The pfSense club



Well shoot, anybody want to give me a hand with figuring out why I can't port forward out through my LAN1 (VPN) setup? Would be nice to NOT have to swap networks every time I want to fire up a game. My "naked" LAN2 setup is far from safe and secure lol. AV and adblocking I usually just put on every "client" rig / device in the house. So really my only issue is my DNS not working properly for some odd reason and I cannot get ports to forward at all. It's more than likely just me getting confused because I have two LANs set up, or maybe the DNS isn't set up properly causing problems, or I'm doing the ports wrong entirely. This thing is also a LOT more technical than anything I've ever played with in the past.....that could have part to do with it too. :lachen:

Even if not, no big deal.  My setup "works" as is, I just don't like gaming naked on the internet.


4 hours ago, pioneerisloud said:

Well shoot, anybody want to give me a hand with figuring out why I can't port forward out through my LAN1 (VPN) setup? Would be nice to NOT have to swap networks every time I want to fire up a game. My "naked" LAN2 setup is far from safe and secure lol. AV and adblocking I usually just put on every "client" rig / device in the house. So really my only issue is my DNS not working properly for some odd reason and I cannot get ports to forward at all. It's more than likely just me getting confused because I have two LANs set up, or maybe the DNS isn't set up properly causing problems, or I'm doing the ports wrong entirely. This thing is also a LOT more technical than anything I've ever played with in the past.....that could have part to do with it too. :lachen:

Even if not, no big deal.  My setup "works" as is, I just don't like gaming naked on the internet.

Ok. 

 

So your setup is: 

 

WAN 

LAN1 (VPN)

LAN2

 

Is this a correct representation of your interfaces?

 

So far as your DNS, is this resolving properly on LAN1 or LAN2 ? 

 

Do you have a screenshot of a configuration page for one of your port forwards ?

 


3 hours ago, ENTERPRISE said:

Ok. 

 

So your setup is: 

 

WAN 

LAN1 (VPN)

LAN2

 

Is this a correct representation of your interfaces?

 

So far as your DNS, is this resolving properly on LAN1 or LAN2 ? 

 

Do you have a screenshot of a configuration page for one of your port forwards ?

 

That is how my setup is, yes. LAN1 (VPN) is my normal LAN where daily use goes on because VPN. LAN 2 literally just goes to a separate wireless AP (old router) and is not on the VPN, no. Firewall, best as I can tell is 100% disabled on it.

The DNS service I'm using is an entirely different bug of some kind of my missetup I'm sure.  Of course anything I'm trying to connect to via the DNS is going to be through the VPN'ed LAN1 network.  I can connect through the DNS on my LAN2 somehow, but actually over the internet the DNS cannot be seen.

Here's a screenshot of my port forwarding page under NAT's, which I believe is the correct spot here.  I tried swapping the ports around as well and didn't seem to do any good.  Ironically Plex still works outside the home, but only via transcoding.  Says I lack a direct connection.  I assume ports, but I suppose could be VPN related there.

EDIT:  The blacked out ones are RDP connections that do not work outside of the home but should.  The Minecraft servers don't work outside of the home either.  And the ports for "Steam Rig" were just me attempting to get Steam voice chat to work over the VPN, which it never did work.

 

[Screenshot: port forwarding page]


You don't need to have 2 LANs to split VPN and WAN traffic, you can use Firewall rules to set what device you want to go through the WAN or the VPN.

I have some of my devices going through the VPN and others only through the WAN.  I also have a firewall rule just for my desktop that I use to switch between the VPN and the WAN.

 

Here's a guide from reddit

 

 

I didn't use that guide, I used what I learned from this.

 

 


Well, I wasn't originally trying to go straight to WAN, I was just simply trying to port forward through the VPN.  When that didn't work, I setup the second LAN as a backup idea so I could still game on my main rig.  It just leaves my entire server behind the firewall, and not accessible outside of the house.  


On 13/12/2021 at 14:35, ENTERPRISE said:

Just a small update. 

 

So I have everything setup and working well.  Other than PfSense handling DNS and DHCP for my network, I also have it doing a local cache of web pages via Squid Proxy Server with ClamAV enabled for additional security for all that incoming traffic. Lastly as I hate ads, I have installed and setup pfBlockerNG. This kind of finishes off everything I wanted to far as a box to handle the main network workload as well as other nice features for security.  

 

Fortunately with having 8GB RAM in this box it allows for me to stretch pfSense a little further, especially with ClamAV & pfBlockerNG with the larger definition tables and I can cache web pages into RAM depending upon defined limits.

 

I do not yet have Wireguard setup for VPN. Deciding whether I want the pfSense to handle that or stick to clients on the PC's. I am aware of the pro's and cons but have not made a decision. Thanks to all that helped, especially @AllenG !

Sounds like a solid setup! Glad I could be of help.

VPN routing is tricky, a lot of VPN providers have interesting setups to route through and most want you to use their software clients.


On 14/12/2021 at 17:06, pioneerisloud said:

Well, I wasn't originally trying to go straight to WAN, I was just simply trying to port forward through the VPN.  When that didn't work, I setup the second LAN as a backup idea so I could still game on my main rig.  It just leaves my entire server behind the firewall, and not accessible outside of the house.  

You will need to segregate your clients in some sort of way (there are a multitude of ways to accomplish this, all have their up sides and down sides.) Then modify your outbound rules to send the traffic not meant for your local networks out the VPN's assigned gateway.

 

Port forwarding as you are thinking probably will not work, most VPN services will be blocking ALL traffic IN at their end and you have no control of that, so port forwarding through the VPN service isn't really going to work. If you want to host something real world you will have to port forward to your real WAN address.

To be honest, I think you may be mistaking the need of port forwarding for the reason of improper outbound rules. I take it you are having a hard time getting traffic to pass out the VPN connection as most traffic is trying to take the path of the standard WAN?

Another note, when you do get your issues above sorted out then there is still the issue of DNS leaks. By default, when making a DNS request it will ask all upstream DNS servers to respond to the query (including your ones on the WAN port). Effectively you won't be fully routing all requests and traffic out the VPN. You will have to play with the DNS forwarder or resolver configurations (again different ways to get it done and they all have their ups and downs.) The easiest way I can think of to get around this is configure the clients you wish to use the VPN only, to look directly at the VPN's DNS servers instead of your local opnsense DNS forwarder.

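The DNS leak described in the post above can be checked for from packet captures taken on the firewall. This is an added example, not part of the thread: it flags DNS queries from VPN-only clients that the firewall then forwarded out the WAN interface. The interface names, subnets and the interface-prefixed capture format are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed layout (hypothetical, not taken from the thread).
VPN_ONLY_NET = ipaddress.ip_network("192.168.10.0/24")  # LAN1: must use the VPN
WAN_IF = "igb0"                    # physical WAN interface
WINDOW = timedelta(seconds=2)      # max delay between client query and forward

# Constructed sample: tcpdump-style DNS query lines from several captures,
# merged and prefixed with the interface each packet was seen on.
# igb1 = LAN1, igb2 = LAN2, ovpnc1 = VPN client interface.
SAMPLE = """\
igb1 18:02:11.100 IP 192.168.10.50.51000 > 192.168.10.1.53: 1001+ A? game.example.net. (34)
igb0 18:02:11.105 IP 203.0.113.7.40001 > 198.51.100.53.53: 7711+ A? game.example.net. (34)
ovpnc1 18:02:11.106 IP 10.8.0.2.40002 > 10.8.0.1.53: 7712+ A? game.example.net. (34)
igb2 18:02:15.000 IP 192.168.20.9.52000 > 192.168.20.1.53: 2002+ A? cdn.example.org. (33)
igb0 18:02:15.004 IP 203.0.113.7.40003 > 198.51.100.53.53: 7713+ A? cdn.example.org. (33)
igb1 18:02:20.000 IP 192.168.10.50.51001 > 192.168.10.1.53: 1002+ AAAA? vpn-only.example.com. (38)
ovpnc1 18:02:20.003 IP 10.8.0.2.40004 > 10.8.0.1.53: 7714+ AAAA? vpn-only.example.com. (38)
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse(text):
    """Turn capture lines into DNS query events; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        events.append({
            "iface": m["iface"],
            "time": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"],
            "qname": m["qname"].rstrip(".").lower(),
        })
    return events


def find_leaks(text):
    """Return (qname, client, upstream) for each leaked lookup.

    After NAT the client address is no longer visible on the WAN side, so a
    WAN query is attributed to a VPN-only client when the same name was asked
    by that client at most WINDOW earlier.
    """
    events = parse(text)
    client_queries = [e for e in events if e["src"] in VPN_ONLY_NET]
    leaks = []
    for e in events:
        if e["iface"] != WAN_IF:
            continue  # queries leaving via the VPN interface are expected
        for q in client_queries:
            delay = e["time"] - q["time"]
            if q["qname"] == e["qname"] and timedelta(0) <= delay <= WINDOW:
                leaks.append((e["qname"], str(q["src"]), e["dst"]))
                break
    return leaks


if __name__ == "__main__":
    for qname, client, upstream in find_leaks(SAMPLE):
        print(f"LEAK: {qname} asked by {client} was sent to {upstream} via {WAN_IF}")
```

The LAN2 lookup for cdn.example.org is not reported because that client is not in the VPN-only subnet; only the lookup that a LAN1 client made and that also left via the WAN counts as a leak.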

2 hours ago, AllenG said:

Sounds like a solid setup! Glad I could be of help.

VPN routing is tricky, a lot of VPN providers have interesting setups to route through and most want you to use their software clients.

I am finding that it may be easier to stick with the software clients on a machine basis for VPN to be honest. 


  • 3 weeks later...

Hey all, 

 

So I am having a hard time with getting my Plex server sorted with PfSense. Thus far I have the ports forwarded and double checked they are correct as per the screenshot below. 

 

[Screenshot: port forward configuration]

 

For the sake of safety I also allowed these ports to be forwarded out via UPnP as the screenshot below. 

 

[Screenshot: UPnP configuration]

 

The issue I have is that for a while, Plex will state it has access to the outer internet and for a little while I can access Plex from an outside network, however eventually the Plex server loses connection and I have to sort of manually reset the connection for it to see the outside internet again.  

 

[Screenshot]

 

For disclosure the current security packages (other than standard Firewall) running are: 

 

Snort 

PfBlockerNG (Devel) 

 

I also have Squid Proxy Server enabled, but this was for page caching and ClamAV. 

 

To make sure Plex functions correctly so it works over LAN rather than PfSense sending it out to the open web and back due to how its DNS works, I did add the following entry into the DNS Resolver custom options :

 

Quote

server:
private-domain: "plex.direct"

 

[Screenshot]

 

It should be working always, as opposed to intermittently. I have checked blocking and firewall logs and none of the logs will mention any blocks happening on my Plex machine IP. So I am a little stumped.

 

Just thought I would put this here to see if anyone had any ideas. 

 

Thanks,

E

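Why the private-domain entry in the post above matters, as an added example that is not from the thread, pfSense or Plex: a simplified model of how a resolver with DNS rebinding protection drops private addresses from answers unless the queried name falls under a configured private-domain. The address ranges, the hostnames and the function names are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as private (RFC 1918), standing in for the resolver's
# private-address list when rebinding protection is on (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed hostname in the style of a plex.direct name that maps to a
# LAN address; the label in the middle is a made-up placeholder.
PLEX_NAME = "192-168-1-50.0123456789abcdef0123456789abcdef.plex.direct"


def in_domain(qname, domain):
    """True if qname is the domain itself or a subdomain (whole labels only)."""
    q = qname.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(q) >= len(d) and q[-len(d):] == d


def filter_answer(qname, addresses, private_domains):
    """Return the addresses the modelled resolver would hand to the client.

    Private addresses are removed from answers for public names, except when
    the name is covered by one of the private_domains entries.
    """
    exempt = any(in_domain(qname, d) for d in private_domains)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        is_private = any(ip in net for net in PRIVATE_NETS)
        if exempt or not is_private:
            kept.append(addr)
    return kept


def demo():
    """Compare resolver behaviour without and with the private-domain entry."""
    lan_answer = ["192.168.1.50"]
    return {
        # No exemption: the LAN address is stripped, so the client cannot
        # use the direct LAN path to the server.
        "without_entry": filter_answer(PLEX_NAME, lan_answer, []),
        # With the entry: the LAN address is returned.
        "with_entry": filter_answer(PLEX_NAME, lan_answer, ["plex.direct"]),
        # Look-alike names are not covered by the exemption.
        "lookalike_suffix": filter_answer("notplex.direct", lan_answer, ["plex.direct"]),
        "lookalike_prefix": filter_answer("plex.direct.example.net", lan_answer, ["plex.direct"]),
        # Public addresses are never affected.
        "public": filter_answer("www.example.org", ["203.0.113.10"], []),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The exemption is scoped to names under plex.direct only; rebinding protection still applies to every other domain.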

3 hours ago, AllenG said:

I'd be curious as to see if your issues arise around the same time as your real world ip address updates via dhcp upstream?

Good shout. I will have to keep an eye out. I may with my internet swap see about getting a business package where I can get a static IP which I would like anyway for other use cases.


I have reached out on the Netgate forums as I am stumped on this one. If I get anything from them, I will share the resolution here. 


Well guys, it was fun but I'm no longer a member of the pfsense club. 😞 There's just too many options to mess with in there, I was never able to resolve my issues I was having. Bought myself a copy of Minecraft Bedrock (Win 10) edition last night, and I couldn't connect outside of the house with it. Swapped to my Netgear R7000 and all is well again. There were too many services I try to utilize that just weren't working with OPNsense. Not the router at fault by any means, it's just too complicated for somebody who's only ever used consumer routers. I could probably get it going again and not use a separate VPN network like I had going.....but that kind of defeats the purpose of why I wanted it to begin with.


  • 3 months later...

I'm looking at building myself a router with old parts. My choices are a Supermicro X9SRH-7F-B and a Xeon E5-2697 v2 with 64gb+ ram or an Asus RAMPAGE V with a 5930k and 16gb of ram. What would be the more powerful option? Would be adding 10gb cards to either option. 

Looking to support a Plex server with say 4 users streaming in 4k, with enough bandwidth for me to download 20 torrents, surf the net and game at the same time. 

 

Otherwise I have little to no clue what I'm doing. I'm sure I could find better options but I have no other use for either and will likely throw them out if I don't use them for something. Already got a plex server, figured a router is next

 


I'm aware the most energy efficient option would be best. I'm just looking to make use of what I have without buying anything new. Best case I find a use for this hardware is some fore or the locals scrap yard can have. I'm going to a fire sale, everything must go or it's trash sale soon. 

 

I got a gaming PC I shouldn't need to upgrade much for years, same should go for my media server. So last thing I can think of is a super overpowered router. That can handle SM QOS with ease and can scale to stay great for 5+ Years.

 

So what I am looking at getting  if I can't use what I have now


  • 1 year later...

Is this club still alive, and how does it feel about opnsense?


It is still alive, just not posted in for a while. I still use pfsense, love it. I have zero experience with OPNsense though.


20 hours ago, ENTERPRISE said:

It is still alive, just not posted in for a while. I still use pfsense, love it. I have zero experience with OPNsense though.

 

I was a pfsense user for many years, and loved it. I ended up giving opnsense a try, and enjoy the gui much more.

I felt like some things were a little more intuitive as well.

 

I'll be getting my network back in shape this weekend, opnsense is gonna live in a VM on a NUC 11 pro running esxi, so I'll have to post about that once it's up and running.


3 minutes ago, maddangerous said:

 

I was a pfsense user for many years, and loved it. I ended up giving opnsense a try, and enjoy the gui much more.

I felt like some things were a little more intuitive as well.

 

I'll be getting my network back in shape this weekend, opnsense is gonna live in a VM on a NUC 11 pro running esxi, so I'll have to post about that once it's up and running.

It's amazing that I know a ton about computers and yet everything that you just said is Chinese to me. Sounds interesting though. 


2 minutes ago, Avacado said:

It's amazing that I know a ton about computers and yet everything that you just said is Chinese to me. Sounds interesting though. 

 

hahaha well, stay tuned for more info saturday/sunday!


2 hours ago, maddangerous said:

 

I was a pfsense user for many years, and loved it. I ended up giving opnsense a try, and enjoy the gui much more.

I felt like some things were a little more intuitive as well.

 

I'll be getting my network back in shape this weekend, opnsense is gonna live in a VM on a NUC 11 pro running esxi, so I'll have to post about that once it's up and running.

I look forward to it, some extra insight would be great. I am really happy with pfsense and works well for me. I would likely only entertain moving to something "Better" if something catastrophic happened. But if there was a time a move would make sense, it would be nice to be well informed on opnsense 🙂


On 27/04/2023 at 13:18, ENTERPRISE said:

I look forward to it, some extra insight would be great. I am really happy with pfsense and works well for me. I would likely only entertain moving to something "Better" if something catastrophic happened. But if there was a time a move would make sense, it would be nice to be well informed on opnsense 🙂

 

Didn't get to this over the weekend, but still planning for getting to it soon. maybe the next couple of nights, hopefully.


  • 6 months later...
On 02/05/2023 at 13:57, maddangerous said:

 

Didn't get to this over the weekend, but still planning for getting to it soon. maybe the next couple of nights, hopefully.


holy crap, life got in the way and I totally forgot about this.

 

I’ll have something in here later this afternoon.

 

especially since the NUC is actually in prod now.


ok, so the host specs are as follows:

 

Intel NUC11TNHi50L

Intel i5-1135G7 (4c/8t) base clock 2.4 GHz, turbo is 4.2GHz

32 GB (2x16GB) Mushkin Redline DDR4 3200MHz, CL16

1TB Samsung 970 Evo Plus

2x 2.5Gb Intel i225-LM NIC

 

I'm currently using ESXi v8.0U1a, but I'm considering moving to Proxmox (working on getting a test system up with Proxmox).

 

OPNsense is running as a VM. Originally I had it running with 2 vCPU, 512 MB RAM, and 30 GB HDD space. Recently I bumped it up to 4vCPU, and 1 GB RAM, due to using openvpn and having several concurrently connected users, I was seeing higher utilization and wanted more headroom. I may need to assign more RAM still, I'm at 60% utilization there still.

 

Having this as a VM is nice, because:

  • Resource assignment changes are easy. Shut down the VM, add/remove CPU/RAM, power up.
  • Rolling back from a failed upgrade is easy. Take a snapshot of the VM, install update(s), test, roll back to snapshot if needed. Delete snapshot if everything works fine.
  • My favorite part... the VM reboots in ~23 seconds.

 

I don't do anything too crazy right now in OPNsense, here's what it's doing:

  • OpenVPN setup for some friends to connect to game servers.
  • VLANs are routed here so I can use firewall rules instead of switch ACLs to manage traffic.
  • QoS to manage bufferbloat is in place.
  • Everything in my home that uses NTP syncs to OPNsense as the local time server (for now).
  • I've got netflow setup, but that really needs to be ingested elsewhere instead of it running on the firewall. Basically I need to setup another stack for monitoring and export netflow data from the firewall.
  • DDNS configured to update cloudflare for my domain
  • GeoIP filtering

In progress project is getting Wireguard configured for my phone, as OpenVPN, while nice, destroys battery life on mobile devices in my experience.

