Jump to content
Not connected, Your IP: 34.227.112.145
pfSense_fan

How To Set Up pfSense 2.3 for AirVPN

Recommended Posts

It has been a couple of weeks since I setup my PFSense router, but I think the following steps are what I did to modify pfSense_fans’s 2.3 guide to use 3 interfaces. I don't think I am leaving out any steps, but I am not sure. Just try this and see if it works for you.

 

I followed pfSense_fans’s 2.3 guide up to step 6A. When I got to step Step 6-A: Configuring the AirVPN_LAN Interface, I did not change the name of the LAN interface to AIRVPN_LAN. Instead, I assigned a new AIRVPN_LAN interface from the Interfaces tab. Check Enable, Description = AIRVPN_LAN,  IPv4 Configuration Type = Static ipv4, IPV4 = 192.168.123.1, click SAVE and Apply.

 

I then I went back to following pfSense_fans’s  2.3 guide starting at Step 6-B: Setting up the DHCP Server for the AirVPN_LAN Interface. I just had to make sure when I created rules from that point forward, I changed the 192.168.1.x fields to 192.168.123.x. When I was done I had a working AIRVPN Lan interface in the 192.168.123.x range as well as a working LAN interface in the 192.168.1.x range.

 

I then added the BLOCK DNS LEAKS LAN rule to the top of the LAN firewall rules. That method worked for me.

 

 

Maybe this will help get you guys up and running with 3 interfaces until pfSense_fan provides a better or easier solution.

 

 

The following was copied directly from pfSense_fans’s old  2.1 guide. It is how I have my firewall rules setup for my LAN interface.

***************************************************************

 

 

Setting Basic Firewall Rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.

 

 

*NOTE: There are THREE necessary rules for the LAN interface. You should have two firewall rules here by default. The “anti-lockout rule” and a “default allow LAN to any” rule. Do not touch the anti-lockout rule. You can either delete or edit the default allow rule, it is up to you.

 

 

First LAN Firewall Rule:

 

"BLOCK_DNS_LEAKS_LAN"

 

 

The first LAN firewall rule will block all DNS requests that we do not explicitly allow. This rule will force all users on this interface to use the DNS forwarder and hence the servers we entered on the general settings page. Pay close attention to this one.

 

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php

-or-

https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

 

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS_LAN".

 

Set as follows:

Action = [ Block ▼]

Disabled = [_] Disable this rule (UNCHECKED)

Interface = [LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [TCP/UDP ▼]

Source = [_] Not (UNCHECKED)

              Type: [ Any ▼]

              Address: [______] (BLANK)

Destination = [✔] Not (CHECKED!!!!!!!!)

                     Type: [ LAN address ▼]

                     Address: [________]

Destination port range = From: [ DNS ▼]

                                      To: [ DNS ▼]

Log = [✔] (CHECKED)

Description = [✎ BLOCK_DNS_LEAKS_LAN]

*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ WAN_DHCP ▼]

 

3.) Click [ Save ]

 

4.) Click [ Apply Changes ]

 

Second LAN Firewall Rule:

 

 

"ALLOW LAN OUTBOUND"

 

 

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php

-or-

https://192.168.1.1/firewall_rules.php

and select your "LAN" interface.

 

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW LAN OUTBOUND" (Note: There may already be a rule titled " Default Allow LAN Outbound" or similar. You certainly can just edit that entry to these settings, or delete and create this.)

 

3.) Set as follows:

Action = [ Pass ▼]

Interface = [LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [Any ▼]

Source = [_] Not (UNCHECKED)

              Type: [ LAN Subnet ▼]

              Address: [______] (BLANK)

Destination = [_] Not (UNCHECKED)

                     Type: [ Any ▼]

                     Address: [______] (BLANK)

Description = [✎ ALLOW LAN OUTBOUND]

*****IMPORTANT STEP: [ADVANCED FEATURES]  >  GATEWAY = [ WAN_DHCP ▼]

 

4.) Click [ SAVE ]

 

5.) Click [ Apply Changes ]

 

Third LAN Firewall Rule:

 

 

"BLOCK ALL ELSE LAN"

 

 

1.) Go to: Firewall > Rules

http://192.168.1.1/firewall_rules.php

-or-

https://192.168.1.1/firewall_rules.php

and select your "LAN" interface.

