PF Sense as a Firewall with OpenVPN (NEED HELP!!!)



erolon
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 29, 2017 8:28 pm

PF Sense as a Firewall with OpenVPN (NEED HELP!!!)

Post by erolon » Wed Nov 29, 2017 9:02 pm

Not sure if I'm in the right place, but I was hoping someone could shed some light here.

I want to explain my scenario quick before asking.

I'm working for a company that has 4 sites. For the sake of this, let's call them Site A (main servers, web servers, etc.) and Sites B, C and D (these are mainly remote locations, workers from the company that need access to resources).

I have configured pfSense on Site A as a firewall (no routing, no NAT). Servers behind this firewall have assigned public IP addresses. This site has an OpenVPN server configured (P2P PKI, TUN).

Sites B-D have pfSense as routers with OpenVPN clients.

What I'm trying to do is:

Have Sites B-D connect to Site A via OpenVPN (Site A will only accept connections on the VPN port). Once they are all connected to the VPN on Site A, they will have access to the servers behind the firewall. (Some services will be blocked for some users, but that's not the issue right now.)

Sites B-D cannot see each other. Each of the sites can only access Site A. (This hasn't been a problem so far. During my test, none of the sites can see each other behind their own firewall, just their virtual IP for now, since I have any-any rules until I figure this out.)

This VPN is just for accessing the servers. (Not to be used to hide public ip and browse the internet with it)

What I have accomplished so far (I'm still testing this):

Site B (which is the one I'm testing right now) is connected via OpenVPN; the tunnel is up.

I set up rules for the site to allow traffic destined to Site A only via the VPN. (Regular browsing like Google, YouTube, etc. will not use the VPN as a gateway.)

What I'm missing:

Once the connection is up, packets make it to the firewall in Site A, but won't pass the firewall. If I traceroute to one of the servers' IPs, I can see the packets going through the VPN route, but once they hit the firewall, it stops there. If I traceroute anything else, it goes out the default gateway (which is the ISP of each site, of course), so I can't see any of the servers behind the firewall. I'm almost sure it's just a route problem, but I have tried every tutorial that I have found and so far nothing.

So, is this possible? Or am I trying something that can't be done?

Thanks in advance.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: PF Sense as a Firewall with OpenVPN (NEED HELP!!!)

Post by TiTex » Wed Nov 29, 2017 9:38 pm

I have configured pfSense on Site A as a firewall (no routing, no NAT).
Does this mean that the servers in Site A don't have the pfSense as their default gateway?

erolon
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 29, 2017 8:28 pm

Re: PF Sense as a Firewall with OpenVPN (NEED HELP!!!)

Post by erolon » Wed Nov 29, 2017 10:43 pm

TiTex wrote:
Wed Nov 29, 2017 9:38 pm
I have configured pfSense on Site A as a firewall (no routing, no NAT).
Does this mean that the servers in Site A don't have the pfSense as their default gateway?
Correct. In Site A, I have a block of public IP addresses that I can use however I want. Some of the servers will be open to the public, like our own website, email servers, etc. But other services need to be accessible only through the VPN.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: PF Sense as a Firewall with OpenVPN (NEED HELP!!!)

Post by TiTex » Thu Nov 30, 2017 6:49 am

Usually our ISPs do something like this: you get a main public IP, then if you request a public subnet they will give you one, but the subnet will be routed to your main public IP by their routers.

So on our side we do something like:


+---------------------------------------------------------+
|            Main Public IP (ie: 3.3.3.3)                 |  Main Router
| ================ ROUTING ============================== |
|         Public Subnet IP  (ie: 88.77.66.1)              |
+------------------------+---------------------------------+
                         +
                         +
                         +
+------------------------+--------------------------------+
|             LAN Public IP  (ie: 88.77.66.2)             | LAN Router
| ============== NAT/ROUTING ===========================  |
|              LAN GW (ie: 10.0.10.1)                     |
+------------------------+--------------------------------+
                         +
                         +
                         +
+------------------------+--------------------------------+
|            LAN Client (ie: 10.0.10.11)                  | LAN Client
+---------------------------------------------------------+

If all of these servers in Site A have a common default gateway in your network like above, then try to add a static route on that gateway:
openvpn lan subnet/subnet mask via==> pfsense public ip
This will only work if your servers are in the same LAN, i.e. they have public IPs in the same subnet and you control their default gateway.

Otherwise I think you can only solve this using some kind of VPN tunneling (GRE p2p / ssh tunnel / as OpenVPN clients), or do NAT on pfSense for the OpenVPN subnet and allow connections on your servers from the pfSense public IP.
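The return-path problem TiTex describes, and both fixes (a static route on the servers' gateway, or source NAT on pfSense), worked through as an added example that is not from the thread. The topology, addresses and the tunnel subnet 10.8.0.0/24 are constructed assumptions.

```python
import ipaddress

# Constructed topology (addresses are assumptions, not from the thread).
PUBLIC_NET = ipaddress.ip_network("88.77.66.0/24")   # Site A public block
PFSENSE_IP = ipaddress.ip_address("88.77.66.2")       # pfSense WAN / OpenVPN server
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")      # OpenVPN tunnel subnet
VPN_CLIENT = ipaddress.ip_address("10.8.0.6")         # Site B's tunnel address
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries."""
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

def reply_next_hop(reply_dst, gateway_static_route=False):
    """Where does a Site A server's reply packet end up?
    The server has no route for the tunnel subnet: only on-link and default."""
    server_table = [(PUBLIC_NET, "on-link"), (DEFAULT, "isp-gateway")]
    # The ISP gateway only knows the tunnel subnet if a static route is added.
    gateway_table = [(PUBLIC_NET, "on-link"), (DEFAULT, "internet")]
    if gateway_static_route:
        gateway_table.append((TUNNEL_NET, "pfsense"))
    hop = lookup(server_table, reply_dst)
    if hop == "isp-gateway":
        hop = lookup(gateway_table, reply_dst)
    if hop == "on-link" and reply_dst == PFSENSE_IP:
        hop = "pfsense"
    return hop

def snat(src, pf_ip=PFSENSE_IP):
    """Source NAT on pfSense: a tunnel source is rewritten to the pfSense public
    IP before forwarding, so the server's reply is delivered on-link."""
    return pf_ip if src in TUNNEL_NET else src

def scenarios():
    """Reply destination for the three setups discussed in the thread."""
    return {
        "no_route_no_nat": reply_next_hop(VPN_CLIENT),
        "static_route_on_gateway": reply_next_hop(VPN_CLIENT, gateway_static_route=True),
        "nat_on_pfsense": reply_next_hop(snat(VPN_CLIENT)),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:25s} -> reply goes to {hop}")
```

In the first scenario the reply leaves toward the internet with a private destination and never returns through the tunnel, which is what a traceroute that dies at the firewall looks like from the client side.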

erolon
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 29, 2017 8:28 pm

Re: PF Sense as a Firewall with OpenVPN (NEED HELP!!!)

Post by erolon » Fri Dec 01, 2017 5:39 am

Well, some of our servers in Site A do share the same gateway, but I have no control over the gateway. Still, I kept testing different methods, and the only way I managed to do this was using the OpenVPN server on Site A as a gateway and doing NAT with a public IP address in the same block.

By the way, thanks for that explanation. It really helped me understand the whole concept better.
