Saturday, January 29, 2011

Routing traffic between home machines and remote machines over pfSense PPTP VPN...?

Hi All,

I'm having a bit of trouble routing my traffic through my VPN server. Basically I have a pfSense setup that works amazingly well for everything it's currently doing. However, now, I have need to set up a PPTP VPN. I've got the basic setup and login working fine. When I check my IP it says I'm on the remote network, etc. However, I can't seem to figure out how to properly route traffic to the internal network.

My current setup is as follows:

HOME SETUP
Trendnet Router:  192.168.1.1
1 Mac (192.168.1.101)
1 PC (192.168.1.148)

<------INTERNET------>

WORK SETUP
pfSense Firewall:  192.168.1.1
7 PC
3 Linux
all on 192.168.1.0 subnet

PFSENSE PPTP SETTINGS
Server Address: 192.168.2.1
Remote Address Range: 192.168.2.192/28
Require 128-bit Encryption:  True

As I said, I can connect to the PFSENSE VPN just fine and I'll receive an IP of 192.168.2.192 (or above). However I need to figure out what kind of rules I need in order to route traffic to the machines on the 192.168.1.0 WORK subnet so that they show up in network neighborhood, etc (and so that I can eventually VNC to them). I've added a rule to allow ALL traffic from the PPTP interface in, but I'm not sure where to go from here. Any assistance is most appreciated.

  • Your work and home networks are set up on the same subnet (192.168.1.0/24). You are going to need to switch one of them to another subnet, otherwise the machines will never be able to route out to the machines on the other network, as they think they are local.

    If you still can't talk after you switch the subnet at one location, post back here and we can work with you from there.


    To clarify a little on how VPN works based on your comment.

    You don't assign the VPN clients to the same subnet as your office. They need to be on a unique subnet. For my example let's assume the following:

    • Home subnet is 192.168.1.0/24
    • Office subnet is 10.0.0.0/24
    • VPN subnet is 10.2.0.0/24

    What a connection to the office would look like is this:

    • Home computer: NIC1: 192.168.1.50; vNIC1-VPN: 10.2.0.50
    • pfSense: PublicNIC: 1.1.1.1; PrivateNIC: 10.0.0.10; vNIC1-VPN: 10.2.0.1
    • office server: NIC1: 10.0.0.100

    The vNICx-VPN NICs will be set up by your VPN client/server.

    After the user has established a VPN connection to the office, the traffic flow will look like:

    When the home computer connects to 10.0.0.100 it will:

    1. Look up the route in the routing table
    2. see a route that specifies the VPN adapter as the gateway
    3. The VPN Client subsystem will encapsulate the packets
    4. The machine will then send them over the public internet to the pfSense router.

    Once the router gets a VPN encapsulated packet it:

    1. sends it to the VPN Daemon subsystem
    2. The VPN subsystem will decode the packet
    3. The host will look up the unencrypted destination
    4. The machine will then route it out the proper interface to be sent to the Server.

    The response from the server will be sent to the pfSense router (since the subnet is not directly connected and the machine doesn't have any routes to that machine)

    The pfSense router will:

    1. look up the Home computer VPN IP, as that is what the server will see the packet as coming from.
    2. The routing table will tell it to send it through the VPN virtual adapter.
    3. The packet will be sent to the VPN subsystem, encapsulated, and sent over the internet to the client machine.

    Once at the client machine the VPN subsystem will decrypt the packet and send it up the networking stack to the application.

    Wash, rinse, repeat.

    humble_coder : Can I not "cross-route" with some specialized rules? Unfortunately I cannot change every employee's home subnet so as to be compatible with the work subnet. Nor can I change the office setup at this point in time. Is there anything else I can do?
    Goyuix : The problem is that you would potentially need to push the "cross-route" to the client machines as well were it even possible. Assuming this were even possible (which it isn't) - how on earth would you handle IP address collisions (home computers and work computers with the same IP address). This just isn't going to work without changing the network. I would recommend changing the work network - probably to something in the 10.x.y.z range.
    Zypher : @humble_coder: No. Connected routes take precedence; that is why most companies try to avoid 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 (the most common home networks). A 10.0.0.0/8 or 172.16.0.0/20 would be most preferable. If you want to stay in 192.168.0.0/16 then go with something like 192.168.200.0/24.
    humble_coder : Alright, I will beg borrow and steal today in order to get approval for office IP change. That said, once I have them on a different subnet, I still face the challenge of not being able to assign the VPN clients to the same subnet as the office -- pfSense warns me that the address range I've chosen for VPN clients is in the same subnet as the office. So, how do I proceed from there?
    humble_coder : Ok so I got the office switched to 10.0.0.0/24. Everything works like a charm--mostly. I can map, ping, and manually mount remote drives. However it seems that no NETWORK NEIGHBORHOOD, or "zero-config" items work. Do I need to set up a rule to pass all traffic on the network (or maybe just UDP)?
    Zypher : RE: Network Neighborhood: if I remember correctly (I never trust it), it uses NETBIOS, which doesn't like to be routed. And zero-conf protocols use broadcast addressing to do their magic, which would never be routed outside of your broadcast domain.
    humble_coder : Hrm, alright. Well, my current setup is rather simple. I have no vNICs set up. I simply have the VPN Server showing itself as 10.0.1.1 and all VPN machines getting IPs 10.0.0.192/28. Is it absolutely necessary to set up vNICs in order to route traffic back? Potentially silly question, but is the PPTP VPN not 100% "bi-directional" by default?
    3dinfluence : You'll need a WINS server on the office network and the clients on the vpn subnets will need to be configured to use it for proper name resolution across broadcast domains.
    humble_coder : @3dinfluence: The odd thing is, name resolution works fine -- at least in the case of web services. For instance, I can say "http:// blueserver" and everything just works. As I said, it seems the only items not working are DISCOVERY related. I tried installing Avahi, but that didn't appear to change anything. I'll look into a WINS server. Thanks.
    Zypher : The 'vNICs' were just placeholders for the backend of the VPN tunnel (if you look at your network adapters you'll see some extra NICs for VPN). http://blueserver works because it's using DNS, not NETBIOS.
    From Zypher
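Zypher's point that connected routes take precedence over the VPN route, and the routing-table lookups the answer walks through on both the home PC and pfSense, as an added example that is not part of the original thread; the routing tables, metrics and adapter names are constructed from the answer's sample addresses and are not taken from any real host:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str       # destination network in CIDR form
    interface: str    # adapter the packet leaves through
    metric: int       # lower wins among routes of equal prefix length

def select_route(routes, dst):
    """Pick the route a host would use: longest prefix first, then lowest metric."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))

def home_client_routes(office_subnet):
    """Routing table of the home PC while the VPN is up (constructed sample)."""
    return [
        Route("0.0.0.0/0", "NIC1 via 192.168.1.1", 20),   # default to the home router
        Route("192.168.1.0/24", "NIC1", 10),              # connected home LAN
        Route("10.2.0.0/24", "vNIC1-VPN", 30),            # connected VPN subnet
        Route(office_subnet, "vNIC1-VPN", 30),            # office route pushed by the VPN client
    ]

PFSENSE_ROUTES = [                                        # office-side pfSense (constructed sample)
    Route("0.0.0.0/0", "PublicNIC", 10),
    Route("10.0.0.0/24", "PrivateNIC", 10),               # office LAN
    Route("10.2.0.0/24", "vNIC1-VPN", 10),                # VPN client pool
]

def home_next_hop(office_subnet, dst):
    return select_route(home_client_routes(office_subnet), dst).interface

def pfsense_next_hop(dst):
    return select_route(PFSENSE_ROUTES, dst).interface

def subnets_overlap(a, b):
    """The kind of check behind pfSense's warning that the VPN pool overlaps the LAN."""
    return ip_network(a).overlaps(ip_network(b))

if __name__ == "__main__":
    # Office still on 192.168.1.0/24: the connected LAN route wins and the packet never enters the tunnel.
    print(home_next_hop("192.168.1.0/24", "192.168.1.50"))
    # Office renumbered to 10.0.0.0/24: the office host is reached through the VPN adapter.
    print(home_next_hop("10.0.0.0/24", "10.0.0.100"))
    # The server's reply to the client's VPN address is sent back into the tunnel by pfSense.
    print(pfsense_next_hop("10.2.0.50"))
```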