 

2.) Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"

 

3.) Set as follows:

Action = [block ▼]

Disabled = [_] (UNCHECKED)

Interface = [LAN ▼]

TCP/IP Version = [iPv4 ▼]

Protocol = [Any ▼]

Source = [_] Not (UNCHECKED)

              Type: [ Any ▼]

              Address: [______] (BLANK)

Destination = [_] Not (UNCHECKED)

                     Type: [ Any ▼]

                     Address: [______] (BLANK)

Log packets that are handled by this rule = [✔] (checked)

Description = [✎  BLOCK ALL ELSE LAN ]

*** For this rule we will NOT set the advanced setting for gateway, it should be left as default

 

4.) Click [ SAVE ]

 

5.) Click [ Apply Changes ]

 

E.) Checking That Our Firewall Rules Are In The Correct Order

1.) Go to Firewall > Rules

http://192.168.1.1/firewall_rules.php

-or-

https://192.168.1.1/firewall_rules.php

and Select your "LAN" interface.

 

2.) The order of the rules we just created is important!

They should appear in this following order when viewed:

 BLOCK DNS LEAKS LAN

ALLOW LAN OUTBOUND

BLOCK ALL ELSE LAN

 

ENSURE THE RULES ARE IN THIS PRECISE ORDER, IF THEY ARE NOT, ORGANIZE THEM AS NECCESSARY!

Share this post


Link to post

I set it up this way and it works but I have terrible VPN performance on a brand new i5 with 16gb of ram.  I wasn't sure on a couple of the steps.. When setting up the AIRVPN lan and choosing DNS servers, i put 192.168.1.1 but my AIRVPN lan is 192.168.2.1.. there were a few where I might have messed up..  Like I said both interfaces work, just VPN is very slow.   Also the DNS for the VPN returns 127.0.0.1  1600ms and 10.4.0.1 returns 77ms.

Share this post


Link to post

changed servers and now I am getting much better performance.. I have 60/6 internet but it speed tests normally at 70 and through the VPN i just got 65/6, pretty damn good..  Not sure all my setting are correct, i will play with it until the master adds the section to the guide  

Share this post


Link to post

Hi,

 

Thanks for your pfsense config guide(s). I used the 2.1 guide to configure pfsense and it had worked perfectly. I already upgraded towards 2.3 a while ago but didn't look for new configuration settings. So when I started looking, I found your new (2.3) guide.

 

The first time I used it, I had no internet whatsoever. But then I figured, I didn't use an ip-address for the AirVPN server, stupid me :')

 

After fixing that, it looked as if I had a perfectly working setup. Through the DNS lookup function, pfSense gives speedy results, with whatever site we enter. But if we're browsing, the same sites aren't loaded ("The connection has timed out"). We tried different browsers, different PC's, different operating systems, cleared DNS-caches, used googleDNS and openDNS, but no websites. My guess is, something is wrong with the NAT/firewall rules, but I have no idea where to look. I've started over 3 times now and we looked with two people seperately and we think all settings seem fine, but we must have overlooked something somewhere.

Share this post


Link to post

how do i get the clearnet to use different DNS?  i use a DNS company to get around geo blocking.. i want VPN to use AirVPN DNS and non VPN to use another specified DNS.

Share this post


Link to post

how do i get the clearnet to use different DNS?  i use a DNS company to get around geo blocking.. i want VPN to use AirVPN DNS and non VPN to use another specified DNS.

