Ok, maybe I have a translation problem :)
Will try to read more carefully and describe it better.
>I read the whole thread before replying and the above line was my summary
>of what I thought you wanted to do. Are you saying you do not want traffic
>from win7 to go over the VPN?
Good, my misunderstanding. I just need Win7 to go over the VPN "on demand".
cut....
.........
>On win7: change the default gateway to pfsense (192.168.30.?)
>>This was and still is the case.
I meant that Win7 already has 192.168.30.1 as gateway.
>Unless that is also the IP of ipfsense which you did
>not mention.
Yes, it's also the IP of pfSense.
>If it is, what do you mean by "unable to change the GW
>properly"?
When changing it, the metric is always higher and/or I lose connectivity.
Or maybe I should delete the default and add the new one instead of having both?
>Do not get fixated by the on and off commands.
Point taken :)
>Once the routing starts
>working just make two bat files that changes the gateway on win7 and call
>them vpn_on.bat and vpn_off.bat or whatever, that's the easy part.
>Before that you have to set up the required routes on pfsense and NAT on the
>NAS
>or modem2.
>>What is not clear is existing route on win7 and whether you added a route
>>on pfsense for packets from win7 to go via the VPN. Only pfsense can route
>>the packets to NAS through the tunnel as those are the two connected by the
>>tunnel.
pfSense/OVPN already has/added the routes; it does so automatically when creating a server instance and/or creating CSO/client-specific overrides.
Or do I misunderstand again? It does, however, not have a route to Modem2-WAN-IP and I have not yet tried that.
After I got both LANs to see each other by MASQ on the NAS, I thought that I would only have to change the gateway to the VPN on Win7 so it would route through the NAS to Modem2 and out to the WAN.
LAN-to-LAN routing is working flawlessly, except of course using NAS->Modem2 as the exit point.
I hope it's not a problem to make a long post :)
### On Win7:
Netwerkadres     Netmasker        Gateway       Interface     Metric
0.0.0.0          0.0.0.0          192.168.30.1  192.168.30.9  21
127.0.0.0        255.0.0.0        On-link       127.0.0.1     306
127.0.0.1        255.255.255.255  On-link       127.0.0.1     306
127.255.255.255  255.255.255.255  On-link       127.0.0.1     306
192.168.30.0     255.255.255.0    On-link       192.168.30.9  276
192.168.30.9     255.255.255.255  On-link       192.168.30.9  276
192.168.30.255   255.255.255.255  On-link       192.168.30.9  276
224.0.0.0        240.0.0.0        On-link       127.0.0.1     306
224.0.0.0        240.0.0.0        On-link       192.168.30.9  276
255.255.255.255  255.255.255.255  On-link       127.0.0.1     306
255.255.255.255  255.255.255.255  On-link       192.168.30.9  276
### On pfS:
Destination     Gateway        Flags  Netif     Expire
default         192.168.11.10  UGS    re0
10.10.10.1      link#2         UHS    lo0
10.10.10.1/32   link#2         U      re1
localhost       link#6         UH     lo0
192.168.5.0     192.168.158.2  UGS    ovpns2
192.168.11.0    link#1         U      re0
192.168.11.11   link#1         UHS    lo0
192.168.20.0    link#2         U      re1
pfsense         link#2         UHS    lo0
192.168.30.0    link#7         U      re1_vlan
192.168.30.1    link#7         UHS    lo0
192.168.40.0    link#8         U      re1_vlan
192.168.40.1    link#8         UHS    lo0
192.168.148.0   192.168.148.1  UGS    ovpns3    # Remote Access TCP
192.168.148.1   link#11        UHS    lo0
192.168.148.2   link#11        UH     ovpns3
192.168.158.0   192.168.158.1  UGS    ovpns2    # Site-to-Site UDP
192.168.158.1   link#10        UHS    lo0
192.168.158.2   link#10        UH     ovpns2
192.168.168.0   192.168.168.1  UGS    ovpns1    # remote Access UDP
192.168.168.1   link#9         UHS    lo0
192.168.168.2   link#9         UH     ovpns1
### On NAS:
Destination    Gateway        Genmask          Flags Metric Ref Use Iface
0.0.0.0        192.168.5.1    0.0.0.0          UG    0      0   0   bond0
Modem1-WAN-IP  192.168.5.1    255.255.255.255  UGH   0      0   0   bond0
192.168.5.0    0.0.0.0        255.255.255.0    U     0      0   0   bond0
192.168.11.0   192.168.158.1  255.255.255.0    UG    0      0   0   tun0   # WAN side of pfS
192.168.20.0   192.168.158.1  255.255.255.0    UG    0      0   0   tun0   # LAN behind pfS
192.168.30.0   192.168.158.1  255.255.255.0    UG    0      0   0   tun0   # VLAN behind pfS
192.168.148.0  192.168.158.1  255.255.255.0    UG    0      0   0   tun0   # Remote access UDP, working fine
192.168.158.0  0.0.0.0        255.255.255.0    U     0      0   0   tun0   # Site-to-Site to which NAS is connected
192.168.168.0  192.168.158.1  255.255.255.0    UG    0      0   0   tun0   # Remote access TCP, working fine

ip_forward=1

target      prot opt in  out    source     destination
MASQUERADE  all  --  *   bond0  0.0.0.0/0  0.0.0.0/0    # manually added
MASQUERADE  all  --  *   tun0   0.0.0.0/0  0.0.0.0/0
# Generated by iptables-save v1.4.21 on Tue Aug 23 13:02:07 2016
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DEFAULT_POSTROUTING
-A POSTROUTING -j DEFAULT_POSTROUTING
-A DEFAULT_POSTROUTING -o bond0 -j MASQUERADE
-A DEFAULT_POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 23 13:02:07 2016
# Generated by iptables-save v1.4.21 on Tue Aug 23 13:02:07 2016
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:DEFAULT_FORWARD
:DEFAULT_INPUT
:DOS_PROTECT
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A DEFAULT_FORWARD -s 192.168.0.0/16 -j ACCEPT
-A DEFAULT_FORWARD -s WAN-IP-Modem1/32 -j ACCEPT
-A DEFAULT_INPUT -i lo -j ACCEPT
-A DEFAULT_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DEFAULT_INPUT -s 192.168.0.0/16 -j ACCEPT
-A DEFAULT_INPUT -s WAN-IP-Modem1/32 -j ACCEPT
-A DEFAULT_INPUT -i bond0 -j DROP
#.... removed irrelevant DOS PROTECT entries
COMMIT
# Completed on Tue Aug 23 13:02:07 2016
Thanks.
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
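A worked check for the Win7 half of the thread, added here as an example and not taken from the poster, from OpenVPN or from pfSense: it reads a Windows IPv4 route table (the Win7 table above, re-flowed as constructed input), selects routes the way the stack does (longest prefix first, then lowest metric) and shows what happens when a second default route is added with a higher or a lower metric than the existing one. The "VPN on" gateway 192.168.30.254 and the 8.8.8.8 probe address are assumptions for the example, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Win7 'route print' IPv4 table from the thread,
# one row per route (destination, netmask, gateway, interface, metric).
WIN7_ROUTE_PRINT = """
0.0.0.0          0.0.0.0          192.168.30.1  192.168.30.9  21
127.0.0.0        255.0.0.0        On-link       127.0.0.1     306
127.0.0.1        255.255.255.255  On-link       127.0.0.1     306
127.255.255.255  255.255.255.255  On-link       127.0.0.1     306
192.168.30.0     255.255.255.0    On-link       192.168.30.9  276
192.168.30.9     255.255.255.255  On-link       192.168.30.9  276
192.168.30.255   255.255.255.255  On-link       192.168.30.9  276
224.0.0.0        240.0.0.0        On-link       127.0.0.1     306
224.0.0.0        240.0.0.0        On-link       192.168.30.9  276
255.255.255.255  255.255.255.255  On-link       127.0.0.1     306
255.255.255.255  255.255.255.255  On-link       192.168.30.9  276
"""

# Hypothetical second router on the Win7 VLAN used for the "VPN on" state.
# The thread gives no such address; this is a placeholder for the example.
VPN_GATEWAY = "192.168.30.254"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None for an On-link (directly connected) route
    interface: str
    metric: int


def parse_windows_routes(text: str) -> List[Route]:
    """Parse the five-column body of a Windows IPv4 route table."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                    # skip headers and wrapped fragments
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, None if gw == "On-link" else gw, iface, int(metric)))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route the stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries, best (lowest metric) first."""
    return sorted((r for r in routes if r.network.prefixlen == 0), key=lambda r: r.metric)


def effective_gateway(routes: List[Route], probe: str = "8.8.8.8") -> Optional[str]:
    """Next hop actually used for an Internet destination, i.e. the real VPN on/off state."""
    r = select_route(routes, probe)
    return r.gateway if r else None


def with_default(routes: List[Route], gateway: str, metric: int) -> List[Route]:
    """Copy of the table with one extra default route, as 'route add' would leave it."""
    via = select_route(routes, gateway)        # the gateway must itself be on-link
    if via is None or via.gateway is not None:
        raise ValueError(f"{gateway} is not directly reachable from this host")
    extra = Route(ipaddress.IPv4Network("0.0.0.0/0"), gateway, via.interface, metric)
    return routes + [extra]


def vpn_switch_commands(gateway: str, metric: int) -> dict:
    """Standard Windows 'route' commands for a vpn_on.bat / vpn_off.bat pair."""
    return {
        "on": f"route add 0.0.0.0 mask 0.0.0.0 {gateway} metric {metric}",
        "off": f"route delete 0.0.0.0 mask 0.0.0.0 {gateway}",
    }


if __name__ == "__main__":
    base = parse_windows_routes(WIN7_ROUTE_PRINT)
    print("baseline egress:", effective_gateway(base))
    worse = with_default(base, VPN_GATEWAY, 30)   # higher metric than 21: ignored
    print("with metric 30:", effective_gateway(worse),
          [(r.gateway, r.metric) for r in default_routes(worse)])
    better = with_default(base, VPN_GATEWAY, 1)   # lower metric: takes over
    print("with metric 1: ", effective_gateway(better))
    print(vpn_switch_commands(VPN_GATEWAY, 1))
```

Two points the run makes visible: having two default routes is not itself a problem, the stack simply keeps using the one with the lower metric, so a "VPN on" default that lands with a worse metric is silently ignored and traffic keeps leaving the normal way; and the Metric column in `route print` is the route's own metric plus the interface metric, so the number shown is larger than the value passed to `route add`. Checking `effective_gateway()` (or, on the real host, the top line of `route print`) after each switch is the way to confirm which state the machine is actually in.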