Mad_Max 15 Posted ...
here is the openVPN config: https://imgur.com/a/BU60kUE Sorry it's a screen shot from a mobile and uploaded to imgur and not here 😕
zapoteknico 8 Posted ...
9 minutes ago, Mad_Max said: My wan is 192.168.1.11 because it's a cable from my router (which has 10 clients connected to it and the pfsense is the 11th) i got a screen shot of the OpenVPN config, but what's the gateway xD?

Gateways are under SYSTEM -> Routing, Step 4 in the guide. About your VPN Client settings... At the bottom of the configuration set as shown below.
dIecbasC 38 Posted ...
Move your modem into bridged mode so it passes the connection through to pfSense. Alternatively allow RFC1918 addresses on WAN interface which might get stuff working for you. You'll be behind a double-NAT config like this and your life is going to be painful, especially if you try port forwarding.
Mad_Max 15 Posted ...
i did the openvpn config like u said @zapoteknico and here is a photo of the gateway

Thanks @dlecbasC, I'm sorry for using these newbie terms but, the router was provided by my isp. It switches the net from fiber to Wireless + Lan. for pfsense, is it better to keep using this router? or should i get a small fiber to lan media converter?
zapoteknico 8 Posted ...
I am quite sure your issue is related to the ip addresses of your interfaces (WAN and LAN) and/or the DHCP server assignation settings and/or the NAT outbound rules. If i get it right you have the ISP router that gives IP 192.168.1.11 to your WAN via DHCP. Then you have pfsense giving address 192.168.1.1 to your LAN network via DHCP.... Out of curiosity... What is the IP address of your ISP router?
Mad_Max 15 Posted ...
Here is a screen shot of the AirVPN Gateway and the Interfaces. Well, my setup is: In my neighbor's house the main router the ips start from 192.168.1.1 ... and i got a cable from his house to my access point, but now i removed the access point and installed a pfsense instead
Mad_Max 15 Posted ...
I think the problem is with setting the Vpn configuration, as it doesn't show that it's connected
zapoteknico 8 Posted ...
Your pfsense Lan 192.168.1.1 has the same ip of your ISP router. 192.168.1.1. It will never get connected... The easier solution on my point of view is to change the IP of the ISP router...

The guide you have followed starts assuming that you have a pfsense box with a WAN configured to receive an ip from isp router via DHCP (i.e. 192.168.0.x) and then have a LAN that will be set to have address starting from 192.168.1.1

Because of your starting situation (isp router with ip 192.168.1.1) you should change all the IP addresses in the guide with something like 192.168.2.1

If you only have devices connected to the isp router via lan or wireless and no port forwarding on the isp router, then just change the isp router address to 192.168.0.1 The isp router will reboot... All the devices will get a new IP address and the pfsense router will connect (unless there are other mistakes in how you followed the guide)
zapoteknico 8 Posted ...
I think this picture will explain better what i mean

The isp router has ip 192.168.1.1 (like your isp router). It gives connection to clients (host machine) with ip 192.168.1.103 and to the pfsense box with ip 192.168.1.106 (192.168.1.11 in your case). Then the pfsense box below has LAN ip 10.0.0.1 and gives IPs in the same range to other devices 10.0.0.5 - 10.0.07

Your pfsense LAN instead has IP 192.168.1.1 making any connection impossible due to duplicate ip on the network

I think this also explains why your WAN_DHCP Gateway is not showing any Gateway or Monitor IP address. In my working setup, it shows the ISP router IP Address
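The addressing conflict described in the two posts above, written as a check (an added example, not part of the thread). The function name and the /24 prefix are assumptions, since no netmask is stated in the thread; the third case uses a constructed WAN lease of 192.168.0.11.

```python
import ipaddress

def audit_addressing(upstream_router, wan_ip, lan_ip, prefix=24):
    """Return the problems in a router -> pfSense WAN -> pfSense LAN layout.

    prefix=24 is an assumption: the thread never states a netmask.
    """
    router = ipaddress.ip_address(upstream_router)
    wan = ipaddress.ip_interface(f"{wan_ip}/{prefix}")
    lan = ipaddress.ip_interface(f"{lan_ip}/{prefix}")
    problems = []

    # The WAN interface must share a subnet with the router it uses as gateway.
    if router not in wan.network:
        problems.append(f"upstream router {router} is not on WAN subnet {wan.network}")
    # Two devices answering for one address: the duplicate-IP case in the thread.
    if lan.ip == router:
        problems.append(f"LAN address {lan.ip} duplicates the upstream router")
    # Same subnet on both sides: pfSense cannot tell which interface a
    # destination lives behind, so routing and outbound NAT break.
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN subnet {lan.network} overlaps WAN subnet {wan.network}")
    return problems

if __name__ == "__main__":
    cases = {
        # Addresses as reported in the thread.
        "Mad_Max's layout": ("192.168.1.1", "192.168.1.11", "192.168.1.1"),
        # zapoteknico's working setup from the post above.
        "working layout": ("192.168.1.1", "192.168.1.106", "10.0.0.1"),
        # ISP router moved to 192.168.0.1; the WAN lease is a constructed value.
        "router renumbered": ("192.168.0.1", "192.168.0.11", "192.168.1.1"),
    }
    for name, args in cases.items():
        found = audit_addressing(*args)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```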
Mad_Max 15 Posted ...
Thank you so much for your replies. But, i have changed the ISP ip and still no connection
zapoteknico 8 Posted ...
It is 2.30 am where i am. Please review steps 2, 3, 4 of the guide. When you copy/paste the text for the certificates, ensure there are no spaces at the end.
zapoteknico 8 Posted ...
16 hours ago, Mad_Max said: Thank you so much for your replies. But, i have changed the ISP ip and still no connection

Hello i am available if you still need help. You can also try to contact me privately
Air4141841 25 Posted ...
On 4/30/2019 at 7:37 PM, Mad_Max said: here is the openVPN config: https://imgur.com/a/BU60kUE Sorry it's a screen shot from a mobile and uploaded to imgur and not here 😕

i assume this still isn't working. i can see about 5 options to change
1. under NCP ADD aes 256 GCM
2. auth digest alg needs to be set to sha512
3. topology needs to be changed to subnet
4. TOS service need to uncheck don't pull routes.
5. please change VERB to 4 so we can actually read issues in the log
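The five settings listed above, together with the trailing-space check on pasted certificates from zapoteknico's earlier reply, expressed as a check over an OpenVPN 2.4 client config file. This is an added example, not from the thread; the directive names are the config-file equivalents of the pfSense GUI fields (an assumption about the mapping), and both sample configs are constructed.

```python
import re

def check_client_config(conf_text):
    """Return findings for an OpenVPN 2.4 client config (expected values from the post above)."""
    opts, findings, block = {}, [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if block:                                   # inside <ca>, <cert>, <key>, ...
            if line == f"</{block}>":
                block = None
            elif raw != raw.rstrip():
                findings.append(f"line {n}: trailing whitespace inside <{block}>")
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                                       # start of an inline PEM block
            block = m.group(1)
            continue
        if not line or line[0] in "#;":             # blank line or comment
            continue
        name, *args = line.split()
        opts[name] = args

    ciphers = [c.upper() for c in ":".join(opts.get("ncp-ciphers", [])).split(":")]
    if "AES-256-GCM" not in ciphers:
        findings.append("ncp-ciphers does not include AES-256-GCM")
    if [a.upper() for a in opts.get("auth", [])] != ["SHA512"]:
        findings.append("auth is not SHA512")
    if opts.get("topology") != ["subnet"]:
        findings.append("topology is not subnet")
    if "route-nopull" in opts:
        findings.append("route-nopull is set, so pushed routes are ignored")
    if int((opts.get("verb") or ["1"])[0]) < 4:     # OpenVPN's default verb is 1
        findings.append("verb is below 4")
    return findings

# Constructed sample configs; the certificate body is a placeholder, and the
# placeholder line in BEFORE deliberately ends with a space.
BEFORE = "\n".join([
    "client", "dev tun", "ncp-ciphers AES-128-GCM", "auth SHA1",
    "route-nopull", "verb 1",
    "<ca>", "-----BEGIN CERTIFICATE-----", "PLACEHOLDER-BASE64 ",
    "-----END CERTIFICATE-----", "</ca>",
])
AFTER = "\n".join([
    "client", "dev tun", "ncp-ciphers AES-256-GCM:AES-256-CBC", "auth SHA512",
    "topology subnet", "verb 4",
    "<ca>", "-----BEGIN CERTIFICATE-----", "PLACEHOLDER-BASE64",
    "-----END CERTIFICATE-----", "</ca>",
])

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_client_config(conf) or "OK")
```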
SumRndmDude 22 Posted ...
I'm picking up the thread from the last page, so I apologize if this has already been addressed.

Can you ping ANY outside sites, from the pfSense box itself? Diagnostics > Ping. Select the WAN as the source address and attempt to ping an Air server (i.e. ran.airvpn.org) and see what happens. If not, then there's another issue, likely NAT related that's preventing it from getting a connection to the VPN.

If it works, then please try the following: VPN > OpenVPN > Clients. You have 4 buttons along the top: Settings, Related Status, Related Log Entries, Help. Click "Related Log Entries" and THAT will tell you what occurs when trying to connect to AirVPN.
mcana77 0 Posted ...
Hello All, My pfSense (ver 2.4.4) firewall is setup exactly as the original poster pfSense fan's guide (which by the pfSense fan, You Rock!) with the exception that I also added snort! to my pfSense. Thing is that I have never been able to send mail outgoing from my main desktop machine and I was hoping someone here can point me in the proper direction.

I have added 465 and 587 to my WAN service ports but still no go. I have pored over my pfSense firewall logs but even filtering on my source IP has not led me to see where the packets are being blocked. So I started up Wireshark and sent a test email to see what is going on. (BTW - I am using Thunderbird for my email client and Ubuntu for my OS.)

The initial SYN packet sent uses a random port between 1024:65535 in this case 58294 with a destination of 465 at 74.125.141.109 which obviously does not make it to its destination (or I would see the ACK from 74.125.141.109) but instead re-transmits that packet once again, and again until it fails. My Question is WHY? Registered and Ephemeral Ports should be open on the outgoing WAN. Am I missing something here?

BTW thank you to all who take time from your day to respond! If anyone wants to setup SNORT on their 2.4.4 pfSense firewall this is the tutorial I followed - https://vorkbaard.nl/installing-snort-for-idsips-on-pfsense-2-4/
SumRndmDude 22 Posted ...
Status -> System Logs -> Firewall - Now attempt to send the mail and then look at the log to see if pfSense is actually blocking the outgoing or incoming connection AND on what interface.

You say you have holes punched in the WAN for allowable ports, but what LAN is your PC operating off of and what gateway does that LAN use. If you set it up like the original guide and your PC is operating off of the AirVPN_LAN, which sends traffic out of the AirVPN_WAN and therefore you've punched holes in the wrong place.

If I'm wrong here, check the settings in Thunderbird to see if you can use a fixed port, rather than a random one for the initial packet. Sorry, but I haven't used TB in some years and can't give more info.
mcana77 0 Posted ...
Thanks for taking the time to look. I thought the exact same as you but I've verified that on both the AirVPN_LAN and the AirVPN_WAN those ports are open. Initially I wasn't logging those packets but I've turned logging on and I can see the packet match the rule and pass. So it is definitely being blocked after being passed at the LAN. As far as ports that are open, they are for the most part mirrored on both the WAN and LAN side so I'm wondering if it is a firewall rule. Thunderbird is using a fixed port as far as I can see but it obviously is randomizing the initial port internally unless 465 is just the stated destination.

Aside from the first 3 rules (Anti-lock out, NAT-AirVPN DNS REDIRECT and AirVPN LAN NTP REDIRECT) here are the rest. As a test I paused the REJECT LOCAL just to see if that was the issue but it still blocked. So it must be blocking at the outbound WAN. Obviously I'm missing something but I can't figure out what.
fluffymegatron 0 Posted ...
Has anyone tried setting this up so you have multiple VLANs? One with the VPN and one without?
Wolke68 5 Posted ...
Do you see this? https://nguvu.org/pfsense/pfsense-baseline-setup/
SumRndmDude 22 Posted ...
On 7/22/2019 at 5:59 PM, mcana77 said: Thanks for taking the time to look. I thought the exact same as you but I've verified that on both the AirVPN_LAN and the AirVPN_WAN those ports are open. Initially I wasn't logging those packets but I've turned logging on and I can see the packet match the rule and pass. So it is definitely being blocked after being passed at the LAN. As far as ports that are open, they are for the most part mirrored on both the WAN and LAN side so I'm wondering if it is a firewall rule. Thunderbird is using a fixed port as far as I can see but it obviously is randomizing the initial port internally unless 465 is just the stated destination. Aside from the first 3 rules (Anti-lock out, NAT-AirVPN DNS REDIRECT and AirVPN LAN NTP REDIRECT) here are the rest. As a test I paused the REJECT LOCAL just to see if that was the issue but it still blocked. So it must be blocking at the outbound WAN. Obviously I'm missing something but I can't figure out what.

Ok, I think I see the error here now. Under your firewall rule for your LAN to LAN communication (3rd from the bottom), remove the 1024-65535 and change it to any under the source. Your LAN to LAN chatter is usually going to run in the lower ranges generally speaking. You can of course add additional ports for various services (i.e. Plex I believe uses 32400), but add them to the LAN_SERVICE_PORTS alias.

You're effectively saying that if the traffic on your LAN originates from a port between 1024-65535 and is going to a private address with one of those ports in the alias, then allow it. Otherwise, pfSense will enact its default behavior, which is, "If it's not explicitly allowed, block it".
mcana77 0 Posted ...
Totally works!! SumRndmDude, you are my hero!
rob77 0 Posted ...
Thanks for the guide, I now have pfsense and AirVPN setup and working. One little niggle that I have is that on reboot the openvpn client claims to be up when it is actually not passing through any traffic. A quick restart of the openvpn client solves this and it works great until next reboot. Is anyone else seeing similar?

Edit: This is fixed in 2.5.0 experimental build
joebywan 0 Posted ...
Followed the guide, and the VPN isn't coming up. The status page shows reconnecting; process-push-msg-failed. Below I've pasted the logs. I had to remove the custom options the guide had listed because it was freaking out about them.
go558a83nk 364 Posted ...
57 minutes ago, joebywan said: Followed the guide, and the VPN isn't coming up. The status page shows reconnecting; process-push-msg-failed. Below I've pasted the logs. I had to remove the custom options the guide had listed because it was freaking out about them.

You just need to add AES-256-GCM to your list of allowed ciphers in the NCP algorithms section.
joebywan 0 Posted ...
On 9/16/2019 at 9:38 AM, go558a83nk said: You just need to add AES-256-GCM to your list of allowed ciphers in the NCP algorithms section.

Thanks for that, worked. What's the DNS server we're supposed to be using? Status>OpenVPN says it's up, but I can't do the dnslookup to airvpn.org