To use your company DNS settings, try going to System / General Setup / DNS Server Settings. Put your DNS company settings there; make sure that you choose WAN_DHCP WAN in the drop down menu to the right of where you enter your DNS company settings. DNS Server 1 should already be used by AIR_VPN WAN. Use the other three fields for your company DNS. Of course, Save and Apply after entering the new settings.

Share this post


Link to post

I tried that and it didn't work. I then put them in the DHCP server section on the LAN interface under DNS server and it worked.  Now it may have worked in the general section too because neither worked until I cleared my browser cache and flushed my DNS. 

Share this post


Link to post

having difficulty with port forwarding.

i tried the same technique used in the previous guide and it didn't work.

is there any extra step like adding a lan service port in the alias?

i'm just trying to set up port forwarding for torrents.

thanks

Share this post


Link to post

i had a few ports that I needed forwarded for my VOIP phone that I just entered as normal.  I thought they might not work because of the port aliases added in this guide.  Keep in mind though, the VOIP I was using was on the clearnet and did not go through the VPN tunnel but I assume it would be the same thing.

Share this post


Link to post

having difficulty with port forwarding.

i tried the same technique used in the previous guide and it didn't work.

is there any extra step like adding a lan service port in the alias?

i'm just trying to set up port forwarding for torrents.

thanks

Go to the client area at AirVpn. Then go to forward ports and reserve a port if you have not already done so.

 

I read a couple post here in the AirVpn forums on how to get port forwarding to work with AirVpn and PFSense and I could never get it working trying to follow those guides. I finally found the following link using Google and followed the instructions and port forwarding now works for me using utorrent.

 

http://www.ratzblog.com/2011/08/normal-0-false-false-false-en-us-x-none.html

Share this post


Link to post

Hi,

 

Thanks for your pfsense config guide(s). I used the 2.1 guide to configure pfsense and it had worked perfectly. I already upgraded towards 2.3 a while ago but didn't look for new configuration settings. So when I started looking, I found your new (2.3) guide.

 

The first time I used it, I had no internet whatsoever. But then I figured, I didn't use an ip-address for the AirVPN server, stupid me :')

 

After fixing that, it looked as if I had a perfectly working setup. Through the DNS lookup function, pfSense gives speedy results, with whatever site we enter. But if we're browsing, the same sites aren't loaded ("The connection has timed out"). We tried different browsers, different PC's, different operating systems, cleared DNS-caches, used googleDNS and openDNS, but no websites. My guess is, something is wrong with the NAT/firewall rules, but I have no idea where to look. I've started over 3 times now and we looked with two people seperately and we think all settings seem fine, but we must have overlooked something somewhere.

 

Worth going over the guide setting by setting, its so easy to make a mistake or one wrong check box or tick ! in fact I have yet to get it fully working myself. I had no websites when I first did the new updated 2.3 guide but then forgot I have 10.4.0.1 under my network adaptor DNS server settings under TCP/ipv4.

Share this post


Link to post

For pfsense_fan, just some minor stuff noticed on the new guide, probably not required for most but for total newbies to could be handy.

 

1:Step 2-A: Understanding Certificates and OpenVPN Config Files
scroll down and select direct protocol UDP, port 443 and then select Advanced mode, this will open Advanced mode where
you can select seperate keys/certs from .ovpn file<otherwise can't get your CA, cert, keys info etc


2:
DHCPv6 Server: Step 1-B: Disable DHCPv6 Server on LAN Interface
We uncheck : Enable DHCPv6 server on interface LAN   (uncheck the box) to disable DHCPv6  (assume that's right)


3:
Interface = [ WAN ?]
No wan showing but WAN_dhcp is (assume its same)


4:Step 6-F: Third AirVPN_LAN Firewall Rule
Perhaps put the *Note after step 1.) and select your "airVPN_Lan" interface
(I got confused with firewall rules/editing from previous step)

Also was seeing 5 firewall rules not 4 as suggested, the 2 I assume to delete were:

 Ipv4 "DEFAULT ALLOW LAN TO ANY" RULE AT THIS TIME. hit trash can icon to delete
 IPv6 "DEFAULT ALLOW LAN TO ANY" RULE AT THIS TIME. hit trash can icon to delete



6:Step 7-D: Block & Do Not Log
IPv6 Floating Firewall Rule
can we mention to hold control key and click to select all- some may not know how to select.


