clearsight (Posted ...):
Hey, is there a possibility that something in this guide causes a system to freeze? Here is my problem: I have two small thin clients by Zotac.
System 1 - ID91 / i3-4130T / H81 chipset / 4GB RAM / 250GB SSD - pfSense 2.3.2.1
System 2 - Nano CI323 / N3150 / Intel chipset / 8GB RAM / 60GB SSD - pfSense 2.3.2.1
Both systems have this guide applied: System 1 completely, System 2 only up to Step 7-C. The reason why I did not fully apply the guide to System 2 is that if I go further, something causes the system to loop an error (I think it is the option with ACPI... power etc.) and the system reboots and repeats the errors (can't read them anyway because it is scrolling much, much too fast).
Anyway, to my problem. I already posted my problem in the troubleshooting forum, but I could not solve it. Now the problem has gotten bigger, because at first I thought it was an issue only with System 1. The system froze when I used Amazon Prime Video. All of a sudden, without a noticeable pattern, it freezes. I have no clue what causes it exactly, but it is always the case with Amazon Prime Video. Like I said, I thought it was only a problem of System 1 (Zotac ID91). After some weeks now, I had the idea to just use the other PC, System 2 (Zotac Nano CI323). But to my fucking surprise even that system, which is not linked to System 1 at all, also freezes on Amazon Prime Video.
I am no crack at pfSense at all. That is why I am very glad for this guide. But I am pretty desperate to get any clue how to solve the freezes. The only thought I have is that it has something to do with a setting in the guide which causes such behaviour. What is wrong =( Please help.
AtariSoul (Posted ...):
Thank you for this guide. I could not have worked out this config without it. The problem I have is that when working from home my work laptop uses Cisco AnyConnect IPsec. I have left the 2 default ISAKMP outbound NAT rules but it doesn't work. My workaround is to restore my non-VPN backup for work, then restore back afterwards. I am a noob when it comes to this and I wondered if it is possible with pfSense_fan's setup to allow a work VPN tunnel through? Thanks in advance
go558a83nk (Posted ...):
> [quoting AtariSoul's question above]
Create NAT and firewall rules that allow your work computer out via the WAN, not the VPN. My suggestion is to create aliases: one alias for devices you want through the VPN, another for devices you want through the WAN. Or you might create just one alias for VPN devices, and by default new devices will go via WAN. I figured this was best for when I have guests; they probably don't want to be going through the VPN. Then edit and/or create NAT and firewall rules using those aliases.
MrConducter (Posted ...):
I finally got this all done and it's working awesome. I couldn't have done it without your guide, thank you so much!
AtariSoul (Posted ...):
> [quoting AtariSoul's question and go558a83nk's reply above]
Thanks for your help go558a83nk. I think I have worked this out, but I have not done this before, so it's a bit of a learning curve. I have static IPs with ARP entries.
1. Created a list of devices that I want to have a clear path to the WAN: Firewall / Aliases / IP, with FQDN hostnames like "mydevice.localdomain".
2. Created an Outbound NAT rule at the top of the list using:
   Interface: WAN
   Source: my alias of devices
   Source port / Destination / Destination port: *
   NAT Address: WAN_DHCP address
   NAT Port: *
3. Created a rule under Firewall / Rules / AirVPN_LAN using:
   Protocol: *
   Source: my alias of devices
   Source Port: *
   Destination: *
   Destination Port: *
   Gateway: *
Does this sound like the correct way of doing this? IPLEAK shows my AirVPN IP; I simply put my device in my alias list and it shows my ISP's exp IP. Any new device, or one not listed in my alias, automatically uses the VPN. If it matches the FQDN / IP in my alias then it doesn't. Well, this is what I intend anyway, although I haven't tried the VPN on my work laptop yet.
I'm wondering if I need to also open UDP 500? Thanks for your help. Does this sound like the correct way of doing this?
go558a83nk (Posted ...):
Looks good to me. The only thing I'm not sure about is your use of FQDN in the alias creation. I created my aliases with just IP addresses, and I'm using static with ARP like you. You shouldn't need to open any port for your work laptop VPN. My wife uses her work laptop VPN no problem. I'm betting it's the same stuff.
AtariSoul (Posted ...):
Thanks, I appreciate your help. When I added the FQDN in the alias list I tried just the host name at first, but it needs .localdomain, otherwise it doesn't work, which makes sense. I tried my work laptop and it worked! I just need the wife to try her work Surface Pro now. Cheers
esoteric_aphorism (Posted ...):
Can't seem to find a guide to create a static IP pass rule; need to get some Macs watching Netflix past the firewall.
SunshineSuperman (Posted ...):
> [quoting esoteric_aphorism's question above]
Do a search for 'pfSense Selective Routing'. Essentially, you'll need to NAT the VPN_LAN to WAN as well (duplicate step 6C, but the interface is WAN)... and then set the appropriate gateways for each VPN_LAN & Floating firewall rule (under advanced options when you edit them). There may be additional changes needed to open this up - pfSense_fan appears to have locked down this guide pretty well. Be careful. Test well. SS
SunshineSuperman (Posted ...):
> Why isn't this stickied yet???
Agreed. This thread should replace pfSense_fan's original "How to Set Up pfSense 2.1 for AirVPN" that is linked from the Enter page when you click "pfSense"...
Wolf666 (Posted ...):
And the guide is still valid for pfSense 2.4, which I am using.
Sent from my iPad using Tapatalk
framura (Posted ...):
Hi, great guide: I followed it with my OPNsense (pfSense's fork) box and all works very well. I would also like to use a forward proxy (squid) on my OPNsense box and force it to use the VPN connection, but until now I haven't been able to (squid always uses the default gateway). I would like to know if you have any suggestions on this topic. Thanks in advance
Mufasa (Posted ...):
> [quoting framura's question above]
I had the issue with squid; it would always leak no matter what I tried on the same instance. I got around the problem by installing Windows Server 2012 on the machine, then creating 2 Hyper-V machines: one for the VPN using this tutorial, and the 2nd handles the DHCP and squid. The author himself said on the old thread of this tutorial that getting both VPN and squid to work together does not work.
framura (Posted ...):
> [quoting framura's question and Mufasa's reply above]
Thanks for your reply Mufasa. I adopted a similar solution (I used a Linux virtual machine with squid proxy), but it seems very strange not being able to run squid proxy on pfSense/OPNsense on the same machine: I tried with some firewall rules (both on the LAN side and the floating rule side) without success. I will try again (I do not give up).
pfSense_fan (Posted ...):
> [quoting framura's question, Mufasa's reply and framura's follow-up above]
It will not work and cannot work unless you manually program static routes. The proxy is coded to exit the WAN/default gateway and there is no setting to policy-route it to the VPN. Setting this up is something that is well outside the scope of what this tutorial is intended for, and something that quite literally probably no one at this forum can assist with. If you truly want squid to work, ask questions over at the pfSense forums. This guide is meant to be entry level for beginners. Setting up squid is very involved. Even if you get it to "work", it may leak. I personally gave up on it. If you were to ask me, I would tell you to look into pfBlockerNG instead. I have it running and blocking roughly 600,000 known ad servers, malware servers and other junk on both a DNS and IP level. The lists auto-update and reload on a schedule.
But then again, I don't know what your use case is. For what it's worth, pfBlockerNG is easier to use and set up, and more reliable in my experience.
EDIT: Then I noticed you are on OPNsense. Consider moving back over to pfSense for pfBlockerNG... it really is the game changer.
DZMM (Posted ...):
Thanks for a brilliant guide. I've been trying to set up pfSense for around a month now and this is the first time I've completed a guide where I haven't been scared I've left a backdoor open somewhere. I have one small problem I'm hoping to fix. My modem (192.168.1.254) doesn't have an access point mode, so I've left DHCP on, put my pfSense box in its DMZ at 192.168.1.1 and then created a new network 172.30.xx.xx for devices connected to the pfSense. My problem is I can't connect to 192.168.1.254 anymore - did I get one of your rules slightly wrong, or do I need to add 192.168.1.0/xx to PRIVATE_NETWORKS? Thanks in advance
go558a83nk (Posted ...):
> [quoting DZMM's question above]
You'll need to allow access to the WAN interface for destination 192.168.1.254 in your outgoing NAT rules and in your LAN firewall rules.
DZMM (Posted ...):
I managed to get access by adding one rule rather than two... - did I do it safely?
[attachment: router.png]
go558a83nk (Posted ...):
> [quoting DZMM's post and screenshot above]
I said you'd need a NAT rule and a LAN firewall rule. That is, Firewall > Rules > LAN, and allow outgoing via the WAN interface to the router. Since it works already, I'm concerned that something is wrong with your rules, as this guide makes everything go out via the VPN interface only, if I recall correctly.
DZMM (Posted ...):
> [quoting DZMM's post and go558a83nk's reply above]
I've just walked through the guide to be sure, and the only steps where I diverged were:
- "Step 6-A: Configuring the AirVPN_LAN Interface", where I set my IPv4 address as 172.30.12.1, so I have to leave my router's DHCP on
- "Step 6-B: Setting up the DHCP Server for the AirVPN_LAN Interface", as my LAN DHCP range is 172.30.12.100 - 172.30.12.199
Re-reading the guide has been useful, as I've tweaked my outbound rule and I think it makes sense and is safe. If I'm correct:
- Rule 1 allows traffic from the LAN to go out over the VPN connection
- Rule 2 allows traffic from the firewall to go out over the VPN connection
- Rule 3 allows traffic from the firewall only to go over the WAN
- New Rule 4 allows traffic from the LAN to go to 192.168.1.254 - i.e. a rule added because 192.168.1.254 isn't on my LAN or the WAN and is kind of sitting in no-man's land on another local network on its own. I've changed it to 192.168.1.254/32 so that only 192.168.1.254 can be reached rather than 192.168.1.1-192.168.1.254.
My remaining concern, though, is: does this allow devices to connect to the router and bypass the VPN? If so, then I can disable this rule and only enable it if I need to connect to the router - rare now that pfSense is my firewall and handles DHCP.
go558a83nk (Posted ...):
You're still only looking at NAT outbound. I told you I'm concerned about your Firewall > Rules > LAN (NOT Firewall > NAT > Outbound).
DZMM (Posted ...):
> [quoting go558a83nk's reply above]
I've double-checked and I think they are right.
[attachment: download (1).png]
go558a83nk (Posted ...):
> [quoting go558a83nk's reply and DZMM's screenshot above]
OK. My setup is different from the guide, so I'm not familiar with what rules are suggested. The rule allowing destination "private networks" and "LAN service ports" is what is allowing access to the modem already.
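The selective-routing scheme worked out in this thread (an alias of devices that leave via the WAN while everything else leaves via the VPN, plus DZMM's 192.168.1.254/32 rule for the modem and the broad "private networks" rule go558a83nk points to) can be sanity-checked with a small first-match rule model. This is an added example, not code from the guide, from pfSense or from any poster; the alias contents, addresses, gateway labels and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample aliases in the spirit of the thread (not exported from a real box).
ALIASES = {
    "WAN_DEVICES": ["172.30.12.10", "172.30.12.11"],                       # hosts that skip the VPN
    "PRIVATE_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918 space
}

@dataclass
class Rule:
    name: str
    src: str = "any"        # alias name, single IP / CIDR, or "any"
    dst: str = "any"
    gateway: str = "VPN"    # constructed label for where a matching packet leaves: "VPN" or "WAN"
    action: str = "pass"

def _matches(selector: str, ip: str) -> bool:
    """Alias-aware match: expand an alias to its entries, else treat the selector as one network."""
    if selector == "any":
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in ALIASES.get(selector, [selector]))

def first_match(rules, src, dst) -> Optional[Rule]:
    """pfSense interface rules are first-match; None models the implicit default deny."""
    return next((r for r in rules if _matches(r.src, src) and _matches(r.dst, dst)), None)

def exit_via(rules, src, dst) -> Optional[str]:
    """Gateway label assigned by the first matching pass rule, or None if the packet is dropped."""
    r = first_match(rules, src, dst)
    return None if r is None or r.action != "pass" else r.gateway

# Tight rule set: listed devices and the modem /32 leave via WAN, everything else via VPN.
TIGHT = [
    Rule("listed devices skip VPN", src="WAN_DEVICES", gateway="WAN"),
    Rule("modem only", dst="192.168.1.254/32", gateway="WAN"),
    Rule("catch-all to VPN"),
]
# Loose variant: a broad "private networks" pass rule sitting above the rest, as in the last reply.
LOOSE = [Rule("private networks", dst="PRIVATE_NETWORKS", gateway="WAN")] + TIGHT

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT), ("loose", LOOSE)):
        for src, dst in (("172.30.12.10", "1.1.1.1"), ("172.30.12.50", "1.1.1.1"),
                         ("172.30.12.50", "192.168.1.254"), ("172.30.12.50", "192.168.1.100")):
            hit = first_match(rules, src, dst)
            print(f"{label:5} {src} -> {dst}: {exit_via(rules, src, dst)} ({hit.name if hit else 'deny'})")
```

Under the tight set the /32 rule reaches only the modem and every other host on 192.168.1.0/24 still goes out the VPN, whereas the broad "private networks" rule matches the whole 192.168.1.0/24 and so already covers the modem, which is the point made in the final reply.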