pfSense_fan

How To Set Up pfSense 2.3 for AirVPN


Hey

 

Is there a possibility that something in this guide causes a system to freeze?

 

Here is my problem:

I have two small thin clients by zotac.

System 1 - ID91/i3-4130T/H81 Chipset/4GB RAM/250GB SSD - pfsense 2.3.2.1

System 2 -Nano CI323/N3150/Intel Chipset/8GB RAM/60GB SSD - pfsense 2.3.2.1

Both systems have this guide applied. System 1 completely, System 2 only to Step 7-C. The reason why I did not fully apply the guide to System 2 is that if I go further, something causes the system to loop an error (I think it is the option with ACPI... power etc.) and the system reboots and repeats the errors (can't read them anyway because they scroll by much, much too fast). Anyway, to my problem.

I already posted my problem in the troubleshooting forum, but I could not solve it. Now the problem has gotten bigger, because at first I thought it was an issue only with System 1.

The system froze when I used Amazon Prime Video. All of a sudden, without a noticeable pattern, it freezes. I have no clue what causes it exactly, but it is always the case with Amazon Prime Video. Like I said, I thought it was only a problem of System 1 (Zotac ID91).

After some weeks now, I had the idea to just use the other PC, System 2 (Zotac Nano CI323). But to my fucking surprise even that system, which is not linked to System 1 at all, also freezes on Amazon Prime Video.

 

I am no pfSense expert at all. That is why I am very glad for this guide. But I am pretty desperate to get any clue how to solve the freezes.
The only thought I have is that it has something to do with a setting in the guide which causes such behaviour.

 

What is wrong =(

Please help.


Thank you for this guide. I could not have worked out this config without it.

 

The problem I have is that when working from home my work laptop uses Cisco AnyConnect IPsec. I have left the 2 default ISAKMP outbound NAT rules but it doesn't work. My workaround is to restore my non-VPN backup for work, then restore back afterwards.

 

I am a noob when it comes to this and I wondered if it is possible with pfsense_fan's setup to allow a work VPN tunnel through?

 

Thanks in advance


Create NAT and firewall rules that allow your work computer out via the WAN not VPN.

 

My suggestion is to create aliases. One alias for devices you want through the VPN, another for devices you want through the WAN. Or you might create just one alias for VPN devices, and by default new devices will go via WAN. I figured this was best for when I have guests; they probably don't want to be going through the VPN.

 

Then edit and/or create NAT and firewall rules using those aliases.


Thanks for your help go558a83nk

 

I think I have worked this out, but I have not done this before, so it's a bit of a learning curve.

 

I have static IPs with ARP entries.

 

1. Created a list of devices that I want to have a clear path to the WAN. Firewall / Aliases / IP with FQDN hostnames like "mydevice.localdomain"

 

2. Created an Outbound NAT at the top of the list using 

Interface: WAN

Source: My alias of devices

Source / destination / destination port: *

NAT Address: WAN_DHCP address

NAT Port: *

 

3. Created Firewall /  Rules / AirVPN_LAN using

Protocol: *

Source: My alias of devices

Source Port: *

Destination: *

Destination Port: *

Gateway: *

 

Does this sound like the correct way of doing this? 

 

IPLEAK shows my AirVPN IP, I simply my device in my alias list and it shows my ISP's exp IP

 

Any new device, or one not listed in my alias, automatically uses the VPN. If it matches the FQDN / IP in my alias then it doesn't. Well, this is what I intend anyway.

 

Although I haven't tried the VPN on my work laptop yet, I'm wondering if I also need to open UDP 500?

 

Thanks for your help 

 

 

 

 

 

 

 

 

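As an added example (not code from the thread, the guide, or pfSense itself), here is a small first-match evaluator for the alias-based split described in the post above: an alias of devices that leaves via the WAN, everything else policy-routed to the VPN gateway. The alias names, addresses and rule order are constructed; the PRIVATE_NETWORKS alias is assumed to hold the RFC 1918 ranges, and a rule with no gateway set (Gateway: *) is assumed to follow the system routing table, whose default route is assumed to be the WAN. The shadowed_rules check shows why rule order matters: put the VPN catch-all above the bypass rule and the bypass can never match.

```python
"""First-match evaluation of pfSense-style interface rules with aliases and
per-rule gateways. Added example; all names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases. WAN_BYPASS plays the role of the post's "devices that
# should go out via the WAN"; PRIVATE_NETWORKS is assumed to be RFC 1918 space.
ALIASES = {
    "WAN_BYPASS": ["172.30.12.20", "172.30.12.21"],
    "PRIVATE_NETWORKS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AirVPN_LAN_net": ["172.30.12.0/24"],
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # alias name, CIDR, address, or "any"
    dst: str
    gateway: Optional[str] = None  # None: routing table (assumed WAN default route)
    note: str = ""


def _networks(value):
    """Expand an alias name, CIDR or address into ip_network objects ('any' = all IPv4)."""
    if value == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(m, strict=False) for m in ALIASES.get(value, [value])]


def _matches(value, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(value))


def egress_for(rules, src_ip, dst_ip):
    """Return the gateway label used by the first matching rule, 'default-route'
    when that rule has no gateway, or 'blocked' (pfSense interfaces deny by default)."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return "blocked" if r.action == "block" else (r.gateway or "default-route")
    return "blocked"


def _covers(a, b):
    """True if every network expanded from b lies inside some network expanded from a."""
    return all(any(nb.subnet_of(na) for na in _networks(a)) for nb in _networks(b))


def shadowed_rules(rules):
    """Notes of rules that can never match because an earlier rule already
    covers their entire source and destination space."""
    out = []
    for i, r in enumerate(rules):
        if any(_covers(e.src, r.src) and _covers(e.dst, r.dst) for e in rules[:i]):
            out.append(r.note)
    return out


# Constructed rule set on the AirVPN_LAN interface, bypass rule first.
RULES = [
    Rule("pass", "WAN_BYPASS", "any", None, "bypass alias: routing table (WAN)"),
    Rule("pass", "AirVPN_LAN_net", "PRIVATE_NETWORKS", None, "LAN to private networks"),
    Rule("pass", "AirVPN_LAN_net", "any", "AirVPN_WAN", "everything else via VPN"),
]

if __name__ == "__main__":
    for src, dst in [("172.30.12.20", "1.1.1.1"),
                     ("172.30.12.50", "1.1.1.1"),
                     ("172.30.12.50", "192.168.1.254")]:
        print(src, "->", dst, ":", egress_for(RULES, src, dst))
    # Same rules with the VPN catch-all moved to the top: the others never match.
    print("shadowed:", shadowed_rules([RULES[2], RULES[0], RULES[1]]))
```

Note that the "LAN to private networks" rule already matches a modem at 192.168.1.254 without any extra rule, because that address falls inside 192.168.0.0/16; a separate /32 rule placed below it would itself be shadowed for that destination.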

Looks good to me. The only thing I'm not sure about is your use of FQDN in the alias creation. I created my aliases with just IP addresses, and I'm using static with ARP like you.

 

You shouldn't need to open any port for your work laptop VPN. My wife uses her work laptop VPN no problem. I'm betting it's the same stuff.


Thanks I appreciate your help.

 

When I added FQDNs to the alias list I tried just the host name at first, but it needs .localdomain, otherwise it doesn't work, which makes sense.

 

I tried my work laptop and it worked!  I just need the wife to try her work surface pro now.

 

Cheers


Can't seem to find a guide to create a static IP pass rule; need to get some Macs watching Netflix past the firewall.

Do a search for 'pfSense Selective Routing'.

 

Essentially, you'll need to NAT the VPN_LAN to WAN as well (duplicate step 6C but interface is WAN)... and then set the appropriate gateways for each VPN_LAN & Floating firewall rule (under advanced options when you edit them). There may be additional changes to open this up - pfSense_fan appears to have locked down this guide pretty well. Be careful. Test well.

 

SS


And the guide is still valid for pfSense 2.4 that I am using.

 

 

Sent from my iPad using Tapatalk


- Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz)

- Switch Cisco SG350-10

- AP Netgear RAX200 (Stock FW)

- NAS Synology DS1621+ (5 x 5TB WD Red)

- ISP: Fiber 1000/300 (PPPoE)

 


Hi,

 

Great guide: I followed it with my OPNsense (pfSense's fork) box and all works very well.

I would also like to use a forward proxy (squid) on my OPNsense box and force it to use the VPN connections, but until now I haven't been able to (squid always uses the default gateway).

I would like to know if you have any suggestions on this topic.

 

Thanks in advance

I had the issue with squid; it would always leak no matter what I tried on the same instance. I got around the problem by installing Windows Server 2012 on the machine, then creating 2 Hyper-V machines: one for the VPN using this tutorial, and the second handles the DHCP and squid. The author himself said on the old thread of this tutorial that getting both VPN and squid to work together does not work.


Thanks for your reply Mufasa,

 

I adopted a similar solution (I used a Linux virtual machine with a squid proxy), but it seems very strange not to be able to run a squid proxy on pfSense/OPNsense on the same machine: I tried with some firewall rules (both on the LAN side and as floating rules) without success.

 

I will try again (I do not give up).


It will not work and cannot work unless you manually program static routes. The proxy is coded to exit the WAN/default gateway and there is no setting to policy route it to the VPN. Setting this up is something that is well outside the scope of what this tutorial is intended for, and something that quite literally probably no one at this forum can assist with. If you truly want squid to work, ask questions over at the pfSense forums. This guide is meant to be entry level for beginners. Setting up Squid is very involved. Even if you get it to "work", it may leak. I personally gave up on it.

 

If you were to ask me, I would tell you to look into pfblockerNG instead. I have it running and blocking roughly 600,000 known ad servers, malware servers and other junk on both a DNS and IP level. The lists auto update and reload on a schedule. But then again, I don't know what your use case is. For what it's worth, pfblockerNG is easier to use, set up and more reliable in my experience.

 

EDIT: Then I noticed you are on opnsense. Consider moving back over to pfSense for pfblockerNG... it really is the game changer.



Thanks for a brilliant guide. I've been trying to set up pfSense for around a month now and this is the first time I've completed a guide where I haven't been scared I've left a backdoor open somewhere.

 

I have one small problem I'm hoping to fix. My modem 192.168.1.254 doesn't have an access point mode, so I've left DHCP on, put my pfSense box in its DMZ at 192.168.1.1 and then created a new network 172.30.xx.xx for devices connected to the pfSense.

 

My problem is I can't connect to 192.168.1.254 anymore - did I get one of your rules slightly wrong or do I need to add 192.168.1.0/xx to PRIVATE_NETWORKS?

 

Thanks in advance

You'll need to allow access to the WAN interface for destination 192.168.1.254 in your outbound NAT rules and in the LAN firewall rules.


I managed to get access by adding one rule rather than two... - did I do it safely?

[attachment: router.png]

I said you'd need a NAT rule and a LAN firewall rule.  That is, firewall>rules>LAN and allow outgoing via WAN interface to router.  Since it works already I'm concerned that something is wrong with your rules as this guide makes everything go out via VPN interface only if I recall correctly.

I've just walked through the guide to be sure, and the only steps where I diverged were:

 

- "Step 6-A: Configuring the AirVPN_LAN Interface" where I set my IPV4 address as 172.30.12.1 so I have to leave my router's DHCP on
 
- "Step 6-B: Setting up the DHCP Server for the AirVPN_LAN Interface" as my LAN DHCP range is 172.30.12.100 - 172.30.12.199
 
Re-reading the guide has been useful as I've tweaked my outbound rule and I think it makes sense and is safe:
 
 

 

If I'm correct:

 

- Rule 1 allows traffic from the LAN to go out over the VPN connection

- Rule 2 allows traffic from the firewall to go out over the VPN connection

- Rule 3 allows traffic from the firewall only to go over the WAN

- New Rule 4 allows traffic from the LAN to go to 192.168.1.254 - i.e. a rule added because 192.168.1.254 isn't on my LAN or the WAN and is kind of sitting in no man's land on another local network on its own.

 

I've changed to 192.168.1.254/32 so that only 192.168.1.254 can be reached rather than 192.168.1.1-192.168.1.254.

 

My remaining concern is though, does this allow devices to connect to the router and bypass the VPN?  If so, then I can disable this rule and only enable it if I need to connect to the router - rare now that pfSense is my firewall and handles DHCP.


You're still only looking at NAT outbound.

I told you I'm concerned about your firewall > rules > LAN (NOT firewall > NAT > outbound).


I've double-checked and I think they are right.

[attachment: download (1).png]


OK.  My setup is different from the guide so I'm not familiar with what rules are suggested.

 

The rule allowing destination "private networks" and "LAN service ports" is what is allowing access to the modem already.