Otherwise congrats mate on a great guide, now just need to get it up and running !
 

Share this post


Link to post

Worth going over the guide setting by setting, its so easy to make a mistake or one wrong check box or tick ! in fact I have yet to get it fully working myself. I had no websites when I first did the new updated 2.3 guide but then forgot I have 10.4.0.1 under my network adaptor DNS server settings under TCP/ipv4.

 

Hi,

 

Thanks for the reply. Although it's not really helpful. I redid the settings 3 times (one time with a complete fresh install of pfsense). Our router and server are my responsilbility, but my girlfriend is actually much better with computers, so I put aside my pride and asked her to check the configuration. She also didn't find a wrong setting. I then decided to (temporarily) move back to the 2.1 settings, but this guide got updated ever since I first used it. So even with the less secure settings, we had the same problems.

 

I then googled for an alternative guide and found one by nvugu

I roughly followed the guide; I don't need vlans, so I combined the applicable firewall and nat rules from the VPN and MGNT (anti lockout) vlan. I also disabled ipv6 as mentioned in the beginning of this topics guide. We now have smooth internet browsing and all ports seem to be closed, unless I specify them in the port alias. I don't know a lot about firewalls, so I don't know what the exact differences between the guides are. What I did notice though was nvugu doesn't use 'DNSSEC' and the "Experimental Bit 0x20 Support" and the DNS firewall rules are different.

Share this post


Link to post

 

Worth going over the guide setting by setting, its so easy to make a mistake or one wrong check box or tick ! in fact I have yet to get it fully working myself. I had no websites when I first did the new updated 2.3 guide but then forgot I have 10.4.0.1 under my network adaptor DNS server settings under TCP/ipv4.

 

Hi,

 

Thanks for the reply. Although it's not really helpful. I redid the settings 3 times (one time with a complete fresh install of pfsense). Our router and server are my responsilbility, but my girlfriend is actually much better with computers, so I put aside my pride and asked her to check the configuration. She also didn't find a wrong setting. I then decided to (temporarily) move back to the 2.1 settings, but this guide got updated ever since I first used it. So even with the less secure settings, we had the same problems.

 

I then googled for an alternative guide and found one by nvugu

I roughly followed the guide; I don't need vlans, so I combined the applicable firewall and nat rules from the VPN and MGNT (anti lockout) vlan. I also disabled ipv6 as mentioned in the beginning of this topics guide. We now have smooth internet browsing and all ports seem to be closed, unless I specify them in the port alias. I don't know a lot about firewalls, so I don't know what the exact differences between the guides are. What I did notice though was nvugu doesn't use 'DNSSEC' and the "Experimental Bit 0x20 Support" and the DNS firewall rules are different.

 

 

After setting it up, how long did you let the DNS Resolver (Unbound) run before attempting to change a setting? DNSSEC requires a bit of time to negotiate. Another possibility is that DNSSEC is not available on all air servers, I can't be sure of that. I do use these settings so I know they work.

 

That being said the only appreciable difference between that guide and mine is DNSSEC. I am considering removing DNSSEC from the basic guide and moving the option to an additional/optional step.


Have my guides helped you? Help me keep helping you, use my referral: userbar.png

How to set up pfSense 2.3 for AirVPN

Friends don't let friends use consumer networking equipment!

Share this post


Link to post

 

 

Worth going over the guide setting by setting, its so easy to make a mistake or one wrong check box or tick ! in fact I have yet to get it fully working myself. I had no websites when I first did the new updated 2.3 guide but then forgot I have 10.4.0.1 under my network adaptor DNS server settings under TCP/ipv4.

