Replacing Untangle with Pfsense

Good Afternoon fellow IT people! Running into a snag and would love your input.

I’m replacing an Untangle appliance that currently runs an OpenVPN server for a number of employees. Before removing Untangle, I was wanting to roll out the change on a per-user basis, so I installed a pfSense on a separate public static IP and set up OpenVPN on it. So the setup has the existing Untangle (192.168.20.1) and the new pfSense (192.168.20.2) on the LAN, where VPN users connect to a server (192.168.20.225) that has the original default gateway of 192.168.20.1 (Untangle). I can connect OpenVPN users, and users can ping 192.168.20.2 but cannot ping 192.168.20.225 (server). After some head scratching I believe the server’s default gateway (192.168.20.1) is the cause of the ping not being returned. So I would love to ask two questions… am I making this harder than it should be, aka is there a better way? Second, if I were to keep this setup to roll users over, how could I make this work? Thanks for educating me! Cheers!

What does your firewall look like for the OpenVPN tab? Go to Firewall → Rules → OpenVPN. An example of mine looks like this. If you don’t have anything defined then traffic won’t be able to go anywhere.

I would do a lift and shift; that way, if for some reason pfSense doesn’t work, you can always go back to Untangle. Would be easy to do if you are using physical devices and probably not too difficult in a VM either.

The pfSense needs to be in the gateway list on the server, and yes, you can have both pfSense and Untangle as the gateways at the same time.

Thanks LTS_TOM, I added a second gateway to the interface IPv4 settings under the Advanced tab with a metric higher than the default; unfortunately I still couldn’t ping that server. I ended up adding a permanent route on the server, “route -p ADD 192.168.70.0 MASK 255.255.255.0 192.168.20.2”, so from the server interface traffic from the OpenVPN tunnel network (192.168.70.0) would be routed to gateway 192.168.20.2. So did I do something wrong by adding a second default gateway to the interface? Why didn’t that work? I was under the belief that if traffic failed to make its way through the first then it would fall back to the second. Hmmm. Love the input and still learning, obviously!
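An added check for the persistent-route fix described in the reply above (example code, not from anyone in this thread): on the Windows server, Find-NetRoute shows which next hop the server will use for a VPN client address, so you can confirm replies to the 192.168.70.0/24 tunnel network go to pfSense (192.168.20.2) instead of the Untangle default gateway (192.168.20.1). The interface alias "Ethernet" and the client address 192.168.70.10 are assumptions.

```powershell
# Added example, not from the thread. Values from the thread: tunnel network
# 192.168.70.0/24, pfSense LAN IP 192.168.20.2. Assumed: NIC alias "Ethernet",
# and 192.168.70.10 as a constructed VPN client address used only for the lookup.
$TunnelNet    = "192.168.70.0/24"
$PfSenseLan   = "192.168.20.2"
$Nic          = "Ethernet"
$SampleClient = "192.168.70.10"

function Show-NextHop {
    param([string]$Dest)
    # Find-NetRoute returns two objects: the source address it would use and
    # the matching route. A NextHop of 0.0.0.0 means on-link; anything else is
    # the gateway the server will hand the reply packet to.
    $route = (Find-NetRoute -RemoteIPAddress $Dest)[1]
    "{0} -> {1} via {2} (metric {3})" -f $Dest, $route.DestinationPrefix,
                                          $route.NextHop, $route.RouteMetric
}

Write-Host "Route selected before adding the tunnel route:"
Show-NextHop $SampleClient

# Add the return route only if it is not already present. New-NetRoute writes
# to the persistent store by default, matching the thread's "route -p ADD".
if (-not (Get-NetRoute -DestinationPrefix $TunnelNet -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $TunnelNet -InterfaceAlias $Nic `
                 -NextHop $PfSenseLan | Out-Null
}

Write-Host "Route selected after adding the tunnel route:"
Show-NextHop $SampleClient
```

If the second lookup still reports the 0.0.0.0/0 default route, the new route was not installed on the interface that actually carries the LAN traffic; check the alias with Get-NetAdapter.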

Had to look up “lift and shift”… great idea and learned a new term! Yes, always good to be able to fall back to the Untangle. Thanks for the input.

First thing I checked. Firewall rule good to go. Thanks for the advice.

Just a sanity check: the IP ranges for your OpenVPN clients on Untangle and pfSense are different, correct? I would keep the persistent route and get rid of the second gateway, because I assume you’re only using pfSense for OpenVPN traffic at the moment.

Yes, thanks. Removed the second default gateway on the interface, kept the persistent route, and OpenVPN on each device is on a separate network. So easy to make a mistake; thanks for the advice.
