Problem in Connecting PC to Server across Different Subnet via VPN

Hello All,

I wish to connect iMac to an HTTPS server on different subnet and both networks are configured via different VPN services. However, with the rule below, I just can’t establish the connection.

In addition, the existing rules on LAN (igb1) are:

  1. LAN devices (iMac connected) can go everywhere without restrictions;
  2. Internet connection goes through LANVPN;
  3. Kill switch is enabled as floating rule if VPN is down.

The existing rules on SERVER (igb2) are:

  1. All devices can’t go to LAN network;
  2. All devices can’t go to APWIFI network;
  3. Internet connection goes through SERVERVPN;
  4. Kill switch is enabled as floating rule if VPN is down.

It is greatly appreciated if anyone can help me diagnose the problem. I feel this is such an easy setup but I am very new to pfSense and just can’t figure this out …

Thanks in advance.

Cheers,
Eric

If the device is starting from LAN then there needs to be a LAN rule to allow going to LANVPN.


Hi Eric,
Can you reach the endpoint from the firewall itself?

SSH into pfSense and issue:
curl https://192.168.2.2

Thanks Tom and sorry to keep on banging on this setup again …

The existing rule for my LAN network is wide open, I would imagine this will allow my iMac to go everywhere.

Unfortunately, this still doesn’t work … After doing some research, I think it is because of the virtual address that is introduced by the VPN.

Would you mind providing some step-by-step instructions on how the communication can be established? Thank you so much.

Cheers,
Eric

Thanks chernobyl.

I have tried it and it doesn’t work … I also tried to use Ping under Diagnostics on pfSense and I can only ping the server via SERVER interface. I can’t ping the server via any of the VPN interfaces even after introducing firewall rules to pass the traffic …

Given you are having so many issues, I would start fresh so you can understand what is happening. Just start with two VLANs A and B, making sure they can communicate, then layer on your rules, one by one.

Took me ages to suss it out, but using allow-all conditions is a red herring. Understanding this section of Netgate’s docs helped me out: https://docs.netgate.com/pfsense/en/latest/firewall/index.html#managing-firewall-rules

Using ‘Alias’ for your subnets also means you don’t need to have so many rules. Don’t even bother with entering ports, use the alias.

What I found was that all my interfaces had the same core rules, with slight tweaks required for blocking external traffic from camvlan, a different gateway for VPNvlan, etc. The OpenVPN interface also has similar rules to my VLAN interface.

Like the Chinese say, “easy when you know how”.


You can also create a VPN that acts as a bridge to the server network, instead of offering a separate subnet. Then, your firewall rules wouldn’t come into play. You’ll need to carve out at least one IP address in the server network for the VPN client, but that’s really all you’d have to do.

@plrpilot when you do it this way, it passes multicast correct?

Yes. I believe this is the only way layer 2 multicasting will work, as it’s not routed – unless you have some specialized forwarding rules in place. If I’m wrong, I’m sure someone will correct me. :smiley:

We did this on a few networks that were isolated where pfSense was not the gateway. It basically enabled us to inject a VPN user on the network as a local connection.

Thanks plrpilot. I did try this method, whereby the server was placed into the same subnet as the other devices, and I tried to carve out the server from accessing other parts of the network for security reasons.

However, the firewall rule doesn’t allow me to carve out the server for connectivity, and I could still ping the server with the rule in place. This is not what I wanted to achieve.

How did you carve out the server with your method?

If you’re placing the VPN user on the same subnet as the server, then there would be no rule to stop the traffic, as the traffic wouldn’t technically need gateway/firewall services.

However, if the VPN user is on a different subnet, then the firewall rules would apply. If you’re hitting the server, then your traffic is hitting an allow rule that allows the communication. I would recommend disabling all of the rules (remember, pfSense is deny by default), then enabling each one until you find out which rule is allowing the traffic.

I hope this helps.

Thanks plrpilot.

I am very new to pfSense and I have no clue on which interface this allow rule should be placed in order to allow the communication between the LANVPN network and the SERVERVPN network. Would you mind giving me a direction?

Sorry, this might be a really really basic question …

Hi Eric,

pfSense manages traffic from the “From” interface. It’s assumed that traffic is already on that interface, and you’re trying to control where that traffic can go.

I’m a little confused on where your VPN user is, and what you’re trying to talk to. I’m not sure why you have two networks with VPN in the title.

Where is your VPN user? What network are they needing to talk to?

Thanks plrpilot.

Sorry for the confusion. Please see my network topology as below:

I used two VPNs just to provide complete separation between two networks. This is the same as Tom’s video where he configured Swiss and Chicago VPN interfaces.

My understanding is that the HTTPS traffic from the iMac will arrive at LAN net → VPN1 Gateway and try to connect to the Server, but I just can’t figure out how to direct the traffic as:

LAN net → VPN1 Gateway → VPN2 Gateway → Server net → Server (192.168.2.2)

Your advice is greatly appreciated!

Cheers,
Eric
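The two points plrpilot makes above, that pfSense evaluates rules on the interface the traffic arrives on and is deny by default, and the routing question in Eric’s last post, can be illustrated with a small model of pfSense’s first-match interface rules. This is an added example written for this page, not code from the thread or from pfSense itself. The LAN subnet 192.168.1.0/24, the iMac address 192.168.1.50 and the gateway names LANVPN_GW / SERVERVPN_GW are assumed; only the server address 192.168.2.2 comes from the thread. The point it demonstrates is that a wide-open LAN rule with a gateway set policy-routes every match, including traffic for the local SERVER subnet, out the VPN tunnel, whereas a pass rule for the SERVER subnet with no gateway placed above it lets that traffic follow the normal routing table. Floating rules (the kill switch) are not modelled.

```python
"""Toy model of pfSense interface-rule evaluation (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    iface: str                      # interface the packet ENTERS on (pfSense's "From" side)
    action: str                     # "pass" or "block"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    gateway: Optional[str] = None   # policy-routing gateway; None = normal routing table
    name: str = ""


def _matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules: List[Rule], iface: str, src: str, dst: str) -> Optional[Rule]:
    """Interface rules are first-match, top to bottom, and only the rules on the
    ingress interface are consulted. No match at all means the implicit default deny."""
    for rule in rules:
        if rule.iface == iface and _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule
    return None


def decide(rules: List[Rule], iface: str, src: str, dst: str) -> Tuple[str, Optional[str], str]:
    """Return (verdict, next_hop, rule_name). next_hop is the policy-routing gateway when the
    matching rule sets one, "routing-table" otherwise, and None when the packet is blocked."""
    rule = first_match(rules, iface, src, dst)
    if rule is None or rule.action == "block":
        return ("block", None, rule.name if rule else "default-deny")
    return ("pass", rule.gateway or "routing-table", rule.name)


# Constructed addresses: LAN 192.168.1.0/24 (assumed) and SERVER 192.168.2.0/24, with the
# HTTPS server at 192.168.2.2 as in the thread. Gateway names are assumed.
LAN_NET, SERVER_NET = "192.168.1.0/24", "192.168.2.0/24"
IMAC, SERVER = "192.168.1.50", "192.168.2.2"

# LAN rule set as described in the thread: one wide-open rule, policy-routed out the VPN.
RULES_AS_DESCRIBED = [
    Rule("LAN", "pass", LAN_NET, "any", gateway="LANVPN_GW", name="LAN allow all via LANVPN"),
]

# Same intent, but a pass rule for the local SERVER subnet sits ABOVE the policy-routed rule,
# and the SERVER interface keeps its "may not start sessions to LAN" block.
RULES_LOCAL_FIRST = [
    Rule("LAN", "pass", LAN_NET, SERVER_NET, gateway=None, name="LAN to SERVER net, normal routing"),
    Rule("LAN", "pass", LAN_NET, "any", gateway="LANVPN_GW", name="LAN allow all via LANVPN"),
    Rule("SERVER", "block", SERVER_NET, LAN_NET, name="SERVER may not start sessions to LAN"),
    Rule("SERVER", "pass", SERVER_NET, "any", gateway="SERVERVPN_GW", name="SERVER internet via SERVERVPN"),
]


if __name__ == "__main__":
    for label, rules in (("as described", RULES_AS_DESCRIBED), ("local-first", RULES_LOCAL_FIRST)):
        print(f"iMac -> server, {label}: {decide(rules, 'LAN', IMAC, SERVER)}")
    # Sessions the server itself opens toward LAN are still refused under the reordered rules.
    print("server -> iMac, local-first:", decide(RULES_LOCAL_FIRST, "SERVER", SERVER, IMAC))
```

With the rule set as described, the iMac’s HTTPS request to 192.168.2.2 matches the only LAN rule and is handed to the VPN gateway, so it never reaches the SERVER interface; with the local-subnet rule placed first it is passed with no gateway and follows the routing table to the SERVER net. The server’s reply does not need a SERVER-interface rule because pfSense is stateful and the reply matches the state the LAN rule created; the SERVER rules only judge connections the server initiates, which is why the “no sessions to LAN” block still holds. Running `decide()` against each candidate rule set is also a quick way to do what plrpilot suggests, namely see exactly which rule a given packet is hitting.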