 

Hi,

 

Thanks for the reply. Although it's not really helpful. I redid the settings 3 times (one time with a complete fresh install of pfsense). Our router and server are my responsilbility, but my girlfriend is actually much better with computers, so I put aside my pride and asked her to check the configuration. She also didn't find a wrong setting. I then decided to (temporarily) move back to the 2.1 settings, but this guide got updated ever since I first used it. So even with the less secure settings, we had the same problems.

 

I then googled for an alternative guide and found one by nvugu

I roughly followed the guide; I don't need vlans, so I combined the applicable firewall and nat rules from the VPN and MGNT (anti lockout) vlan. I also disabled ipv6 as mentioned in the beginning of this topics guide. We now have smooth internet browsing and all ports seem to be closed, unless I specify them in the port alias. I don't know a lot about firewalls, so I don't know what the exact differences between the guides are. What I did notice though was nvugu doesn't use 'DNSSEC' and the "Experimental Bit 0x20 Support" and the DNS firewall rules are different.

 

 

After setting it up, how long did you let the DNS Resolver (Unbound) run before attempting to change a setting? DNSSEC requires a bit of time to negotiate. Another possibility is that DNSSEC is not available on all air servers, I can't be sure of that. I do use these settings so I know they work.

 

That being said the only appreciable difference between that guide and mine is DNSSEC. I am considering removing DNSSEC from the basic guide and moving the option to an additional/optional step.

I know from my own experience that there is a difference in DNS-leakage.Because of the forwarding rule-introduced by Pfsence_fan- for the DNS (and NTS),there is no leakage at all.

I use Mr.Johnson guide for the vlan ,because I wanted to use "smart" -switches .

Btw works great.

 

Gr,Casper

Share this post


Link to post

having difficulty with port forwarding.

i tried the same technique used in the previous guide and it didn't work.

is there any extra step like adding a lan service port in the alias?

i'm just trying to set up port forwarding for torrents.

thanks

 

 

I am also struggling with Port Forwarding with the 2.3 guide, I tried the old working one here:

 

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?p=17580

Only real differences with the 2.3 setup was In the field:

Redirect target IP

I put in my pfsense IP box : 192.168.1.1

and in

Redirect target port

I left it with "other" and put my forwarded port and saved it.

 

The above settings could be wrong, but on my last working pfs 2.2.x I left with with the same IP and it passed all port

forward test.

 

Did you do similar on your set up or have others got it working ?

 

Mine could also not be working since I am having DNS/Web page loading failure at the moment so guess one issue at a time!

 

Share this post


Link to post

Question for other recent 2.3 updated guide users.

 

has your ipleak.net site been loading correctly for yourself ?

 

Also does ipleak display the 2nd DNS address detection correctly ?

 

I am seeing no DNS address detection displayed most of the time, but my air IP is showing correctly on top, Could just be myself due to my setup.

Share this post


Link to post

 

having difficulty with port forwarding.

i tried the same technique used in the previous guide and it didn't work.

is there any extra step like adding a lan service port in the alias?

i'm just trying to set up port forwarding for torrents.

thanks

 

 

I am also struggling with Port Forwarding with the 2.3 guide, I tried the old working one here:

 

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?p=17580

Only real differences with the 2.3 setup was In the field:

Redirect target IP

I put in my pfsense IP box : 192.168.1.1

and in

Redirect target port

I left it with "other" and put my forwarded port and saved it.

 

The above settings could be wrong, but on my last working pfs 2.2.x I left with with the same IP and it passed all port

forward test.

 

Did you do similar on your set up or have others got it working ?

 

Mine could also not be working since I am having DNS/Web page loading failure at the moment so guess one issue at a time!

