VMNerd Tech Tips was created to help visual learners by offering FREE step-by-step learning tutorials on topics that can get complicated fast. The goal of the tutorials is to provide high-quality content with real-world tips and examples for real-world use cases. VMNerd tutorials leverage software that is typically FREE or reasonably inexpensive for everyone and can be downloaded from the creators' or manufacturers' websites. VMNerd Tech Tips is always interested in learning something new, so feel free to drop a line or two and share your thoughts, and if you have a topic that others may enjoy, share that as well.
Hi VMNerd, I have encountered a problem with one of my new VPN clients. The main branch has established connections with site 1 and site 2. My problem is that I cannot ping my site 2 while I can ping my site 1. When I try to ping my site 2 it says "TTL Expired in Transit". Can you help me please? Thanks in advance.
For whoever needs this! If you cannot ping/route between your various LAN networks, make sure to go onto each pfSense console and assign the interface IP again, even after you've set up the full IPsec VPN tunnels. Then make sure to disconnect the IPsec VPN tunnel and reconnect it. In my case I followed this tutorial step by step but had my LAN interface IP set to /32 somehow. When I changed it to the correct /24 and reconnected the IPsec VPN tunnel in the web GUI, it all started working. Thanks @vmnerd for a fantastic tutorial!
Thanks for sharing this video. I'm using this to save bandwidth and it works for HTTP; however, I want to cache SSL/HTTPS (Facebook and YouTube videos etc.). Is there any way to avoid installing the certificate on every device? Thanks.
That's one of the better how-to videos I've ever seen so far. Maybe adding a part on how to use RSA certificates would make it even more unique. Thanks for sharing. Well done!
Thanks for the video, this is a great how-to on configuring cache settings. I have a lot going on with my network, including web servers under LAGG and LACP. So far, after following your setup in this video, I don't see any conflicting issues with my current web servers and them running their own personal SSL certificates.
I'm having a weird issue. Internally I can access the applications through the reverse proxy but externally (internet) I cannot access and I get a connection timed out error.
@VMNerd I found out what it was. I accidentally had a rule in the port forward settings that was allowing traffic to another part of my network. For some reason port forward rules override firewall rules, and once I deleted that it was all good.
I might be able to do something ... Simply put, I use a combination of VMware Workstation, VMware ESX and rented virtual private servers. It just depends on the application. I have been looking at a tool like EVENG.
I'm researching renting servers in order to set up labs like yours to practice on. Is there anything you would recommend based on experience? Also, to give me an idea, how much $$ should I put away a year/a month?
I think this warrants a video to review my lab setup. There are so many options out there, and finding a setup for all of us techie folks can be a challenge when on a budget. I spent a few thousand dollars on my laptop and SSD drives, and on a monthly basis I spend about $10 - $20 a month on cloud services like virtual private servers. I am always looking for other ways to save and improve my lab and testing infrastructure. Thank you for your questions ...
You say that you have a port 4002 predefined when doing the backend piece but never explained where that port was predefined or how that was done. Am I missing something here?
I personally like OpenVPN, just a preference. IPsec may require tuning when using certain types of applications, like syncing Active Directory between multiple locations. I like to keep it simple.
Hello, I'm getting a bunch of loopback errors in the logs with pfSense running on ESXi: vmx1: a looped back NS message is detected during DAD for fe80:2::250:56ff:feb2:55e8. Another DAD probes are being sent. Can you please help?
Every once in a while the VM just does not install correctly. Try reinstalling and follow the wizard to set up your interfaces. Make sure you install all the vNICs before you install pfSense. Sometimes they get out of order based on type after install.
Great video, thank you. I however cannot get it to work; I am sure it's a firewall issue. I am just a little confused on the external client, what is that? Does the WAN IP need to be private? Do I need to have a cloud server with a static IP in order for this to work? Any help would be much appreciated. Chad
@VMNerd thanks, I got it working. Are you going to do a follow-up video on drive.example.com and some of the subdomains you had us create? You put out some awesome content; you must be pretty busy with your day job. I can't speak for everyone, but I know I am anxiously awaiting.
Hi! Thank you for the video. The problem I have though is that when I add an AD group under Administration/Access Control/Global Permissions, and I put myself in that group (in AD directly), I can connect, but if I remove myself (still in AD) from that group (a group that is still in Global Permissions but with no one in it), I can still connect! I can't do much as some of the windows are grayed out, but I'm still able to connect... Do you have any ideas please?
Greetings friend, and thanks for the video. I have a question: how do I display the remaining connected time for a user on the captive portal in pfSense (Wi-Fi keys but with VOUCHERS), so that it shows them something like "Your remaining time is: 8 minutes and 10 seconds"? I can't find a solution on the pfSense forums. I hope you can help me; I would be immensely grateful. (I use pfSense version 2.4.4 p3.)
Hi VMNerd team, I am using pfSense as a firewall and I am having an issue with unbound DNS. It stopped working and I have this error message: The generated config file cannot be parsed by unbound. Please correct the following errors: /var/unbound/test/unbound_server.pem: No such file or directory [1575213668] unbound-checkconf[65410:0] fatal error: server-cert-file: "/var/unbound/test/unbound_server.pem" does not exist. Can you please help me fix the issue? Thank you, Chrismond
Hey Chris, check and validate that the SSL certificate you are trying to bind to is in the local CA section. If not, check and see if you can generate a new one using the ACME plugin.
Hi VMNerd, up to now I'm using a Debian machine to do all my routing and OpenVPN site-to-site, but I'm running into huge networking performance issues. Hence I've been reading up and I'm going to try using pfSense instead. I've read a lot about LRO and TRO; I was wondering if you knew anything about this. On this kind of setup, with the ESX host being the remote I want to connect to via site-to-site OpenVPN, have you run into this scenario where even though you have a gigabit connection the routing eats it up and all I get is 30-40 Mbit? Thanks in advance!
I have not put much research into this as I do have enough data going through my systems that create that type of issue. I am assuming TCP Segmentation Offload and Large Receive Offload is what you are talking about in VMware. In VMware you still have hardware limits that could be bogging down your system and not giving the desired throughput. I am interested in learning more about your scenario; please reply with some steps for me to try and recreate what you are seeing.
Do you know how we can configure site-to-site with multi-WAN? For example, I have 2 WAN links at site 1 and 2 WAN links at site 2. I'm trying to set up multi-WAN for IPsec failover.
I do not know how to set it up with multi-WAN, but I am assuming you can use route metrics to control which path is used; then if one goes down the other can take over ...
Good instructional video. Off topic, but I would like to ask how to configure this scenario: existing nodes connected through Endian OpenVPN. Now I would like another layer of VPN with pfSense. The packets should go through Endian VPN > pfSense VPN to the internet. Any idea?
I think your biggest issue will be MTU inside the encapsulated tunnel and the devices that use it, but it should be doable. Might I ask why you want to route through another VPN inside a VPN? I am trying to envision a use case.
@VMNerd Just a wild idea that it may add more security. I have not set it up yet. Perhaps it is similar to site-to-site VPN; I don't know much technical detail. Thanks for the reply.
Great video and just what I was looking for; however, I have an issue. Since I don't use Google Domains, how do I find the similar thing in cPanel? I.e. I have my own domain and a static IP from my ISP.
In the video I used Google Domains, but there are other options for DNS entries. Just check the pull-down and find one that matches your hosting environment. The one you are looking for will be whoever your registrar for DNS is. I will look in the AM for cPanel support; it might work.
VMNerd, is it possible to make a bridge with an IPsec tunnel? HQ has the VoIP server and a DHCP server. The branch connects via the IPsec tunnel, but can the IP phone get an IP from the external DHCP server at HQ? Is this possible? Can you help me please, thanks.
The IP is not associated with the certificate. If you change the IP, as long as the name resolves to your new IP or something else, it should switch with no change to the client.
As a young professional building up a homelab, I have very little experience in pfSense or designing these things for myself. I didn't find the video very useful from an architecting standpoint, but I feel that the Visio illustration was inspirational for my own notekeeping. I also appreciated the brief trip through some interface menus: the chance to see settings that don't actually break everything.
Awesome tutorial. I have this mostly working (traffic is going out of the VPN); however, I have several interface assignments (VLANs). When I set the gateway to the regular WAN on some of those assignments, I get out to the internet and see my usual public IP, but my devices can't communicate with each other internally. Any idea what would cause that? Thanks again for the tutorial.
When I create the certificate I get the following error: Verify error:Fetching xxxxxx.xxxxx.net/.well-known/acme-challenge/N7ogiIDbYZO8irWrhnhnFwk9r3e1-wRC7NkmTaoNRLE: Error getting validation data
I am curious about the HAProxy config, and I am assuming that you followed the video. If you would be willing to share your config, let me know. You can send a response here and only I will see it; make sure you put in the comments not to approve it.
I only have two interfaces. Is there a way I can program it to only send people on DHCP to the portal? I am renting our house out and want people to have to agree to a terms of service.
With this setup, using the 'normal VPN user', will I be able to connect to the pfSense web portal when connected to the VPN? I'm about to colocate my server and I'm thinking that this would be the perfect setup for me.
The content is great, I love your introductions with diagrams and objectives, but please, get a better microphone. Are you planning on making a video about IDS/IPS packages for pfSense? That would be very interesting!
Should you have a valid certificate when you set up your DNS resolver, or can you use a self-signed/generated certificate? Would you not get an error or failure? What I'm asking is, would the certificate only be used for encryption, or for validation as well, when connecting/requesting secure DNS? I have done everything as you explained, but I can't seem to capture packets to see whether any packets are sent on port 53 when making a DNS request.
I don't think that is necessary, as the cert is used to encrypt the traffic. It can be self-signed as long as the remote end is valid. Can you tell me your layout for packet capturing?
VMNerd, tbh I've tried to use the Wireshark GUI once and couldn't make anything out of it, despite me having a CCNA certification. And I haven't tried it on the CLI either. Maybe you can make a tutorial about how to use it and what to look for. I really like your tutorials. I like the explanation with the outline in the beginning and then the conclusion at the end with what's been covered.
This is really good, BUT what if I want to block ANY off-LAN DNS (i.e. call home) from working at all in the first place? It's cool to put it into a TLS-wrapped query, but off-net DNS can be leveraged for attacks as well and for "call home" stuff like you mentioned. Personally, I block all DNS queries destined anywhere other than to my pfSense DNS Resolver... ;) Just sayin'. The diagram reveal in PowerPoint is nice. Keep up the great work!
The real driver behind this video is to keep your ISP from snooping on your traffic based on your DNS queries. Today they can intercept your traffic even if you are using a VPN, as your DNS might be using your onsite DNS server, revealing what content you are looking at.
@VMNerd I totally agree, and I have since configured my setup very similarly... I know you were doing it to illustrate, but on an actual setup you can just use pftop with a simple filter on the destination port in the out direction for all those DNS queries.
I don't see why not ... You are right, I used that so people can see what it looks like once it leaves the WAN, from the ISP's perspective. It's good to see it from that view to show physical separation; it can minimize confusion.
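The exchange above boils down to one policy: LAN clients may only send DNS to the pfSense resolver, and the resolver itself forwards only over TLS (TCP 853) to the upstreams you chose. The script below audits firewall log lines against that policy; it is an added example, not code from the VMNerd video or from pfSense, and the log format, resolver address and upstream addresses are all constructed assumptions (real pfSense filterlog lines have a different, richer layout).

```python
"""Audit constructed firewall log lines for DNS that bypasses the local resolver.

Added example; not from VMNerd or pfSense.  The log format below is a
constructed, simplified stand-in (action,interface,proto,src,dst,dport),
not the real pfSense filterlog layout.  Policy: LAN clients may only talk
port 53 to the pfSense resolver; the resolver forwards only over TLS (853)
to the configured upstreams; anything else on 53/853 is reported.
"""

RESOLVER_IP = "192.168.1.1"              # assumed pfSense LAN address
DOT_UPSTREAMS = {"1.1.1.1", "9.9.9.9"}   # assumed DNS-over-TLS forwarders

# Constructed sample lines: action,interface,proto,src,dst,dport
SAMPLE_LOG = """\
pass,lan,udp,192.168.1.20,192.168.1.1,53
pass,lan,udp,192.168.1.21,8.8.8.8,53
block,lan,tcp,192.168.1.22,9.9.9.9,53
pass,wan,tcp,203.0.113.5,1.1.1.1,853
pass,wan,tcp,203.0.113.5,8.8.8.8,853
pass,lan,tcp,192.168.1.23,93.184.216.34,443
"""


def classify(action, iface, proto, src, dst, dport):
    """Return a finding string for one record, or None if the record is allowed."""
    if dport == 53:
        if dst == RESOLVER_IP:
            return None                  # client -> local resolver: the intended path
        # Plain-text DNS headed for an outside resolver.  A 'pass' means the
        # block-all-other-DNS rule from the thread is missing or ordered too late.
        where = "rule missing" if action == "pass" else "blocked as intended"
        return f"plain DNS {src}->{dst}:53 ({where})"
    if dport == 853:
        if iface == "wan" and dst in DOT_UPSTREAMS:
            return None                  # resolver -> configured DoT upstream
        return f"DoT to unexpected upstream {src}->{dst}:853 ({action})"
    return None                          # not DNS traffic; out of scope here


def audit(log_text):
    """Parse the constructed log text and return the list of findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, iface, proto, src, dst, dport = line.split(",")
        result = classify(action, iface, proto, src, dst, int(dport))
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against a real export you would first map the filterlog fields onto the six columns the parser expects; the second sample line is the case the thread is about, a client that was allowed straight out to a public resolver on port 53.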
Fantastic video. I like the "out on the veranda at night" ambience with the crickets and stuff. The new audio config/setup you have is much appreciated. More importantly, this is a great idea that would easily allow me to bypass any, er, "encumbrances" to streaming blacked-out sporting events, even while on the road, hahaha! :)
GREAT content, I'm a fan! :) Nice work, concise and as to the point as it can be. Can you integrate ACME (Let's Encrypt) trusted certs with OpenVPN + NPS? How would that work, the same? This setup is what I'd love to have for myself...
Using your own CA is probably best, as OpenVPN will leverage the CA to pre-talk before the username and password are exchanged. You can use one certificate for anyone and use NPS with any username and password selected.