reload with it and it went quite smoothly for the 3 NIC version described here. A few minor changes in the layout, but easy to figure out. Also found these helpful -
Setting up PFSense and AIRVPN - http://irj972.co.uk/articles/pfSense-VPN-setup (although would set up the DNS Forwarder as described in this thread, not as in this link)
Using squid/squidguard as an adblocking proxy - http://irj972.co.uk/articles/pfSense-proxy
Can't say thank you enough for putting this together PFSense_fan!
1 Wolf666 reacted to this
rickjames 106 Posted ... Has anyone tried OPNsense yet? https://opnsense.org/ It looks to be a cleaner fork of PfSense. I've only done minimal testing in VMs but I love the UI and the fact that the system is based on a straightforward FreeBSD layout. They've also added a few of the security features from hardenedbsd. If they continue adding the hardenedBSD patches/enhancements the end result will be far more secure than a standard pfsense install.
flat4 79 Posted ... I've tried it and while the UI is more refined I also notice that it requires more resources for a minimal install. In the 2 weeks I was trying it they released 2 or 3 patches. For me that is too risky to put in production and expect it to work as good as pfSense. I read their "why we decided to fork from pfSense", and one of the things they stated that was wrong with pf is that they went commercial and were catering to paying customers rather than have a good solid product. I am fine with that but then I notice they have also partnered with hardware companies to do the same like pf so really they are no different. I'll stick to a product that has plenty of support.
pFsense it works
rickjames 106 Posted ... I've tried it and while the UI is more refined I also notice that it requires more resources for a minimal install. In the 2 weeks I was trying it they released 2 or 3 patches. For me that is too risky to put in production and expect it to work as good as pfSense. I read their "why we decided to fork from pfSense", and one of the things they stated that was wrong with pf is that they went commercial and were catering to paying customers rather than have a good solid product. I am fine with that but then I notice they have also partnered with hardware companies to do the same like pf so really they are no different. I'll stick to a product that has plenty of support.
There's a bit more to it than that: https://wiki.opnsense.org/index.php/OPNsense:So_why_did_we_fork%3F
From the above link.
Transparency
A real concern with pfSense is transparency. Since Netgate bought the majority share of pfSense and renamed the company to ESF it has been difficult to understand the direction they want the project to go. Removing the tools from github without prior warning and using the brand name to fence off competitors has scared quite a lot of people. Also the license has changed for no apparent reason…
I still use pfsense, but it's far from bulletproof and slow to patch. As much as I hate updating frequently it's worth it imo if the patches are security based. However I agree, it does seem to use a bit more resources. -Still testing it
zhang888 1066 Posted ... Actually, the reason behind the fork seems to be completely another URL https://opnsense.org/support-overview/commercial-support/ So far I didn't see any changes except the GUI and build-tools. And the wallet for commercial support of course.
Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.