 

 

 

I have never gotten it to work using 2.2 or 2.3 so if you can share the knowlege

Share this post


Link to post

 

 

having difficulty with port forwarding.

i tried the same technique used in the previous guide and it didn't work.

is there any extra step like adding a lan service port in the alias?

i'm just trying to set up port forwarding for torrents.

thanks

 

 

I am also struggling with Port Forwarding with the 2.3 guide, I tried the old working one here:

 

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/?p=17580

Only real differences with the 2.3 setup was In the field:

Redirect target IP

I put in my pfsense IP box : 192.168.1.1

and in

Redirect target port

I left it with "other" and put my forwarded port and saved it.

 

The above settings could be wrong, but on my last working pfs 2.2.x I left with with the same IP and it passed all port

forward test.

 

Did you do similar on your set up or have others got it working ?

 

Mine could also not be working since I am having DNS/Web page loading failure at the moment so guess one issue at a time!

 

 

 

I have never gotten it to work using 2.2 or 2.3 so if you can share the knowlege

 

 

I had it working flawless with 2.2.2 pfsense build it really was just a matter of following the instructions from here:

 

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/page-6?do=findComment&comment=17580

 

At the bottom there are 4 steps you need to do, 1,2 are just entering the ports you already forwarded on air site here:

 

https://airvpn.org/ports/

 

for example 68435 making sure its for tcp/udp protocol.

 

step 3 is the tricky one but I just entered my pfsense machines IP address ie the one I use to connect to usually by default 192.168.1.1

 

step 4 is just the same port number you forwarded like in step 1,2 ie 68435 like my example above.

 

You can then download a program such as port check tool from here:

 

http://portforward.com/help/portcheck.htm

 

and run the program, hit trial, click port checker app and put in your forwarded port, select udp as the main test and click "check me"

if it goes green its golden.

 

I recommend qbittorent, far more easier and fast and you can check options and connections and in incoming box add your forwarded port in there. Qbittorent also has a small green or yellow icon on bottom telling you if its forwarding ports or not. ie working or not, green is good.

 

That was all I did, did not need to add static ip, mac, any rules or alias or anything extra but this was 2.2.2 build and the old guide.

 

In qbittorent you can goto options advanced>network interface and even ip address to report to trackers and add your pfs machine ip address mine was the default 192.168.1.1 and network interface mine was lan 1 since only one nic on pc. You can play around with both settings see if it improves or works, these 2 last steps I did not have to do since qbittorent it went green icon on bottom indicating connections was fine and I hit top speeds but they could help you.

 

If someone spots mistakes in what I have done above please correct me, don't fancy getting it wrong for the next guy !

Share this post


Link to post

still a negative ghost rider

 

Pretty much gave all my ideas unless anyone else has ?

 

Just a shot in the dark have you disabled your firewall or peerblocking/blocking type software ? 

 

I can't get my ports to forward in 2.3 also, but the 2.2 and older guide no issues, so your not fully alone we may have to wait for 2.3 to become bit more common before others post guides or show us how they got it fully working.

 

Did you get 2.3 working ok despite port forwarding by chance? and did ipleak show air ip and detected dns properly ?

Share this post


Link to post

ahh must be doing something wrong with my 2.3 setup then seems majority are having no issues getting the l new pfs 2.3 guide to work.

 

Mine is erratic at best with website failure and ipleak does not even load most of the time.

 

2.3.1 I think is experimental, least that is what the notes suggested. Long as you saved the good working config you can whack on 2.3 on flash and redo it if hosed.

 

I found this guide posted earlier on here :

 

https://nguvu.org/pfsense/pfsense-port-forward/

 

Its an alternative guide, perhaps you can give it a shot and let us know ? I am still trying to get my 2.3 basics working for now.

Share this post


Link to post

The box is not hosed, I did not do a back up. What's happening is the block-all-dns rule is blocking the devices on that lan segment. If I disabled that rule devices get Internet but I leak dns.

 

I also have a 3 nic setup and I believe the guide is made for a 2 nic. I will check out the other guide and report back.

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

Share this post


Link to post

Ok good luck can get a bit tricky fault finding, pfsfan does mention this guide is for 2 or more nics so I think he is correct for now

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...