RESET Forums (homeservershow.com)
KrisseZ

A new router / firewall


jmwills

Anyone with experience on pfSense and VPN connections? I can't seem to make it work.

 

Enabled VPN services, made the necessary firewall adjustments and it's still a no go. :(

 

Mike Howard (GeekAccountant) is the resident expert on that program on these forums. Search him out.

KrisseZ

Okay so here is where I'm at the moment. This is my current layout of the network.

 

ipsec.jpg

 

The basic layout is fine and working. I have the pfSense interfaces set up as such:

 

WAN = Vlan 1 on nic rl0

LAN = Vlan 10 on nic rl0

LAN2 = Vlan 20 on nic rl0

 

And they are all fine and operational.

 

interfaces.jpg

 

I have a manual NAT entry for both LANs and both are able to connect to the internet (which isn't relevant at all for this test).

The IPsec service is enabled and I have it configured and working, sorta, since the laptop can connect to the network and is seen by the IPsec status, but it has no connectivity. Here is a screen of the IPsec settings. I know it doesn't show all of it, but I can post more info if someone needs it.

 

ip_conf.jpg

 

And as for the firewall, on every interface except WAN I have rules to pass any protocol from any network to any destination, and at the end there is a manually configured implicit deny for the sake of logging. I also run a syslog server on the 192.168.0.3 PC.

 

firewall.jpg

 

While the mobile client is connected via IPsec the pings aren't showing on the syslog, which is kinda funny, since it should either ping or show up on the syslog end on the implicit deny rule. So I'm thinking this has something to do with the IPsec configuration, but I'm not sure. I've done IPsec with Cisco equipment but not with BSD or Linux.

 

Some of you might wonder why I want to establish a VPN tunnel inside my local network. The answer is throughput testing. My current internet connection isn't nearly as fast as I will require in the future, so a 100mb LAN is a necessity.

 

Any insight or tips would be appreciated and thx Jimwills for the tip. I think I'll try to contact him tomorrow. I've done way too much today.
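The post above describes a rule set of "pass any" followed by a logging "block any" on each LAN, plus IPsec clients whose pings appear neither on the syslog box nor at their destination. The script below is an added example, not something from the thread or from pfSense itself: it models first-match rule evaluation (which is how pfSense applies its per-interface rules) and finds rules that an earlier rule on the same interface shadows. The interface names, the VPN client address 10.0.8.5, the LAN client address 192.168.10.5 and the `default_deny_logs` switch are constructed for the example; whether the firewall's own default deny is logged is a setting, so it is passed in rather than assumed.

```python
"""Toy first-match firewall model for reasoning about rule order and logging.

Added example (not pfSense code). Interface names, addresses and the
default-deny logging flag are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    interface: str          # interface tab the rule lives on
    action: str             # "pass" or "block"
    src: str = "any"        # IPv4 network in CIDR or "any"
    dst: str = "any"
    proto: str = "any"      # "icmp", "tcp", "udp" or "any"
    log: bool = False       # whether a match writes a log line


@dataclass(frozen=True)
class Packet:
    interface: str          # interface the packet arrives on
    src: str
    dst: str
    proto: str


def _matches(selector: str, value: str, is_net: bool) -> bool:
    """True if a rule selector matches one packet field."""
    if selector == "any":
        return True
    if is_net:
        return ip_address(value) in ip_network(selector, strict=False)
    return selector == value


def _covers(a: str, b: str, is_net: bool) -> bool:
    """True if selector a matches everything selector b can match (IPv4 only)."""
    if a == "any":
        return True
    if b == "any":
        return False
    if is_net:
        return ip_network(b, strict=False).subnet_of(ip_network(a, strict=False))
    return a == b


def evaluate(rules: List[Rule], pkt: Packet,
             default_deny_logs: bool = True) -> Tuple[str, bool, Optional[Rule]]:
    """First-match evaluation on the packet's interface.

    Returns (action, logged, matching_rule). When no rule on that interface
    matches, the firewall's implicit default deny applies; whether that deny
    is logged depends on the firewall's logging setting, passed in here.
    """
    for rule in rules:
        if rule.interface != pkt.interface:
            continue
        if (_matches(rule.src, pkt.src, True) and _matches(rule.dst, pkt.dst, True)
                and _matches(rule.proto, pkt.proto, False)):
            return rule.action, rule.log, rule
    return "block", default_deny_logs, None


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule on the same
    interface already covers every packet they would match."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface
                    and _covers(earlier.src, later.src, True)
                    and _covers(earlier.dst, later.dst, True)
                    and _covers(earlier.proto, later.proto, False)):
                dead.append(later)
                break
    return dead


# Rule set as described in the thread: pass-any then a logging block on each LAN,
# and nothing at all on the IPsec interface (constructed names).
RULES = [
    Rule("LAN", "pass"),
    Rule("LAN", "block", log=True),
    Rule("LAN2", "pass"),
    Rule("LAN2", "block", log=True),
]

# Constructed sample traffic: a LAN ping and a ping from a VPN client address.
LAN_PING = Packet("LAN", "192.168.10.5", "192.168.0.3", "icmp")
VPN_PING = Packet("ipsec", "10.0.8.5", "192.168.0.3", "icmp")


if __name__ == "__main__":
    print("LAN ping:", evaluate(RULES, LAN_PING)[:2])
    print("VPN ping, default deny unlogged:", evaluate(RULES, VPN_PING, False)[:2])
    print("dead rules:", shadowed_rules(RULES))
```

Running it shows two things worth checking on a real box: the manual logging deny after a pass-any never fires on LAN or LAN2 (both are reported as shadowed), and traffic arriving on an interface with no rules at all is decided by the default deny, so whether it ever reaches syslog depends on the default-deny logging setting rather than on the hand-written rule.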

jmwills

Yea, I was wondering about the inside VPN myself. I see you have 100Mbps NICs, why not GIG for all the internal traffic? This is one of my future projects and I can also see myself getting bogged down in this.

KrisseZ

100mb is a restriction laid down by the switch. I don't own a Gbit switch with 802.1q trunking and the only one they were willing to lend me from school was an old 100mb switch. If I were to really build this setup it would be built on top of a gigabit network.

 

EDIT: old switch as in 2004 old. :D

coxhaus

I don't have an answer but have you tried to add a port to vlan 1 and see if you can access your resources from the extra port? This would allow you to take IPSEC out of the picture and test your switch setup. I am not sure about router on a stick and how it works. How about adding another nic to the pfsense box for testing to see if it is related to one nic in the pfsense box?

itGeeks

Not interested in hamachi and I wouldn't consider myself as an average user either.

 

I got the IPsec tunnel working. (Let down with the PPTP since it seems to have some sort of problem with version 2.0.0 and after. LCP negotiation failing with newer Windows like Vista, 7 etc.)

 

Still having a problem with the firewall rules or internal routing since the mobile VPN client is shoved into a virtual IP space and has no connectivity to other networks. If I try to tell IPsec to push local network information to the client, the VPN breaks. If I try it without the virtual address space the VPN breaks. And I'm not even trying to set the client IP information manually, cause that would be unacceptable from my point of view. (Some of you might be thinking, what's the biggie in writing an IP address to a VPN client, but I want it automatically configured and that's the way I'm going to have it.)

 

KrisseZ, I am not saying you're an average user, I am just saying hamachi is a much easier solution. Please don't shoot the people that are trying to help. Good luck with your trouble.

KrisseZ

KrisseZ, I am not saying you're an average user, I am just saying hamachi is a much easier solution. Please don't shoot the people that are trying to help. Good luck with your trouble.

 

I'm sorry if I sounded rude. I had been tackling my issue for 8 hours straight and I felt rather irritated. My apologies Mr Fixit.

 

I really want to make this work with the standard VPN techniques, even better if the mobile access could be achieved with Windows 7 / Mac OS X native VPN clients. Because this is something that might be used by my parents and brother in the future and they require a certain ease of use. Windows 7 native VPN client support would be ideal for this.

 

 

I don't have an answer but have you tried to add a port to vlan 1 and see if you can access your resources from the extra port? This would allow you to take IPSEC out of the picture and test your switch setup. I am not sure about router on a stick and how it works. How about adding another nic to the pfsense box for testing to see if it is related to one nic in the pfsense box?

 

vlan 1 is the NAT outside zone so no resources can be reached from it without the aid of a VPN, in this case IPsec. Since vlan 1 is directly connected to the ISP, I'd rather work within my own local LANs to avoid any inconveniences to my ISP. And if by "router on a stick" you are referring to the trunk config, I wouldn't want to add another NIC, since it would take the whole meaning out of my experiment. :D If the trunked conf is unable to function properly, then it simply means pfSense won't be my next firewall. :)

KrisseZ

With some deeper searching of the pfSense forums, it seems that versions 2.0.0 and after have their VPN features badly messed up. Many have problems trying to establish a mobile client VPN with IPsec, and PPTP and L2TP VPNs have LCP negotiation problems with Windows 7.

 

Doesn't seem good. :D

KrisseZ

Good news and bad news.

 

I got the PPTP VPN working, so tomorrow I am able to finish my experiment and do the throughput testings.

 

Bad news is I've worked the whole day for nothing. pfSense indeed is broken atm and if only I had used my Mac from the beginning I would have saved myself a lot of trouble.

 

Mac OS X native PPTP client to the rescue.

coxhaus

I am glad you got it working. I thought by your diagram you had 192.168.0.1 255.255.255.0 assigned to vlan 1 with a network 192.168.0.0/24 and with trunking set up with the other vlans. I have seen addresses flow one way and not the other when using vlans. My old Cisco days. Routers tend to work better when 2 interfaces are used. Router on a stick is a router with one interface. I have seen problems in the old days with routers and one interface. I have not used pfsense so I was looking at it from a network point of view. I currently use a Cisco router with untangle behind it. I am considering using pfsense to reduce my response time on the WAN.
