dssguy11 Posted ...
Thanks so much, love the way you make it easy to visualize. Will set it up and report back!
dssguy11 Posted ...
Was able to get it going by adding the rule to both interfaces. There were a few other problems, though. Basically, I have a Plex media server that has all my HD movies on it; it's on the Clearnet subnet 192.168.1.xxx, but my computers that need to access the media are all running through the VPN and are on a different subnet, 192.168.2.xxx. So I could not watch movies between subnets. After I put the NAT rules in, I still couldn't see the server. I could ping both gateways but couldn't see the server. Turns out, from reading on the pfSense board, if I turned off Windows Firewall, I could ping the machine across subnets. I had to make a scope rule in Windows Firewall on the server, which allowed me to see the server in Windows Explorer through the firewall. I also had to add the server name and IP into the hosts file of the computer trying to reach the server, so now I can go to Windows Explorer and type \\server and everything shows up. The server doesn't show up in Network Neighborhood, but it works in Explorer if I type the name in. Thanks very much for your guide, I am now going to pay AirVPN for the year.
pfSense_fan Posted ...
Quoting an earlier post:
"That is a great way to do it, I will copy and paste a bunch at the bottom. Just wanted to say thanks for doing this guide, it has made my setup very stable, really liking it, so thanks a lot. I have just one last question. I tried plugging both networks (VPN/ClearNet) into the same switch and they were fighting to hand out IPs to my devices as they powered on, etc. Am I right in thinking that each network needs to be on its own switch and separated? Like take everything I want to go out through the VPN and plug it into switch A, and take everything I don't want to go out the VPN and plug it into switch B? Also, is there a way to make the different segments talk to each other? Thanks again pfsense_fan."

Sorry, somehow I did not see this post and I had overlooked it earlier. I'm glad this guide has helped you; it's good to know it continues to help people. As for the question... if you follow the method listed here, yes (unfortunately) you need more than one switch. The idea was to isolate networks as much as possible for the beginner. It is possible to use a different method, which as of this week I am now using, that only requires one. I don't currently have the time to explain it, but I gave the gist of it in one of my recent posts in this thread. I am working on something new, as I will be announcing after this post.

Quoting dssguy11:
"Thanks so much, love the way you make it easy to visualize. Will set it up and report back!"

Again, thank you! It's good to hear others feel I am explaining things well. Sometimes I struggle with words! Please take a moment to like any post that has helped, or rate the topic for others to see/know if the information was useful. It also lets me know it was well received! Thanks!

Quoting dssguy11:
"Was able to get it going by adding the rule to both interfaces. There were a few other problems, though. Basically, I have a Plex media server that has all my HD movies on it [...] The server doesn't show up in Network Neighborhood, but it works in Explorer if I type the name in. Thanks very much for your guide, I am now going to pay AirVPN for the year."

I use Comodo and not the Windows firewall, but I have no issues seeing services across subnets. If you monitor your firewall logs (you will want to have the logs show more than 50 lines, more like 1000; you will also want them to show newest on top), you will likely learn why. Off the top of my head, you may be inadvertently blocking multicast. There is always a way, it will just require tinkering. Excellent choice on the year subscription! I'm on year two and have been pleased by the service the whole time.
pfSense_fan Posted ...
ATTENTION! All those who follow this guide, please be advised... I just wanted to give everyone who follows this guide a heads up that in the next week or two I will be "ending support" for this guide as it now stands. Over the next few days I will be making some tweaks to the guide that will require everyone's attention if you want to have the tidiest and most functional setup while using the method I described here. If anyone has any questions or suggestions, now is the time to speak up. Although I will still be "around" here and there and will gladly help, I am moving on to bigger and better things. This guide works, but it could be better and I know that now. I don't, however, have the time to create a new one at this juncture. I've spent a portion of each and every free day I've had over the last ten months researching and sharing what I've learned about this stuff. That is way more time than I ever imagined or intended, way too much time... and now life beckons. I no longer have free time to spare, so I leave you all with this guide as it is, which should suffice at least until pfSense 2.2 comes out. I learned so much all along the way while making this guide. I hope you all did too!
dssguy11 Posted ...
All the best to you, buddy, couldn't have done it without you. Can't wait to see and try the new way!!
Lee47 Posted ...
"Hot, 179 replies, 16880 views" shows how popular this thread and guide really are! To date I have yet to see any other VPN provider show such detailed and advanced pfSense guides; most don't, in fact. Would be awesome if Air staff/Air customers supported the progress and development of future pfSense guides.
Dr5GF7mKcX Posted ...
One question: the guide advises turning compression off, yet compression is turned on when setting up the OpenVPN client on DD-WRT, amongst other configurations. Wouldn't turning this on increase efficiency and performance? What a great guide; it made setting up my new pfSense box very straightforward! Thanks ever so.
pfSense_fan Posted ...
Quoting Dr5GF7mKcX:
"One question: the guide advises turning compression off, yet compression is turned on when setting up the OpenVPN client on DD-WRT, amongst other configurations. Wouldn't turning this on increase efficiency and performance?"

It is not turned "off", actually. The setting AirVPN uses is "comp-lzo no", and that option is set manually by us in the string you should be entering in the advanced box on the pfSense OpenVPN client page. "comp-lzo no" means compression is off by default, but the connection can enable it if needed. Glad the guide helped.
rickjames Posted ...
I was helping a friend who picked up a Dell R200 for a pfSense setup and needed additional network adapters. While surfing about he came across the Intel PRO/1000 PT dual port server adapters cheap at Amazon. They're PCI Express 4x/8x/16x only though, just a warning. There's like 13 left in stock atm @ $48: http://www.amazon.com/Intel-1000-Dual-Server-Adapter/dp/B000BMZHX2/ref=cm_cr_pr_product_top/191-8936165-3265336
pfSense_fan Posted ...
They are PCI-e 2.0 and require an x4 slot. I own a number of these and the quad port version as well. A warning with those now older network cards: they are only compatible in PCI Express 2.0 mode. If your BIOS does not have an option to run in that specific mode, it is a known issue with those cards that they may have compatibility issues. Most enterprise/server motherboards have this option, while many consumer level ones do not. Another consideration is that the PRO/1000 PT run quite hot. They can draw 12 watts on their own. The newer I350 only max at about 5. You will need a well ventilated case with fans for the PRO/1000s. The I350 runs much cooler. Unfortunately the I350 costs much more at this point. This is why I recommend people buy server motherboards to build on. The price of these cards is silly, really. The Rangeley Intel Atom boards have a quad port I350 variant on board. That motherboard, which includes the 8 core processor and that quad port NIC, is about $300-$350 depending where you look, $250-$300 if you opt for the quad core CPU version. A quad port I350 goes for $200 on eBay, $300+ retail. Rangeley also has a TDP rating of 20 watts as well. Food for thought. The PRO/1000s do work well though; it just kills me to see people piece together old parts that add up to near the price of newer, faster and more energy efficient builds.
rickjames Posted ...
Quoting pfSense_fan:
"They are PCI-e 2.0 and require an x4 slot. I own a number of these and the quad port version as well. [...] Food for thought. The PRO/1000s do work well though; it just kills me to see people piece together old parts that add up to near the price of newer, faster and more energy efficient builds."

That is why I gave the slot type warning. As for the total cost / old parts, he picked the R200 off lease for sub 100 bucks shipped: 4GB ECC, SATA drive and a Xeon @ 3GHz. Everything on it is functional, and tbh even if it takes a crap, for the price he could just get 4 more. He's not even remotely concerned about his electric bill, nor is he the PC builder type, so this was a quick solution.
hinata Posted ...
VIRTUALBOX FREAKIN' VERIFIED!!! AMAZING GUIDE, I can now create my heart's content of virtual machines that are routed through virtual pfSense and my VPN!!!! AMAZING JOB, I appreciate this post more than you can believe; if you had a bitcoin donation address I would have sent you some bitcoins... Well, great job again! Here is a screenshot of my success. If you need help, I can help the folks with specific questions related to VirtualBox! <3xo - Hinata, Network Administrator at Hogwarts School of Witchcraft and Wizardry
lydianajihah82 Posted ...
Is there any way to use these DNS leak rules and configuration with captive portal? It seems that with this config, captive portal is not redirecting. Best regards
AlienBee Posted ...
I must say that this must be one of the most well written tutorials I've seen in a long time. Good work, pfSense_fan! I know that you don't update this post, but I'll ask anyway. Maybe someone else has any ideas. The problem is that I would like a way to exclude certain ports (applications) on a specific IP from going through the VPN. My setup is as follows:
em0 -> WAN
em1 -> Servers 192.168.10.0/24 (Clear-NET)
em2 -> LAN 192.168.20.0/24 (VPN)
em3 -> WLAN 192.168.30.0/24 (VPN)
This works well for the most part. But I would like to be able to use my gaming computer through VPN and still be able to send game traffic on "Clear-NET". Is this possible, or am I just tired? Any suggestions are more than welcome! Regards
darthanubis Posted ...
Thank you so much! I'm new to pfSense, coming from Smoothwall, Zentyal and ClearOS. These instructions just made me a pfSense fan! A small point: Part 6D, where it says airvpn_lan, those of us using only two NICs atm never get to the part of the guide to create that interface, so for us it would just be lan. I had to take a guess there. I messed up and did not select TCP AND UDP in the DNS firewall rule, and leaked my IP with a reverse DNS lookup. I learned the hard way that reverse DNS lookup is done via UDP. Thank you so much for allowing me to better enjoy AirVPN! PS. I've tried using Squid with this, but Squid leaks the IP address. Is there a way to use Squid without my real IP leaking? ETA: Have you tried swapping in Unbound as a DNS forwarder? I have had no success in doing so. DNS resolution fails on the clearnet. Unbound was not working due to user error. I had not followed instructions and specified DNS server 192.168.1.1 for the LAN in DHCP settings. All is perfect now! Can't forward ports even after following your port forward guide.
darthanubis Posted ...
Quoting rickjames:
"I was helping a friend who picked up a Dell R200 for a pfSense setup and needed additional network adapters. While surfing about he came across the Intel PRO/1000 PT dual port server adapters cheap at Amazon. [...]"

I just got one of these and a Denon receiver for $20.00!!! I tipped the shop another $4. Best ste...deal ever!
darthanubis Posted ...
Quoting an earlier exchange from this thread:

"Hi, still can't get it to work. I have a static IP address set for my PC through pfSense. I followed the steps here: https://airvpn.eu/topic/10214-how-to-port-forward-pfsense-using-airvpn/?hl=+port++forward for port forward settings... I have the interface set to airvpn_wan and I used create new associated filter rule. But it's not too clear for the outbound rules... it mentions "redirect target ip section" but I don't see that. What are the correct settings for the outbound rules for the interface and destination address? It mentions the router IP address. Does it matter if that's 192.168.1.1 or 192.168.123.1? Or is the destination address that of the PC? I take it that all port entries should be the same? Should I be enabling UPnP, or does that make a difference?"

Reply:
"You should not have to do anything to the outbound NAT for a port forward. Our outbound settings were taken care of in the guide. No further mods are necessary unless you are doing some other sorts of selective routing to a different gateway. I whipped together a port forward guide, but have not had anyone test it yet. You can try it if you like. If you don't see the redirect target IP, you may be in the wrong section. As far as the "router" IP address, those settings are "drop down" menus. Pick the one listed in my guide, EXACTLY. Aside from your redirect to your internal computer, tick for tick exactly as stated.

VPN Port Forwarding
The following is a basic guide on how to port forward on your AirVPN connection to a service running on your network. This will work for those of you using BitTorrent, as I know how much you all like to download and share your favorite Linux and BSD distributions...

1.) The first thing we need to do is log into airvpn.org and forward our port or ports.
2.) Next we need to navigate to Firewall > NAT > Port Forward. Go To: http://192.168.1.1/firewall_nat.php -or- https://192.168.1.1/firewall_nat.php
3.) Set as follows:
Disabled = [_] (unchecked)
No RDR (NOT) = [_] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ TCP/UDP ▼] (TCP, UDP or TCP/UDP depending on your uses)
Source = [_] not (unchecked); Type: [ any ▼]; Address: [______]/[ 31 ▼] (blank/greyed out)
Source port range = from: [ Any ▼] to: [ Any ▼]
Destination = [_] Not (unchecked); Type: [ AirVPN_WAN address ▼]; Address: [______]/[ 31 ▼] (blank/greyed out)
Destination port range = from: [ (other) ▼] [NOTE *1] to: [ (other) ▼] [NOTE *2]
  *1: Port, first port of a range, or alias of ports you forwarded at AirVPN.org
  *2: Same port as above, or ending port of a range you forwarded at AirVPN.org
Redirect target IP = [NOTE *3]
  *3: IP of your target PC/device. This is best if you have your device assigned a static IP
Redirect target port = [ (other) ▼] [NOTE *4]
  *4: Same port as "Destination port range = from:" as entered above (Note 1)
Description = [✎ WHATEVER NAME YOU CHOOSE]
No XMLRPC Sync = [_] (unchecked)
NAT reflection = [ Use system default ▼]
Filter rule association = [ Create new associated rule ▼]
4.) Click [ Save ]
5.) Click [ Apply Changes ]
MORE INFO AT PFSENSE DOCS

EDIT: Also, after setting the port forward, go over to your AirVPN_WAN firewall rules and make sure the associated rule is above/on top of any other rules you may have, if any.
EDIT 2: Also consider that you need to have the ports you forwarded on pfSense also opened on the firewall of the PC you have, if it has a firewall.
EDIT 3: You also need to set the external AirVPN IP address (as shown on the overview page when you log into the client area on airvpn.org) in your BitTorrent, FTP program etc., or else it does not broadcast the proper return address."

I could really use some help at this point. Particularly, could Edit 3 be clarified? Do I put the "Mapped to public IP:" or the "Forwarded to:" IP in the Destination Address? Or where do I put that exactly, as there is no place in my torrent clients to specify my WAN IP, and if Destination Type is set to AirVPN_WAN address, nothing can be typed in the Destination Address field. Maybe hammerman can give me a screenshot of his working setup, sans IP addies of course?
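The port-forward checklist quoted above (interface = AirVPN_WAN, destination = that interface's address, target port equal to the destination port, an associated filter rule kept on top of the interface's rules) and darthanubis's earlier note about a DNS rule that allowed TCP but not UDP both come down to settings that are easy to get wrong in the GUI and easy to check in the exported configuration. The script below is an added example for this thread, not code from the thread or from pfSense: it reads a pfSense-style config.xml and flags the mistakes both posts describe. The element names it relies on (<nat><rule>, <filter><rule>, <associated-rule-id>, <target>, <local-port>, destination <network> values such as opt1ip) are my assumption about the config.xml layout, and the embedded config is constructed for the example, with opt1 standing in for AirVPN_WAN and lan for the VPN-side LAN.

```python
"""Audit a pfSense-style config.xml for the port-forward and DNS-rule mistakes
discussed in this thread. Added example; not from the thread or from pfSense.
Element names below are an assumption about pfSense's config.xml layout."""
import xml.etree.ElementTree as ET

# Constructed sample config (not a real export). opt1 = AirVPN_WAN (the OpenVPN
# client interface), lan = the VPN-side LAN. One forward follows the guide, one
# does not; the DNS rule passes TCP only.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <interface>opt1</interface>
      <protocol>tcp/udp</protocol>
      <destination><network>opt1ip</network><port>51413</port></destination>
      <target>192.168.2.10</target>
      <local-port>51413</local-port>
      <associated-rule-id>nat_ok</associated-rule-id>
      <descr>torrent box</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><network>wanip</network><port>22000</port></destination>
      <target>192.168.2.11</target>
      <local-port>22000</local-port>
      <descr>broken forward</descr>
    </rule>
  </nat>
  <filter>
    <rule>
      <interface>opt1</interface>
      <protocol>tcp/udp</protocol>
      <associated-rule-id>nat_ok</associated-rule-id>
      <descr>NAT torrent box</descr>
    </rule>
    <rule>
      <interface>lan</interface>
      <protocol>tcp</protocol>
      <destination><address>192.168.2.1</address><port>53</port></destination>
      <descr>DNS to pfSense only</descr>
    </rule>
  </filter>
</pfsense>"""


def _text(elem, path):
    """Text of the first child at `path`, or '' if absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def check_port_forwards(root, vpn_iface):
    """Apply the guide's checklist to every <nat><rule>; return findings."""
    findings = []
    filter_rules = root.findall("filter/rule")
    by_id = {_text(r, "associated-rule-id"): r for r in filter_rules}
    for rule in root.findall("nat/rule"):
        name = _text(rule, "descr") or "<unnamed>"
        iface = _text(rule, "interface")
        if iface != vpn_iface:
            findings.append(f"{name}: interface is '{iface}', expected '{vpn_iface}'")
        dest = _text(rule, "destination/network")
        if dest != f"{vpn_iface}ip":
            findings.append(f"{name}: destination is '{dest}', expected '{vpn_iface}ip' (interface address)")
        if _text(rule, "destination/port") != _text(rule, "local-port"):
            findings.append(f"{name}: redirect target port differs from destination port")
        rid = _text(rule, "associated-rule-id")
        if not rid or rid not in by_id:
            findings.append(f"{name}: no associated filter rule, redirected traffic will be blocked")
            continue
        # The guide's EDIT: the associated rule must sit on top of that interface's rules.
        on_iface = [r for r in filter_rules if _text(r, "interface") == iface]
        if on_iface and on_iface[0] is not by_id[rid]:
            findings.append(f"{name}: associated rule is not the first rule on '{iface}'")
    return findings


def check_dns_rules(root, lan_iface, dns_port="53"):
    """Flag LAN rules for port 53 that allow only one of TCP/UDP (the reverse-lookup leak)."""
    findings = []
    for rule in root.findall("filter/rule"):
        if _text(rule, "interface") != lan_iface or _text(rule, "destination/port") != dns_port:
            continue
        proto = _text(rule, "protocol")
        if proto != "tcp/udp":
            name = _text(rule, "descr") or "<unnamed>"
            findings.append(f"{name}: DNS rule protocol is '{proto}', should be 'tcp/udp'")
    return findings


def audit(config_xml, vpn_iface="opt1", lan_iface="lan"):
    """Return all findings for a config.xml string."""
    root = ET.fromstring(config_xml)
    return check_port_forwards(root, vpn_iface) + check_dns_rules(root, lan_iface)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("WARN", line)
```

Run it against a real backup with `audit(open("config.xml").read(), vpn_iface="optN")`, where optN is whatever pfSense assigned to the AirVPN_WAN interface; on the constructed sample it reports the wrong interface and destination, the missing associated rule, and the TCP-only DNS rule, and says nothing about the forward that follows the guide.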
Lee47 Posted ...
I did not bother with Edit 3 and it still works, but yeah, I saw no real place within the torrent apps I tried them in; may have missed it though. Otherwise give it a go just to see if it works and the torrent apps show green and it's forwarded? The only thing I did was go to port forwarding under the Air client website and click add port, and it auto gives a port; keep that jotted down for the pfSense PF guide. Then I logged into pfSense > Services > DHCP Server, clicked the Air tab and scrolled to the bottom where "DHCP Static Mappings for this interface" is mentioned, hit the + and clicked copy my MAC address, and then added an IP address. Remember the IP address you choose must be outside the range, i.e. if your range starts at 192.168.1.100 you can choose below that, i.e. 192.168.1.10. It was only after I added this IP address that port forwarding worked fine for me. Now I can run any torrent client, add that Air forwarded port in settings, and after a minute or 2 of downloading an Ubuntu ISO it goes green and it's forwarded, and I get fuller speeds while downloading; without it, there's a red cross under the PF test and poorer speeds.
darthanubis Posted ...
Quoting an earlier post:
"Appreciate the feedback. For ad blocking I've configured SquidGuard with Shalla's blacklist. Works well enough and was very simple to configure. Nice advantage is it strips advertising out at a core network level, so all mobile platforms like iPad and Nexus browsing benefit too."

I've found running Squid on my AirVPN LAN will reveal my local IP! And you can't seem to run Squid on both connections without leaking your IP. Have you seen this in your implementation of Squid on your network? If not, could you share which networks you have Squid bound to?
darthanubis Posted ...
Quoting an earlier post:
"Hey Refresh. I've only been up and running for about 12 hours so too early to report on performance metrics right now. What I can say is that the i5-3470T I went with (cheapest vPro, AES-NI capable) sits at 1-5% and hardly breaks a sweat. Currently idling at 41degC in a Euler case. I'll put the build thread on my blog in the next day or two. Power consumption is 18W on minimum (i.e. max power saving) and 20W when run without any PowerD stuff. 10%, but in literal terms, next to nothing in it. Currently configured Snort, Squid, SquidGuard and playing about optimising their performance areas. Even 8GB of RAM, which seemed like I cheaped out (it was meant to be cheap!), seems like total overkill right now. Dashboard reporting I'm using 6% of 7983MB. Really liking being able to strip adverts at the gateway to my home network as it makes browsing on tablets a much more enjoyable experience."

Using Squid, is your IP leaking? If I use Squid for my AirVPN connection, speedtest.net will reveal my real IP! Snort works on the connection, but Barnyard2 does not, nor does Suricata. pfSense 2.1.5.
rickjames Posted ...
Quoting darthanubis:
"Using Squid, is your IP leaking? If I use Squid for my AirVPN connection, speedtest.net will reveal my real IP! Snort works on the connection, but Barnyard2 does not, nor does Suricata. pfSense 2.1.5."

Just set up a pass list for the Suricata interface and pass the AirVPN IP. Might also wanna set Suricata to suppress alerts/logging from: pfSense WAN -> AirVPN / AirVPN -> pfSense WAN. I set up a friend's firewall similar to this, but he also runs OpenVPN on a machine behind pfSense. In his case pfSense is just a brutal perimeter firewall and a secondary block in case the VPN drops.
darthanubis Posted ... (edited)
Quoting Lee47:
"I did not bother with Edit 3 and it still works [...] It was only after I added this IP address that port forwarding worked fine for me. Now I can run any torrent client, add that Air forwarded port in settings, and after a minute or 2 of downloading an Ubuntu ISO it goes green and it's forwarded [...]"

Thank you for your reply. This is driving me mad, because I have done exactly what you have detailed. Something must be different with my setup, but I keep going over the guide to see if I missed anything, and I just can't open a port. uTorrent in Windows gives me two green checks only if I turn on UPnP in pfSense. Is there anything anyone can think of that would be preventing me from opening a port?
darthanubis Posted ...
Ok, so I can forward ports via clear LAN + AirVPN client, Windows and Linux. But I cannot forward ports from AirLAN to AirWAN via pfSense. WTF?!? Anybody have any idea how that can be? I can download, watch YouTube videos, everything, but open a port. So, I'm going to go through this setup for the 6th time. I can't imagine how my setup varies from you guys'.
darthanubis Posted ...
SYN-ACK is getting sent out the WAN while it should go out the OVPN. Now I need to figure out why.
Wolf666 Posted ...
I am stuck with port forwarding too.