pfSense VM doesn't detect passed-through NIC



So I am connecting to the internet using my onboard gigabit NIC, which I passed through as a virtual bridge, and it is detected just fine. I have a 2.5 gigabit PCIe network adapter for LAN, and the 2.5 NIC isn't detected. BTW, the activity LEDs on the NIC are off and they turn on when I start the VM.

Here are my IOMMU groups:

PCI Devices and IOMMU Groups

Warning: Your system has booted with the PCIe ACS Override setting enabled. The below list doesn't not reflect the way IOMMU would naturally group devices.
To see natural IOMMU groups for your hardware, go to the VM Manager page and set the PCIe ACS override setting to Disabled.

IOMMU group 0: [1022:1452] 00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 1: [1022:1453] 00:01.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) PCIe GPP Bridge
IOMMU group 2: [1022:1453] 00:01.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) PCIe GPP Bridge
IOMMU group 3: [1022:1452] 00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 4: [1022:1452] 00:03.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 5: [1022:1453] 00:03.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) PCIe GPP Bridge
IOMMU group 6: [1022:1452] 00:04.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 7: [1022:1452] 00:07.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 8: [1022:1454] 00:07.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Internal PCIe GPP Bridge 0 to Bus B
IOMMU group 9: [1022:1452] 00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
IOMMU group 10: [1022:1454] 00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Internal PCIe GPP Bridge 0 to Bus B
IOMMU group 11: [1022:790b] 00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 59)
    [1022:790e] 00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51)
IOMMU group 12: [1022:1460] 00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 0
    [1022:1461] 00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 1
    [1022:1462] 00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 2
    [1022:1463] 00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 3
    [1022:1464] 00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 4
    [1022:1465] 00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 5
    [1022:1466] 00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 6
    [1022:1467] 00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 7
IOMMU group 13: [144d:a80a] 01:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller PM9A1/980PRO
    [N:0:6:1]  disk  Samsung SSD 980 PRO 1TB__1  /dev/nvme0n1  1.00TB
IOMMU group 14: [1022:43d0] 02:00.0 USB controller: Advanced Micro Devices, Inc. [AMD] Device 43d0 (rev 01)
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 002: ID 18a5:0302 Verbatim, Ltd Flash Drive
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
IOMMU group 15: [1022:43c8] 02:00.1 SATA controller: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset SATA Controller (rev 01)
    [1:0:0:0]  disk  ATA  ST12000NE0007-2G EN01  /dev/sdb  12.0TB
    [2:0:0:0]  disk  ATA  TOSHIBA MG07ACA1 0101  /dev/sdc  12.0TB
    [3:0:0:0]  disk  ATA  TOSHIBA HDWD130  ACF0  /dev/sdd  3.00TB
    [4:0:0:0]  disk  ATA  WDC WD10EZEX-00B 1A01  /dev/sde  1.00TB
    [5:0:0:0]  disk  ATA  TOSHIBA MG07ACA1 0101  /dev/sdf  12.0TB
IOMMU group 16: [1022:43c6] 02:00.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Bridge (rev 01)
IOMMU group 17: [1022:43c7] 03:00.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
IOMMU group 18: [1022:43c7] 03:02.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
    [10ec:8125] 05:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 04)
IOMMU group 19: [1022:43c7] 03:03.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
IOMMU group 20: [1022:43c7] 03:04.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
    [1b21:1242] 07:00.0 USB controller: ASMedia Technology Inc. ASM1142 USB 3.1 Host Controller
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
IOMMU group 21: [1022:43c7] 03:06.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
IOMMU group 22: [1022:43c7] 03:07.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
    [8086:1539] 09:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)
IOMMU group 23: [1022:43c7] 03:09.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
IOMMU group 24: [1002:6759] 0b:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Turks PRO [Radeon HD 6570/7570/8550 / R5 230]
IOMMU group 25: [1002:aa90] 0b:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Turks HDMI Audio [Radeon HD 6500/6600 / 6700M Series]
IOMMU group 26: [1022:145a] 0c:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Zeppelin/Raven/Raven2 PCIe Dummy Function
IOMMU group 27: [1022:1456] 0c:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Platform Security Processor
IOMMU group 28: [1022:145f] 0c:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Zeppelin USB 3.0 Host controller
    Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
IOMMU group 29: [1022:1455] 0d:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Zeppelin/Renoir PCIe Dummy Function
IOMMU group 30: [1022:7901] 0d:00.2 SATA controller: Advanced Micro Devices, Inc. [AMD] FCH SATA Controller [AHCI mode] (rev 51)
IOMMU group 31: [1022:1457] 0d:00.3 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) HD Audio Controller

I had to set PCIe ACS override to multifunction in order to get it to split the network adapter into a different group.

Unraid OS flash config:

kernel /bzimage
append vfio-pci.ids=10ec:8125 pcie_acs_override=multifunction initrd=/bzroot

VM XML template and screenshot:

<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm'>
  <name>pfsense virual adapter</name>
  <uuid>bf242d42-a4c6-b714-7d68-c089b7bddf6a</uuid>
  <metadata>
    <vmtemplate xmlns="unraid" name="FreeBSD" icon="freebsd.png" os="freebsd"/>
  </metadata>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memoryBacking>
    <nosharepages/>
  </memoryBacking>
  <vcpu placement='static'>4</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='5'/>
    <vcpupin vcpu='1' cpuset='13'/>
    <vcpupin vcpu='2' cpuset='7'/>
    <vcpupin vcpu='3' cpuset='15'/>
  </cputune>
  <os>
    <type arch='x86_64' machine='pc-q35-2.6'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram>/etc/libvirt/qemu/nvram/bf242d42-a4c6-b714-7d68-c089b7bddf6a_VARS-pure-efi.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
    <topology sockets='1' dies='1' cores='2' threads='2'/>
    <cache mode='passthrough'/>
    <feature policy='require' name='topoext'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/local/sbin/qemu</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback'/>
      <source file='/mnt/user/domains/pfsense/vdisk1.img'/>
      <target dev='hdc' bus='virtio'/>
      <boot order='1'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
    </controller>
    <controller type='sata' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'/>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x12'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x13'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0x14'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
    </controller>
    <interface type='bridge'>
      <mac address='4c:ed:fb:77:50:eb'/>
      <source bridge='br0'/>
      <model type='virtio-net'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' websocket='-1' listen='0.0.0.0' keymap='en-us'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
    </hostdev>
    <memballoon model='none'/>
  </devices>
</domain>

(screenshot of the VM template)

Unraid network config:

(screenshot)

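One way to sanity-check the IOMMU listing above before binding a device to vfio-pci, as an added example that is not part of the original post and not Unraid's own code: it parses the listing format Unraid prints, reports which devices share the RTL8125's group, and shows why binding by `vfio-pci.ids` can capture more than one card. The excerpt of the listing is constructed from the groups quoted above.

```python
"""Check whether a PCI device sits alone in its IOMMU group (a VFIO precondition).
Added example; parses the Unraid-style "PCI Devices and IOMMU Groups" listing.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the listing quoted in the thread (groups 17, 18, 22).
SAMPLE_LISTING = """\
IOMMU group 17: [1022:43c7] 03:00.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
IOMMU group 18: [1022:43c7] 03:02.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
    [10ec:8125] 05:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 04)
IOMMU group 22: [1022:43c7] 03:07.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 400 Series Chipset PCIe Port (rev 01)
    [8086:1539] 09:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)
"""

GROUP_RE = re.compile(r"^IOMMU group (\d+):")
# [vendor:device] bus:slot.func  class: description
DEVICE_RE = re.compile(
    r"\[([0-9a-f]{4}):([0-9a-f]{4})\]\s+([0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+([^:]+):\s*(.*)$"
)


@dataclass
class PciDevice:
    group: int
    vendor: str
    device: str
    bdf: str
    pci_class: str
    description: str

    @property
    def vendor_device(self):
        return f"{self.vendor}:{self.device}"

    @property
    def is_bridge(self):
        # Bridges and root ports in the group are harmless; other endpoints are not.
        return "bridge" in self.pci_class.lower()


def parse_iommu_listing(text):
    """Return PciDevice entries; disk and USB sub-lines do not match and are skipped."""
    devices, group = [], None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group = int(m.group(1))
            line = line[m.end():]
        dm = DEVICE_RE.search(line)
        if dm and group is not None:
            vendor, device, bdf, cls, desc = dm.groups()
            devices.append(PciDevice(group, vendor, device, bdf, cls.strip(), desc.strip()))
    return devices


def passthrough_report(devices, bdf):
    """Describe how isolated one device address is within its IOMMU group."""
    target = next((d for d in devices if d.bdf == bdf), None)
    if target is None:
        raise KeyError(f"{bdf} not present in listing")
    siblings = [d for d in devices if d.group == target.group and d.bdf != bdf]
    blocking = [d.bdf for d in siblings if not d.is_bridge]
    # vfio-pci.ids= matches by vendor:device, so any other card with the same ID
    # would be bound too and taken away from the host. Flag those as well.
    same_id = [d.bdf for d in devices if d.vendor_device == target.vendor_device and d.bdf != bdf]
    return {
        "group": target.group,
        "vendor_device": target.vendor_device,
        "siblings": [d.bdf for d in siblings],
        "blocking": blocking,
        "also_captured_by_id": same_id,
        "isolated": not blocking,
    }


def vfio_ids_kernel_arg(devices, bdfs):
    """Build the vfio-pci.ids= token in the form used on the syslinux append line above."""
    ids = []
    for d in devices:
        if d.bdf in bdfs and d.vendor_device not in ids:
            ids.append(d.vendor_device)
    return "vfio-pci.ids=" + ",".join(ids)
```

Run `passthrough_report(parse_iommu_listing(SAMPLE_LISTING), "05:00.0")` to see that the RTL8125 shares group 18 only with its root port, which is what the ACS override above achieved.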
29 minutes ago, Ford Prefect said:

...it's a virtual NIC, hence it is not passed through in that sense...it is attached to a network bridge on Unraid.

Running a firewall like pfSense with virtual NIC(s) instead of physical one(s), especially for WAN, is a big mistake and is calling for trouble.

I have 2 NICs, the onboard and the PCIe.
Only the onboard for the WAN is virtual; the LAN is passed through.


...if the NIC model is supported under FreeBSD, then try running another PCI bridge mode (edit: this is called the "machine" in the VM template, I think) and BIOS in the VM template. Maybe start with legacy, non-UEFI BIOS (SeaBIOS) and PCH 44 or similar

Sent from my SM-G780G using Tapatalk

1 hour ago, Ford Prefect said:

...if the NIC model is supported under FreeBSD, then try running another PCI bridge mode and BIOS in the VM template. Maybe start with legacy, non-UEFI BIOS (SeaBIOS) and PCH 44 or similar



 

OK, so I made a FreeBSD VM and I can see it.

(screenshot)

This is the NIC, but I found from amazon.com reviews that it's not compatible with FreeBSD.

But I found drivers on the Realtek website for FreeBSD 7 and 8 and I am trying to get them to work.

1 hour ago, Ford Prefect said:

OK, looks nice...glad you solved it...nevertheless, running WAN via a vNIC in your main firewall is not a good thing to do.

So is the correct way to get another NIC and pass it in for WAN, and have my LAN on the 2.5Gb port?

If I do this, can I connect my Unraid server to the LAN through a virtual NIC so I can use the full 2.5Gb rather than connecting it to the LAN through the mobo gigabit?


The best next option, besides running a dedicated, non-virtual pfSense box, is to have all NICs physically passed through to the pfSense VM.

 

11 minutes ago, technomancer__ said:

So is the correct way to get another NIC and pass it in for WAN, and have my LAN on the 2.5Gb port?

If I do this, can I connect my Unraid server to the LAN through a virtual NIC so I can use the full 2.5Gb rather than connecting it to the LAN through the mobo gigabit?

pfSense is for routing and firewall.

Hence it should at least have two NICs passed through (maybe a third for a DMZ)...one for WAN to your ISP(-modem) and one for LAN.

The NIC dedicated in the pfSense for LAN should go into a physical switch.

When adding another NIC (for WAN), the one for LAN should be your 1Gbps on-board NIC.

There is no need to use a higher speed than 1Gbps NIC for LAN in pfSense unless either

  • your WAN (ISP) is above a 1Gbps connection
  • you want to route internally, like inter-(V)LAN routing, between clients on different networks.

You then connect Unraid with its dedicated NIC to the physical switch as well.

Should you wish to use the 2.5G for Unraid, your switch should support that.

As a hybrid solution, with only your two onboard NICs, you could go with:

  • use the 1Gbps NIC for WAN, physically passed through to the pfSense VM
  • use the 2.5G NIC for LAN/Unraid...configure this as a bridge (even enable VLANs, if you wish), AND connect it to the physical switch.
    This is the only option to provide 2.5G for clients in your network
  • connect the LAN port of the pfSense VM via virtio to the Unraid bridge; use this IP as default gateway.

 

4 hours ago, Ford Prefect said:

The best next option, besides running a dedicated, non-virtual pfSense box, is to have all NICs physically passed through to the pfSense VM.

 

pfSense is for routing and firewall.

Hence it should at least have two NICs passed through (maybe a third for a DMZ)...one for WAN to your ISP(-modem) and one for LAN.

The NIC dedicated in the pfSense for LAN should go into a physical switch.

When adding another NIC (for WAN), the one for LAN should be your 1Gbps on-board NIC.

There is no need to use a higher speed than 1Gbps NIC for LAN in pfSense unless either

  • your WAN (ISP) is above a 1Gbps connection
  • you want to route internally, like inter-(V)LAN routing, between clients on different networks.

You then connect Unraid with its dedicated NIC to the physical switch as well.

Should you wish to use the 2.5G for Unraid, your switch should support that.

As a hybrid solution, with only your two onboard NICs, you could go with:

  • use the 1Gbps NIC for WAN, physically passed through to the pfSense VM
  • use the 2.5G NIC for LAN/Unraid...configure this as a bridge (even enable VLANs, if you wish), AND connect it to the physical switch.
    This is the only option to provide 2.5G for clients in your network
  • connect the LAN port of the pfSense VM via virtio to the Unraid bridge; use this IP as default gateway.

 

Thanks, the hybrid solution worked great.
I just wanted to build a functioning network for my dorm, that's it. The 2.5G NIC is connected to my laptop and I can now access both my server and the internet.

Another reason I wanted this is to be able to re-route some stuff like Plex on my OVPN server back home so my brothers can watch.


When at a dorm, most likely the WAN connection will stay tied to that MAC address. I found this to be the default behaviour at many sites when I stayed there during my university time....which is a couple of years back, but these things tend to be resilient to change.

With the WAN NIC passed through, you are at least not as vulnerable as with your initial setup.

Whether you can provide services to others outside will depend on how the real WAN setup is designed by your dorm administrator.
Most likely you are in a double-NAT situation, where this will not be as easy as with the regular setups. Look into using an external VPN service for you and your friends, if this is the case.


On 10/19/2021 at 5:44 PM, Ford Prefect said:

When at a dorm, most likely the WAN connection will stay tied to that MAC address. I found this to be the default behaviour at many sites when I stayed there during my university time....which is a couple of years back, but these things tend to be resilient to change.

With the WAN NIC passed through, you are at least not as vulnerable as with your initial setup.

Whether you can provide services to others outside will depend on how the real WAN setup is designed by your dorm administrator.
Most likely you are in a double-NAT situation, where this will not be as easy as with the regular setups. Look into using an external VPN service for you and your friends, if this is the case.


OK, now I've got:

local LAN 192.168.1.0/24

home LAN 192.168.0.0/24 (got OpenVPN running on an Ubuntu server at home)

I want to connect those networks so I can access my home network's resources, let my family access my resources, and forward Plex and Nextcloud from there.

 

As of now I managed to connect to my VPN server:

(screenshot)

create a gateway:

(screenshot)

make my interface:

(screenshot)

set up my static route:

(screenshot)

added a default allow-to-any rule for home:

(screenshot)

But it's not working.

Any ideas?

6 hours ago, technomancer__ said:
OK, now I've got:
local LAN 192.168.1.0/24
home LAN 192.168.0.0/24 (got OpenVPN running on an Ubuntu server at home)
I want to connect those networks so I can access my home network's resources, let my family access my resources, and forward Plex and Nextcloud from there.

 


OK, so the WAN IP of your pfSense at your dorm is a non-public IP, right?
And you're going to use the OVPN server at your home as the Internet edge point and a site-to-site connection between your home and local pfSense installations.

....that should work.
 

 

 

Quote:
As of now I managed to connect to my VPN
But it's not working
Any ideas?



So, both VPN links are up and running.
What exactly is not working?

What IPs in which networks (local/dorm, remote/home and OVPN/transition) are you able to ping from a client in your local network?

Home pfSense (192.168.1.1)?
Other hosts in your home network (192.168.1.xx)?

What IPs are others in your family able to ping when connected to your home OVPN server?
Best guess, as this is the typical mistake in a site-to-site setup: both sites need a route defined to the respective remote network.
So the pfSense at home needs the route to your local net (192.168.1.0/24) as well when your local/dorm client connects.

Also, this route needs to be populated to the other OVPN clients, should they not use the OVPN server IP as new default route when connected.

Family clients are mobile/edge, not site-to-site, but your local OVPN client is.





9 hours ago, Ford Prefect said:

OK, so the WAN IP of your pfSense at your dorm is a non-public IP, right?
And you're going to use the OVPN server at your home as the Internet edge point and a site-to-site connection between your home and local pfSense installations.

....that should work.

Yeah, the WAN port is connected to the dorm's network.

9 hours ago, Ford Prefect said:

So, both VPN links are up and running.
What exactly is not working?

What IPs in which networks (local/dorm, remote/home and OVPN/transition) are you able to ping from a client in your local network?

Home pfSense (192.168.1.1)?
Other hosts in your home network (192.168.1.xx)?

What IPs are others in your family able to ping when connected to your home OVPN server?
Best guess, as this is the typical mistake in a site-to-site setup: both sites need a route defined to the respective remote network.
So the pfSense at home needs the route to your local net (192.168.1.0/24) as well when your local/dorm client connects.

Also, this route needs to be populated to the other OVPN clients, should they not use the OVPN server IP as new default route when connected.

Family clients are mobile/edge, not site-to-site, but your local OVPN client is.

So my home network is just a standard ISP router and an arm64 Ubuntu server running OpenVPN. From the home server I just generated an .ovpn file that I opened and imported into the pfSense OVPN client here. The home network is 192.168.0.0/24.

Here I have my Unraid server with the pfSense VM. The integrated gigabit port is passed through and used as a WAN port connected to the dorm internet. Then I have my LAN port, which is a virtual adapter bridged with the actual adapter, that has the network 192.168.1.0/24.

 

I am not able to ping anything on the home network.

46 minutes ago, technomancer__ said:

I am not able to ping anything on the home network.

When the OVPN client in your local pfSense states that it is connected to the home OVPN server, at least you should be able to ping the OVPN server IP when originating the ping from inside your pfSense.

 

For all other routes, you need to set these up on both sites. Also populate the routes of either side to the OVPN clients.

8 hours ago, Ford Prefect said:

When the OVPN client in your local pfSense states that it is connected to the home OVPN server, at least you should be able to ping the OVPN server IP when originating the ping from inside your pfSense.

Here's the IP I get:

(screenshot)

And here's me pinging them:

(screenshot)

BTW, I don't know why, but after I added the gateway by pressing this:

(screenshot)

I lose my internet connection. So for the time being I have the OpenVPN service disabled. Also I can't delete the gateway, and if I do, by removing the interface and re-adding it, it comes back, because there is no way to un-press the gateway creation button. But I shouldn't lose my connection; it doesn't make sense, since my WAN is my default gateway and my only static route is the one above.

(screenshot)

8 hours ago, Ford Prefect said:

For all other routes, you need to set these up on both sites. Also populate the routes of either side to the OVPN clients.

Since at home I am not running OVPN on pfSense, just on Linux, don't I do it from the tunnel settings of the client here in my local pfSense?

(screenshot)


...the respective external IPs you can always ping, of course.
I was referring to the internal IPs here: local/dorm, home and OVPN/transition.

You should be able to ping the gateway IP of each remote interface when using the local gateway IP as source.
That is the first, basic thing you need to be able to establish.
Then start using other clients in the respective network to ping remote IPs, gateways and other clients...to test routes.

Yes, in your home config, without a pfSense, networks and routing/routes pushed/published need to be configured in the OVPN server config.

...it's hard to quote your message via Tapatalk here, on my small phone, sorry.
You need to get your head around the way interfaces, gateways and routing work across IP networks, and from the different perspectives of a client and a gateway. This is independent of the tools/parts used...when you know how your logical setup works, transfer the concept to the individual setup of pfSense and OVPN client and server.
Maybe start by drawing a diagram, with interfaces, IPs, routes...then walk yourself through what paths a packet will take and what routes and gateways apply when doing a ping from A to B.
Remember that for an IP connection, even for a single packet like a ping, you need a path from source IP to destination IP *and* a return path back from destination to source, on the destination site. This applies to all networks involved on the paths.

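A way to walk through that last point (forward path and return path on both sites) for the two networks in this thread, as an added example that is not part of any post: a small longest-prefix-match routing model traces a ping from a dorm client to a home host and back, first with only the dorm-side static route the OP added, then with the home-side routes in place. The prefixes 192.168.1.0/24 and 192.168.0.0/24 come from the thread; the host addresses, the 10.8.0.0/24 tunnel subnet, the 172.16.5.x dorm uplink and the 198.51.100.1 ISP next hop are constructed.

```python
"""Trace forward and return paths through the dorm/home site-to-site routes.
Added example, not from the thread: the node names, host IPs and tunnel
subnet below are constructed; only the two LAN prefixes are the OP's.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    addrs: set        # IP addresses this node owns
    routes: list      # (prefix, next_hop); next_hop None = directly connected


def lookup(node, dst):
    """Longest-prefix match. Returns ('connected', None), ('via', ip) or ('none', None)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in node.routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return "none", None
    return ("connected", None) if best[1] is None else ("via", best[1])


def trace(nodes, src, dst, max_hops=10):
    """Follow dst from the node owning src; returns (node names visited, outcome)."""
    owner = {ip: n for n in nodes for ip in n.addrs}
    cur, path = owner[src], [owner[src].name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path, "delivered"
        kind, hop = lookup(cur, dst)
        if kind == "none":
            return path, f"no route on {cur.name}"
        target = dst if kind == "connected" else hop
        nxt = owner.get(target)
        if nxt is None:   # next hop is not modelled, e.g. the ISP side of the home router
            return path, f"{cur.name} sent it to {target}, outside both sites"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded"


def round_trip(nodes, a, b):
    """A ping needs both directions delivered (the point made in the thread)."""
    return trace(nodes, a, b)[1] == "delivered" and trace(nodes, b, a)[1] == "delivered"


def build_topology(home_routes_added):
    """Dorm client -> dorm pfSense (OpenVPN client) -> home OpenVPN server -> home LAN."""
    dorm_client = Node("dorm_client", {"192.168.1.50"},
                       [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    dorm_pf = Node("dorm_pfsense", {"192.168.1.1", "10.8.0.2", "172.16.5.7"},
                   [("192.168.1.0/24", None), ("10.8.0.0/24", None),
                    ("192.168.0.0/24", "10.8.0.1"),      # the static route added in pfSense
                    ("0.0.0.0/0", "172.16.5.1")])        # dorm uplink (not modelled)
    home_ovpn = Node("home_ovpn", {"192.168.0.10", "10.8.0.1"},
                     [("192.168.0.0/24", None), ("10.8.0.0/24", None),
                      ("0.0.0.0/0", "192.168.0.1")])
    home_router = Node("home_router", {"192.168.0.1"},
                       [("192.168.0.0/24", None), ("0.0.0.0/0", "198.51.100.1")])
    home_host = Node("home_host", {"192.168.0.20"},
                     [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")])
    if home_routes_added:
        # On the OpenVPN server: 'route 192.168.1.0 255.255.255.0' in the server config
        # plus 'iroute 192.168.1.0 255.255.255.0' in the pfSense client's ccd entry.
        home_ovpn.routes.append(("192.168.1.0/24", "10.8.0.2"))
        # On the ISP router (or on every home host): static route to the dorm LAN via the server.
        home_router.routes.append(("192.168.1.0/24", "192.168.0.10"))
    return [dorm_client, dorm_pf, home_ovpn, home_router, home_host]
```

Without the home-side routes the forward trace is delivered but the reply leaves through the home router's ISP side, which is exactly the symptom of a tunnel that is "up" while nothing on the far LAN answers.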