OpenVPN routing issue

esupportsquirrel

Hi everyone, I feel like my posts are all about networking issues, but it's my weak point. So here's the issue:

Current Network setup: Internet -> Pfsense (with OpenVPN) -> Unifi USG -> Network

 

I have everything running smoothly and correctly EXCEPT my OpenVPN. I can still connect (I had it previously set up) and properly access devices on the same subnet as the pfsense router BUT I want to forward ALL traffic of anyone who connects via OpenVPN straight on through and allow access to the Unifi USG's internal network. I know it's probably a simple stupid routing rule or something (most likely on the pfsense side) but I haven't figured out how to do it. Any thoughts?

I'm confused as to why you have a Unifi USG there. pfSense already acts as a router & firewall; you're creating a double NAT here, which is undesirable unless you put the Unifi USG in bridged mode.

13 minutes ago, Windows7ge said:

I'm confused as to why you have a Unifi USG there. pfSense already acts as a router & firewall; you're creating a double NAT here, which is undesirable unless you put the Unifi USG in bridged mode.

Oh, I have a specific plan and NAT isn't an issue (it has been fixed). It's basically because I plan on hosting several servers at home but want my internal network physically segregated (I could do it virtually, but it defeats many of my intended purposes).

27 minutes ago, esupportsquirrel said:

Oh, I have a specific plan and NAT isn't an issue (it has been fixed). It's basically because I plan on hosting several servers at home but want my internal network physically segregated (I could do it virtually, but it defeats many of my intended purposes).

Alrighty then. I don't have confidence in any of the answers I could provide you in regards to the issue at hand. It may be because I still don't fully understand what it is you're trying to do. I think I have an idea of what you're asking though, and it does sound like a simple routing issue, but at the same time, if you set up a static route, how would the router distinguish between traffic destined for the immediate network vs traffic going to the USG? A static route specifically for the OpenVPN service on pfSense I wouldn't know how to configure.

Basically I am trying to make my pfsense a transparent firewall but ONLY on the VPN interface. So that pfsense authenticates the VPN connection but once connected to VPN, everything immediately bypasses pfsense and all the VPN user sees is direct connectivity to the internal network as if they were not remote.

If you mean you want the OpenVPN client to get an address on the internal network (connected only to the USG), that is not possible. The pfsense would have to be given an IP address on your internal network as well (behind the USG) so that it could bypass it for the VPN clients. The problem is that then your internet would stop working for all of the other clients behind the USG, because the regular internet traffic would go out via the USG and come back in via the pfsense (since it would then have a direct route to the destination network, so it would prefer that to the path through the USG), and this triggers reverse path filtering protection, blocking the traffic.

 

I also don't understand the reason why you can't segment things virtually. Taking the USG out of the equation would fix everything. The only argument that I could see against that would be administrator control (ex. if you need to give other people access to manage the pfsense but not the USG).

 

If you do need to keep them separate like this, you have two options:

1. Continue to have the clients getting IPs on the pfsense network, but add a firewall rule on the USG to allow all traffic from those client IPs to the internal network. That way they would have access to the resources without actually being on the internal network.

2. Set up the VPN on the USG and do port forwarding for the VPN ports on the pfsense.
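
The routing argument in this answer, as an added example that is not part of the thread: a small longest-prefix-match model of the pfSense routing table showing why giving pfSense a second leg on the internal network makes the internal hosts' outbound path fail a strict reverse-path check, while option 1 (route the internal net via the USG, allow the VPN client subnet on the USG) keeps the path symmetric. All addresses, interface names and the USG rule format are assumptions made up for the model.

```python
import ipaddress

def lookup(table, addr):
    """Longest-prefix match over a list of (prefix, interface) pairs."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rpf_ok(table, src, ingress):
    """Strict uRPF: accept only if the route back to src leaves via the ingress interface."""
    return lookup(table, src) == ingress

# Constructed pfSense tables; every address here is an assumption, not from the thread.
#   wan: Internet            edge_lan: 10.0.0.0/24 link to the USG's WAN port
#   ovpn: 10.8.0.0/24 clients internal: 192.168.1.0/24, the LAN behind the USG
PFSENSE_VIA_USG = [
    ("0.0.0.0/0", "wan"),
    ("10.0.0.0/24", "edge_lan"),
    ("10.8.0.0/24", "ovpn"),
    ("192.168.1.0/24", "edge_lan"),   # static route: internal net reachable via the USG
]
# The "second leg" variant from the answer: pfSense gets a direct interface on the internal net.
PFSENSE_INTERNAL_LEG = PFSENSE_VIA_USG[:3] + [("192.168.1.0/24", "internal")]

# Constructed USG firewall: (src prefix, dst prefix) pairs allowed into the internal net (option 1).
USG_ALLOW_VPN = [("10.8.0.0/24", "192.168.1.0/24")]

def internal_egress_accepted(pfsense_table, host="192.168.1.50"):
    """Outbound packet from an internal host, routed (not NATed) by the USG, arrives on edge_lan."""
    return strict_rpf_ok(pfsense_table, host, "edge_lan")

def vpn_client_reaches_internal(pfsense_table, usg_rules, client="10.8.0.5", host="192.168.1.50"):
    """Option 1: pfSense must route the internal net via the USG, and the USG must allow it."""
    if lookup(pfsense_table, host) != "edge_lan":
        return False
    c, h = ipaddress.ip_address(client), ipaddress.ip_address(host)
    return any(c in ipaddress.ip_network(s) and h in ipaddress.ip_network(d) for s, d in usg_rules)

if __name__ == "__main__":
    print("egress via USG:", internal_egress_accepted(PFSENSE_VIA_USG))                 # True
    print("egress with internal leg:", internal_egress_accepted(PFSENSE_INTERNAL_LEG))   # False
    print("VPN client -> internal:", vpn_client_reaches_internal(PFSENSE_VIA_USG, USG_ALLOW_VPN))  # True
```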
