pfSense Multi-WAN Configuration: Part Five

pfSense multi-WAN

Viewing the load balancer status in pfSense 2.2.4.

Once you have configured your multi-WAN setup, you will want to verify its functionality. In this article, we will cover how to test each component of your multi-WAN setup.

If you have configured failover, you will want to test it after completing your configuration to ensure it functions as you desire; otherwise you might be in for an unpleasant surprise when one of your Internet connections fails. Navigate to Status -> Load Balancer and ensure all your WAN connections show as “Online” under Status. If they do not, verify your monitoring IP configuration as discussed in previous articles on this site.


pfSense Multi-WAN: Simulating a Failure

There are a number of ways you can simulate a WAN failure, depending on the type of Internet connection being used. In most cases, the easiest way to simulate it is to unplug the target WAN interface’s Ethernet cable from the firewall.

For cable and DSL connections, you will also want to try powering off your modem, and unplugging the coax or phone line from the modem. For T1 and other types of connections with a router outside of pfSense, try unplugging the Internet connection from the router and also turning off the router itself.

All of the above-mentioned testing scenarios will likely end with the same result, but there are some circumstances where trying all these things individually will find a fault you might not have otherwise noticed until an actual failure. For example, assume you are using a monitor IP assigned to your DSL or cable modem. When the coax or phone line is disconnected, simulating a provider failure rather than an Ethernet or modem failure, the monitor ping still succeeds since it is pinging the modem. As far as pfSense is concerned, the connection is still up, so it will not fail over even though the connection is actually down. There are other types of failure that can similarly only be detected by testing all the individual cases where failure is possible. After creating a WAN failure, refresh the Status -> Load Balancer screen to check the current status.

The easiest way to verify a HTTP load balancing configuration is to visit one of the websites that displays the public IP address from which you are coming. There is a page on the pfSense website for this purpose, and there are other sites that serve the same function. Search for “what is my IP address” and you will find numerous websites that will show you what public IP address from which the HTTP request is coming.

If you load one of these pages and refresh your browser a number of times, you should see your IP address changing if your load balancing configuration is correct. Note that if you have any other traffic on your network, you probably will not see your IP address change on every page refresh. Refresh the page 20-30 times and you should see the IP change at least a few times. If the IP never changes, try several different sites, and make sure your browser is really requesting the page again, and not returning something from its cache or using a persistent connection to the server. Manually deleting the cache and trying multiple web browsers are good things to try before troubleshooting your load balancer configuration further.

You can use traceroute to test load balancing (or tracert in Windows). Traceroute allows you to see the network path taken to a given destination.

The real time traffic graphs under Status -> Traffic Graph are useful for showing the real time throughput on your WAN interfaces. You can only show one graph at a time per browser window, but you can open additional windows or tabs in your browser and show all your WAN interfaces simultaneously. The Dashboard widget enables the simultaneous display of multiple traffic graphs on a single page. The RRD traffic graphs accessible under Status -> RRD Graphs are useful for longer-term and historical evaluation of your individual WAN utilization.


External Links:

Network Load Balancing on Wikipedia

pfSense Load Balancing

pfSense load balancing

Creating a load balancing pool in pfSense 2.2.4.

In the previous article, we covered how to set up load balancing for a multi-WAN configuration. In this article, we will cover load balancing and failover in cases that don’t involve multiple WAN interfaces.

pfSense Load Balancing

To configure a pfSense load balancing pool, log into the pfSense web GUI and navigate to Services -> Load Balancer. On the Pools tab, click the plus button. This will take you to the Load Balancer configuration page.

In the Name field, fill in a name for the pool up to 16 characters in length. This will be the name used to refer to this pool in the Gateway field in the firewall rules. In the Description field, you may enter a description for your own reference. The Description field is optional and does not affect functionality, while the Name field is required. For Mode, select Load Balance to set up a load balancing pool. In Port, enter the port your servers are listening on, and in Retry specify how many times to check a server before declaring it to be down. In Monitor, select the protocol to be used for monitoring the servers (usually ICMP). In Server IP Address, you enter the IP address that will determine whether the chosen interface is available. If pings to this address fail, this interface is marked as down and is no longer used until it is accessible again.

After selecting an interface and choosing a monitor IP, you can press the Add to pool button to add the interface. After adding the first interface to the pool, select the second interface, select its monitor IP, and press Add to pool again. When finished adding interfaces to the pool, press Save, and then press Apply changes on the next page.


Failover refers to the ability to use only one WAN connection, but switch to another WAN if the preferred connection fails. This is useful in situations where you want certain traffic, or all of your traffic to utilize one specific WAN connection unless it is unavailable.

To set up a failover group, navigate to Services -> Load Balancer, and click on the plus button, the same as you would when configuring a load balancing pool. In the Name field, fill in a name for the failover pool (again, up to 16 characters in length). In the Description field, you may enter a description for your reference.

For the Mode, select Failover. In Port, enter the port your servers are listening on, and in Retry, enter the number of times the server should be checked before being declared to be down. In the Monitor field, set a protocol for monitoring, and in Server IP Address, set the monitor IP. Once you have entered all this information, you can press the Add to pool button. You have added the first interface.

Since this is a failover pool, the first interface added will be used as long as its monitor IP is responding to pings. If the first interface added to the pool fails, the second interface in the pool will be used. Make sure you add the interfaces to the pool in order of preference. The first in the list will always be used unless it fails, at which point pfSense falls back on the remaining interfaces in the list in top-down order.

Additional interfaces can be added by entering the information for them and clicking Add to pool again. When finished adding interfaces to the pool, press Save, and then Apply Changes on the next page.


External Links:

Inbound Load Balancing on doc.pfsense.org
How to Use pfSense to Load Balance Your Servers on howtoforge.com

pfSense Multi-WAN Configuration: Part Four

pfSense multi-WAN

Setting up multi-WAN load balancing with failover in pfSense 2.2.4

The load balancing functionality in pfSense allows you to distribute traffic over multiple WAN connections in a round-robin fashion. This is done on a per-connection basis. A monitoring IP is configured for each connection, which pfSense will ping; if the pings fail, the interface is marked as down and removed from all pools until the pings succeed again.

pfSense Multi-WAN: Load Balancing 

In pfSense 2.0 and above, Services -> Load Balancer is not used to configure load balancing with a multi-WAN setup. Instead, we use Gateway Groups by navigating to System -> Routing and clicking on the Groups tab. Click the plus button to add a new gateway group.

In the Group Name field, you can enter a group name. The Gateway Priority section is where you configure load balancing. The Tier field determines the link priority in the failover group. Lower-numbered tiers have priority over higher-numbered tiers. Multiple links of the same priority will balance connections until all links at that level are exhausted. If all links in a priority level are exhausted, pfSense will use the next available link in the next priority level.

To illustrate how this works, I created three gateways: WAN, WAN1 and WAN2, as can be seen in the screen capture. Let’s assume that the WAN gateway is my main Internet connection (e.g. a cable modem). Assume that the WAN1 and WAN2 gateways are for my backup Internet connections (e.g. DSL). We want WAN to provide our primary connection to the Internet. When WAN is down, we want our Internet connectivity to be load balanced across WAN1 and WAN2. Therefore, we set WAN to Tier 1 and both WAN1 and WAN2 to Tier 2. Thus, when the higher priority WAN is down, the failover will use WAN1 and WAN2. If either WAN1 or WAN2 goes down, pfSense will use the remaining functioning gateway, so that even if two of the gateways are down, we should have some Internet connectivity, albeit with limited bandwidth.

The next field in the table, Virtual IP, allows you to select what virtual IP should be used when the gateway group applies to a local Dynamic DNS, IPsec or OpenVPN endpoint. In my example, since I was not setting up the gateway group to be used in any such scenario, I left this field unchanged.

The next field, Trigger Level, allows you to choose which events trigger exclusion of a gateway. The choices are Member Down, Packet Loss, High Latency, and Packet Loss or High Latency. I chose Packet Loss as the trigger. You can enter a brief Description, and press the Save button. On the next page, you’ll need to press the Apply Changes button.
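To make the tier and trigger-level logic concrete, here is a small Python model of gateway-group member selection. It is an added example, not pfSense’s own code; the loss and latency thresholds, the per-gateway status fields and the round-robin helper are my assumptions, and the trigger-level names are the ones from the GUI.

```python
"""Model of pfSense gateway-group selection (added example, not pfSense code).

Assumptions (mine, not the page's): each gateway carries the results its monitor
would report (loss %, latency in ms, and whether the member is down outright),
and the thresholds below are constructed; pfSense lets you tune them per gateway.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import List

LOSS_LIMIT_PCT = 20.0     # constructed threshold
LATENCY_LIMIT_MS = 500.0  # constructed threshold


@dataclass
class Gateway:
    name: str
    tier: int                 # lower number wins; equal tiers share connections
    member_down: bool = False  # monitor IP is not answering at all
    loss_pct: float = 0.0
    latency_ms: float = 0.0


def is_excluded(gw: Gateway, trigger: str) -> bool:
    """Return True when the chosen Trigger Level removes this gateway from the group."""
    if gw.member_down:
        return True  # every trigger level excludes a member that is down
    lossy = gw.loss_pct > LOSS_LIMIT_PCT
    slow = gw.latency_ms > LATENCY_LIMIT_MS
    if trigger == "Member Down":
        return False
    if trigger == "Packet Loss":
        return lossy
    if trigger == "High Latency":
        return slow
    if trigger == "Packet Loss or High Latency":
        return lossy or slow
    raise ValueError(f"unknown trigger level: {trigger}")


def active_members(group: List[Gateway], trigger: str) -> List[Gateway]:
    """The lowest-numbered tier that still has a usable member serves the group."""
    usable = [gw for gw in group if not is_excluded(gw, trigger)]
    if not usable:
        return []
    best_tier = min(gw.tier for gw in usable)
    return [gw for gw in usable if gw.tier == best_tier]


def assign_connections(group: List[Gateway], trigger: str, count: int) -> List[str]:
    """Round-robin new connections across the active tier (per-connection balancing)."""
    members = active_members(group, trigger)
    if not members:
        return []
    rr = cycle(members)
    return [next(rr).name for _ in range(count)]


def part_four_example(wan_down=False, wan1_down=False, wan2_down=False) -> List[str]:
    """The article's layout: WAN at Tier 1, WAN1 and WAN2 at Tier 2, trigger Packet Loss."""
    group = [
        Gateway("WAN", 1, member_down=wan_down),
        Gateway("WAN1", 2, member_down=wan1_down),
        Gateway("WAN2", 2, member_down=wan2_down),
    ]
    return [gw.name for gw in active_members(group, "Packet Loss")]


if __name__ == "__main__":
    print("all up:", part_four_example())
    print("WAN down:", part_four_example(wan_down=True))
    print("WAN and WAN1 down:", part_four_example(wan_down=True, wan1_down=True))
```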

Next, you need to redirect your firewall traffic to the new gateway. Navigate to Firewall -> Rules, and click on the tab of the interface whose traffic you want to redirect (e.g. LAN). Press the plus button to add a new rule. The default settings can be kept for most settings (Source and Destination should both be set to any). Scroll down to Advanced features, and press the Advanced button in the Gateway section. Select the gateway set up in the previous step in the dropdown box. Enter a brief Description, and press the Save button. On the next page, press the Apply Changes button. If you need to redirect traffic on other interfaces, you will have to set up firewall rules for those interfaces as well.

Finally, you need to navigate to System -> General Setup and make sure you have at least one DNS server for each ISP. This ensures that you still have DNS service if one or more gateways goes down. You may need to set up static routes for your DNS servers; part two of this series went into some detail on how to do this.

Once the gateway groups and firewall rules are configured, your multi-WAN load balancing setup should be complete.

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part Three

pfSense multi-WAN

Advanced Outbound NAT settings in pfSense 2.2.4.

Some multi-WAN configurations require special workarounds because of limitations in pfSense. This article covers those special cases.

Because of the way pfSense distributes traffic over multiple Internet connections using the same gateway IP, you will need to insert a NAT device between all but one of those connections. This is not an elegant solution, but it is a workable one.

pfSense can only accommodate one PPPoE or PPTP WAN connection. Therefore, OPT WAN interfaces cannot use PPPoE or PPTP WAN types. If you need to use PPPoE or PPTP, the best workaround is to use them on your modem or another firewall. Most DSL modems can handle PPPoE and either directly assign your public IP to pfSense or give it a private IP and provide NAT. Public IP passthrough is possible on many modems and is the preferred means of doing this.

pfSense Multi-WAN: NAT Rules

The default NAT rules generated by pfSense will translate any traffic leaving the WAN or an OPT WAN interface to that interface’s IP address. In a default two interface LAN and WAN configuration, pfSense will NAT all traffic leaving the WAN interface to the WAN IP address. The addition of OPT WAN interfaces extends this to NAT any traffic leaving an OPT WAN interface to that interface’s IP address. This is the default behavior and is all handled automatically unless Advanced Outbound NAT is enabled. The policy routing rules direct the traffic to the WAN interface used, and the outbound and 1:1 NAT rules specify how the traffic will be translated. If you require Advanced Outbound NAT with multi-WAN, you will need to configure NAT rules for all your WAN interfaces.

When using port forwarding with a multiple WAN setup, keep in mind that each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by using multiple port forward entries, one per WAN interface. The easiest way to accomplish this is to add the port forward on the first WAN connection, then click the plus button to the right of that entry to add another port forward based on that one. Change the interface to the desired WAN interface, and press the Save button.

1:1 NAT entries are specific to a single WAN interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or a 1:1 entry on one or more WAN interfaces and use the default outbound NAT on others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for the specific interface where the 1:1 entry is configured.

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part Two

pfSense multi WAN

Configuring the DNS forwarder in pfSense 2.2.4.

In the first article, we covered some basic considerations with a multi-WAN setup. In this article, we will cover multi-WAN configuration.

First, the WAN interfaces need to be configured. You should set up the primary WAN the same way you would in a single WAN setup. Then for the OPT WAN interfaces, select either DHCP or static, depending on your Internet connection type. For static IP connections, you will need to fill in the IP address and gateway.

Next, you need to configure pfSense with DNS servers from each WAN connection to ensure it is always able to resolve DNS. This is important, especially if your network uses pfSense’s DNS forwarder for DNS resolution. If you only use one ISP’s DNS servers, an outage of that WAN connection will result in a complete Internet outage regardless of your policy routing configuration.


pfSense uses its routing table to reach the configured DNS servers. This means that without any static routes configured, it will use only the primary WAN interface to reach DNS servers. Static routes must be configured for any DNS server on an OPT WAN interface, so that pfSense uses the correct WAN interface to reach that DNS server.

This is required for two reasons. [1] Most ISPs prohibit recursive queries from hosts outside their network. Thus, you must use the correct WAN interface to access that ISP’s DNS server. [2] If you lose your primary WAN interface and do not have a static route defined for one of your other DNS servers, you will lose all DNS resolution ability in pfSense, since all DNS servers will be unreachable when the system’s default gateway is unreachable. If you are using pfSense as your DNS server, this will result in a complete failure of DNS for your network.

pfSense Multi-WAN: Static IPs vs. Dynamic IPs

A setup that has all static IPs on the WAN interfaces is easy to handle, as each WAN has a gateway IP that will not change. Dynamic IP WAN interfaces, on the other hand, pose difficulties because their gateway is subject to change and static routes in pfSense must point to a static IP address. This usually is not a major problem, since only the IP address changes while the gateway remains the same. If your OPT WAN public IP changes subnets (and therefore gateways) frequently, use of the DNS forwarder in pfSense is not an acceptable solution for redundant DNS services; you will still have no reliable means of reaching a DNS server over anything other than the WAN interface.

pfSense multi-WAN

Configuring DNS servers with multiple WAN interfaces in pfSense 2.2.4.

With dynamic IP WANs, you have two alternatives. Because traffic from the inside networks is policy routed by your firewall rules, it is not subject to the limitation of requiring static routes. You can either use DNS servers on the Internet on all your internal systems, or use a DNS server or forwarder on your internal network. As long as DNS requests are initiated from inside your network and not on the firewall itself (as they are in the case of the DNS forwarder), static routes are not required and have no effect on traffic initiated inside your network when using policy routing.

A second option to consider is using one of your DNS server IPs from each Internet connection as the monitor IP for that connection. This will automatically add the appropriate static routes for each DNS server.

If you have a mix of statically and dynamically addressed WAN interfaces, then the primary WAN should be one of your dynamic IP WANs, as static routes are not required for DNS servers on the primary WAN interface.

The image on the right shows separate DNS servers with a multi-WAN setup in pfSense. In System -> General Setup, you can enter the DNS servers, and you can select the gateway used with the selected DNS server in the dropdown box on the right. As you can see, I have selected different WAN interfaces for each of the DNS servers, so the two WAN interfaces (WAN and WAN1) are not dependent on the same DNS server.
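The two reasons given above for per-WAN static routes (an ISP answers only queries arriving over its own link, and a route through the default gateway dies with the primary WAN) can be checked with a small routing model. This is an added Python example, not pfSense’s resolver or routing code; the addresses, the routing-table entries and the “which ISP owns which link” mapping are constructed.

```python
"""Why DNS servers on OPT WANs need static routes (added example, not pfSense code).

The lookup is ordinary longest-prefix match with the default route as fallback.
Interface names follow the article (WAN is the primary, WAN1 an OPT WAN);
all addresses are constructed documentation-range values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, egress interface)

ISP1_DNS = "203.0.113.53"   # constructed: ISP behind WAN
ISP2_DNS = "198.51.100.53"  # constructed: ISP behind WAN1
ISP_LINK: Dict[str, str] = {ISP1_DNS: "WAN", ISP2_DNS: "WAN1"}


def route_lookup(dst: str, routes: List[Route]) -> Optional[str]:
    """Interface for the most specific matching prefix, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def usable_dns(dns_servers: List[str], routes: List[Route],
               down_ifaces: List[str], isp_link: Dict[str, str]) -> List[str]:
    """Servers the firewall itself can reach *and* that will answer it.

    Reason [1]: the server answers only if the query leaves over its own ISP's link.
    Reason [2]: a route whose egress interface is down is no route at all.
    """
    usable = []
    for server in dns_servers:
        egress = route_lookup(server, routes)
        if egress is None or egress in down_ifaces:
            continue                      # unreachable: default gateway gone
        if egress != isp_link[server]:
            continue                      # reachable, but the ISP refuses the query
        usable.append(server)
    return usable


def without_static_route(down_ifaces: List[str]) -> List[str]:
    """Only the default route: everything, including ISP2's DNS, leaves via WAN."""
    routes = [("0.0.0.0/0", "WAN")]
    return usable_dns([ISP1_DNS, ISP2_DNS], routes, down_ifaces, ISP_LINK)


def with_static_route(down_ifaces: List[str]) -> List[str]:
    """Default route plus a /32 static route sending ISP2's DNS out WAN1."""
    routes = [("0.0.0.0/0", "WAN"), (ISP2_DNS + "/32", "WAN1")]
    return usable_dns([ISP1_DNS, ISP2_DNS], routes, down_ifaces, ISP_LINK)


if __name__ == "__main__":
    for label, fn in (("no static route", without_static_route),
                      ("static route", with_static_route)):
        print(f"{label:16} all up:   {fn([])}")
        print(f"{label:16} WAN down: {fn(['WAN'])}")
```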



External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part One

pfSense incorporates the ability to set up multiple WAN interfaces (multi-WAN), which allows you to utilize multiple WAN connections. This in turn enables you to achieve higher uptime and greater throughput capacity (for example, if the user has one 1.5 Mbps connection and a second 2.5 Mbps connection, their total bandwidth using a multi-WAN setup would be 4 Mbps). It has been reported that some pfSense deployments have used as many as 12 WAN connections, and pfSense may scale even higher than that with the right hardware.

Any additional WAN interfaces are referred to as OPT WAN interfaces. References to WAN refer to the primary WAN interface, and OPT WAN to any additional WAN interfaces.

There are several factors to consider in a multi-WAN deployment. First, you’re going to want to use different cabling paths, so that multiple Internet connections are not subject to the same cable cut. If you have one connection coming in over a copper pair, you probably want to choose a secondary connection utilizing a different type and path of cabling. In most cases, you cannot rely upon two or more connections of the same type to provide redundancy. Additional connections from the same provider are typically a solution only for additional bandwidth; the redundancy provided is minimal at best.

Another consideration is the path from your connection to the Internet. With larger providers, two different types of connections will traverse significantly different networks until reaching core parts of the network. These core network components are generally designed with high redundancy and problems are addressed quickly, as they have widespread effects.

Whether an interface is marked as down or not is determined by the following ping command:

ping -t 5 -oqc 5 -i 0.7 [IP ADDRESS]

In other words, pfSense sends 5 pings (-c 5) to your monitor IP, waiting 0.7 seconds between each ping (-i 0.7). It waits up to 5 seconds (-t 5) for a response and exits successfully if at least one reply is received (-o); -q suppresses the per-ping output. This detects nearly all failures, and is not overly sensitive. Since it is successful with 80 percent packet loss, it is possible your connection could be experiencing so much packet loss that it is unusable but not marked as down. Making the ping settings more strict, however, would result in false positives and flapping. Some of the ping options are configurable in pfSense 2.2.4.
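The trade-off in that paragraph (a check that passes at 80 percent loss versus a stricter one that flaps) is easy to see in simulation. The following Python is an added example, not pfSense code: each probe is a round-trip time in milliseconds or None for no reply, the probe sequences are constructed rather than captured, and the “strict” variant (all five probes must answer) is my own stand-in for tighter ping settings.

```python
"""Simulation of the monitor ping described above (added example, not pfSense code).

The real check sends 5 probes (-c 5) and exits 0 as soon as one reply arrives (-o).
Probes are modelled as RTT in ms or None for no reply; all sequences are constructed.
"""
from typing import List, Optional, Tuple

PROBES_PER_CHECK = 5  # -c 5

Probe = Optional[float]


def check_passes(replies: List[Probe], strict: bool = False) -> bool:
    """Lenient (pfSense): one reply of the five is enough. Strict: all must answer."""
    answered = sum(1 for r in replies if r is not None)
    if strict:
        return answered == len(replies)
    return answered >= 1


def loss_percent(replies: List[Probe]) -> float:
    """Packet loss of one check, as a percentage."""
    return 100.0 * sum(1 for r in replies if r is None) / len(replies)


def status_history(probe_stream: List[Probe], strict: bool = False) -> List[str]:
    """Split a probe stream into checks of five and report up/down per check."""
    last_start = len(probe_stream) - PROBES_PER_CHECK + 1
    checks = [probe_stream[i:i + PROBES_PER_CHECK]
              for i in range(0, last_start, PROBES_PER_CHECK)]
    return ["up" if check_passes(c, strict) else "down" for c in checks]


def flap_count(history: List[str]) -> int:
    """Number of up<->down transitions; more transitions means more flapping."""
    return sum(1 for a, b in zip(history, history[1:]) if a != b)


# Constructed: a noisy link that loses some probes in most checks and then dies.
LOSSY_LINK = (
    [20.0, None, 22.0, 21.0, None],   # 40% loss: lenient up, strict down
    [19.0, 20.0, 21.0, 20.0, 22.0],   # clean
    [None, 25.0, None, None, 24.0],   # 60% loss
    [20.0, 21.0, 20.0, 19.0, 20.0],   # clean
    [None, None, None, None, 30.0],   # 80% loss: still passes the real check
    [None, None, None, None, None],   # total loss: down under both policies
)


def lossy_link_example() -> Tuple[int, int]:
    """Flap counts (lenient, strict) over the constructed link."""
    stream = [probe for check in LOSSY_LINK for probe in check]
    lenient = flap_count(status_history(stream))
    strict = flap_count(status_history(stream, strict=True))
    return lenient, strict


if __name__ == "__main__":
    stream = [probe for check in LOSSY_LINK for probe in check]
    print("lenient:", status_history(stream))
    print("strict: ", status_history(stream, strict=True))
    print("flaps (lenient, strict):", lossy_link_example())
```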

In the next article, we’ll cover WAN interface configuration in a multi-WAN setup.


External Links:

Network Load Balancing on Wikipedia

Configuring Dynamic DNS in pfSense

pfSense DDNS

Adding a domain name at the Duck DNS website.

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames and/or addresses. The term is used to describe two separate concepts. The first is dynamic DNS updating, which refers to systems that are used to update traditional DNS records without manual editing; this mechanism is described in RFC 2136. The second permits lightweight and immediate updates, often using an update client. These clients provide a persistent addressing method for devices that change their location or IP addresses.

Most internet users who have consumer-grade internet access have a dynamic IP address, most likely assigned by their Internet service provider’s (ISP) DHCP server. These types of IP addresses pose a problem if the user wants to provide a service to other users on the Internet (e.g. a file server). DDNS provides a solution to this problem by providing a means of mapping a potentially rapidly changing IP address to a domain name without suffering the delay which it usually takes for a DNS change to propagate through the hierarchy of DNS servers.


Over the years, several companies and organizations have provided dynamic DNS capabilities. One such company, Dyndns (now called Dyn), provided a free domain name. In 2014, Dyn discontinued their free domain name service. They now charge $40 a year, which I still consider to be a reasonable price. But why pay for domain names when you can still get them for free? Duck DNS provides up to 5 free domain names (all subdomains of duckdns.org; e.g. mydomainname.duckdns.org) and is easy to configure with pfSense. In this article, I will outline the process.

Configuring Dynamic DNS: Creating a Duck DNS Domain Name

First, create a free account on Duck DNS. Once you have done this, scroll down to the domains section of the page. There will be an edit box for entering your domain name and a green add domain button. Enter a domain and press this button; if your domain isn’t taken already, you should see a page similar to the one shown in the screen capture in which your new domain is listed.

Next you need to install the Duck DNS client on your computer. The Windows version of the client can be downloaded from www.etx.ca and installed easily. The Linux version can be installed even more easily. You will need to install zenity, cron and curl first. Cron comes with most if not all Linux distros; zenity and curl can be installed with the apt-get command. There is a script you can download and execute which provides the same functionality as the Windows Duck DNS client. You will need to enter the domain you created in the first step in the Domain field, and in the Token field you need to enter the token generated by Duck DNS for your domain. [This token can be found as part of the Update URL provided in the pfSense installation instructions on the Duck DNS website. The token is the part between token= and the ampersand.]

Configuring Dynamic DNS: Adding a DynDns Entry in pfSense

pfSense DDNS

Adding a DynDns entry in pfSense 2.2.4.

With Duck DNS configured and the client installed, now we can log into our pfSense box and configure DynDNS. From the pfSense menu, navigate to Services -> Dynamic DNS. There will be two tabs on the page: DynDns and RFC2136; select DynDns if it is not already selected. Press the plus button to the right of the table to add a new entry. For Service type, select Custom from the dropdown box. The Username and Password fields can be left blank. For the Update URL, you need to copy and paste the URL provided in the pfSense installation instructions on the Duck DNS website. [You can find the instructions page by clicking on install on the menu at the top and then clicking on pfSense in the Routers section.] For Results Match, enter OK. Once these settings are entered, click on Save to save the changes.

Now the dynamic DNS configuration is complete, but since the whole point of setting up DDNS is to make services on your home network available to others, you are probably going to want to add an entry to the Network Address Translation (NAT) table to redirect incoming traffic to the node providing the service. You also need a corresponding firewall rule to allow the traffic through (NAT can create such a rule automatically). This is assuming that you didn’t already alter the NAT/firewall rules for the service you want to make available. One potential issue is that your ISP may block port 80 traffic, so if you want to set up your own web server, you may have to use a different port. [You can use NAT to redirect traffic from the port you selected to port 80.] If you cannot access the service you are trying to make available from the WAN side, you might want to try a different port and see if it works.
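What the Custom entry above does (fetch the update URL, compare the reply against Results Match) can be written as a tiny update client. This Python is an added example, not the Duck DNS client or pfSense’s own code. It assumes the update endpoint takes domains, token and ip query parameters and answers with the text OK; copy the real URL from your own Duck DNS page as the article says. The token here is a placeholder, and no network request is made unless you pass it the real fetch function.

```python
"""Minimal DDNS updater in the style of the Duck DNS client (added example).

Assumptions: the update URL shape is https://www.duckdns.org/update?domains=...&token=...&ip=...
and the service answers OK on success (the article's Results Match value).
The token used in the examples is a constructed placeholder, not a real credential.
"""
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

UPDATE_ENDPOINT = "https://www.duckdns.org/update"  # assumption, see lead-in


def build_update_url(domain: str, token: str, ip: str) -> str:
    """Build the update URL; validating the IP keeps junk out of the query string."""
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an address
    query = urlencode({"domains": domain, "token": token, "ip": ip})
    return f"{UPDATE_ENDPOINT}?{query}"


def token_from_update_url(url: str) -> Optional[str]:
    """Recover the token from a copied update URL (the part between token= and &)."""
    values = parse_qs(urlsplit(url).query).get("token")
    return values[0] if values else None


def redact(url: str) -> str:
    """Log-safe form of the URL: the token is a credential and must never be logged."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "token" in params:
        params["token"] = ["<redacted>"]
    return parts._replace(query=urlencode(params, doseq=True)).geturl()


def result_matches(body: str, expected: str = "OK") -> bool:
    """Same idea as pfSense's Results Match field: success only on the exact marker."""
    return body.strip() == expected


def update_if_changed(domain: str, token: str, current_ip: str, last_ip: Optional[str],
                      fetch: Callable[[str], str]) -> Tuple[bool, bool]:
    """Send an update only when the public IP changed; returns (request_sent, succeeded)."""
    if current_ip == last_ip:
        return (False, True)  # nothing to do, and nothing failed
    url = build_update_url(domain, token, current_ip)
    body = fetch(url)
    ok = result_matches(body)
    print(f"update {redact(url)} -> {'OK' if ok else 'FAILED'}")  # token never printed
    return (True, ok)


def http_fetch(url: str) -> str:
    """Real HTTP fetch for production use; the examples below never call it."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    fake_service = lambda url: "OK"  # stand-in for the real service
    print(update_if_changed("mydomainname", "0000-placeholder-token",
                            "198.51.100.8", "198.51.100.7", fake_service))
```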


External Links:

Dynamic DNS on Wikipedia

Duck DNS website


Video: Configuring Dynamic DNS with pfSense

You may want to set up a domain name for your home or SOHO WAN IP. This video demonstrates how to do this. In this video I cover:

  • What DDNS is, why you might want to use it, and different methods of implementing DDNS
  • Configuring Duck DNS on the Duck DNS web site; downloading and installing the Duck DNS client
  • Configuring DDNS in pfSense and setting up NAT so we can access an Apache web server behind the firewall
  • Accessing a web site using the domain name I set up in the previous steps

IPsec VPN Configuration in pfSense: Part One

IPsec VPN

Phase 1 IPsec configuration in pfSense 2.2.4.

In the previous article, we covered how to set up a PPTP VPN connection in pfSense, and how to connect to it in Mint Linux. Since PPTP relies on MS-CHAPv2, which has been compromised, we probably want to use another method if security is paramount. In this article, we will cover setting up an IPsec tunnel with pfSense and connecting to it with Mint Linux.

IPsec VPN Configuration: Phase 1

First we need to set up the IPsec tunnel in pfSense. Navigate to VPN -> IPsec and click on the plus button on the lower right to add a new tunnel. Under General information, there is an entry for Interface, where we select the interface for the local endpoint of the tunnel. Since our end user will be connecting remotely, the local endpoint should be WAN. The next entry is Remote Gateway, where we enter the IP address or host name of the remote gateway. Enter a brief description and scroll down to the Phase 1 proposal (Authentication) section. At Pre-Shared Key, you need to enter a key (PSK), which will essentially be the tunnel’s password. Whether you alter the Phase 1 proposal (Algorithms) settings or not, take note of the settings, as we will need them for future reference. Press the Save button at the bottom to save the Phase 1 configuration. On the next page, press the Apply changes button to commit changes.

IPsec VPN

Phase 2 IPsec configuration.

IPsec VPN Configuration: Phase 2

Now there should be a new entry in the IPsec table for the new Phase 1 configuration. Click on the big plus button underneath the entry you just created to initiate Phase 2 configuration. This section should expand, revealing an empty table for Phase 2 settings. Click on the (smaller) plus button to the right of the table to bring up the Phase 2 settings page. For Mode, you can select whichever method you prefer, but note that whoever connects will have to use the same method. For Local Network, enter the network or address to which you want to give the VPN user access (probably LAN net). For Remote Network, enter the address of the remote end of the VPN tunnel. Enter a brief description. In the Phase 2 proposal section (SA/Key Exchange), set the protocol and encryption options, again taking note of them for future reference (AES-256 is the commonly used standard). When you are done, press the Save button at the bottom of the page. Press the Apply changes button on the next page to commit changes. Finally, check the Enable IPsec check box on the main IPsec page and press the Save button.


Now that Phase 1 and Phase 2 configuration are complete, all that remains is to create a firewall rule for IPsec traffic. Navigate to Firewall -> Rules. There should be a new tab for IPsec; click on it. There may already be a rule there allowing traffic to pass to whatever network or address you specified in the Phase 2 configuration. If not, then create one now by pressing one of the plus buttons on this page. Most of the default settings can be kept, but set Destination to the network or address specified in Local Network in the Phase 2 configuration. For Destination port range, specify any. Add a brief description, and press the Save button. On the next page, press the Apply changes button to commit these changes.

In part two of this article, we will cover connecting to the VPN tunnel from the remote node.

External Links:

IPsec on Wikipedia

pfSense IPsec configuration information from the official pfSense site

PPTP VPN Configuration in pfSense

PPTP VPN

Configuring the PPTP VPN settings in pfSense 2.2.4.

A virtual private network is a means of extending a private network across a public network. The public network is most commonly the Internet, although not always. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network. A VPN establishes a virtual point-to-point connection to the destination network. Major implementations of VPNs include OpenVPN, IPsec, L2TP and PPTP.

pfSense makes it easy to set up a VPN connection, with support for all four of the above-mentioned VPN protocols. [m0n0wall, which I used prior to making pfSense my primary firewall, supported IPsec and PPTP.] In this article, I will demonstrate how to configure a PPTP connection with pfSense, and connect to it with a Mint Linux system.


PPTP VPN Configuration: Configuring the PPTP Server

After logging into your pfSense firewall, navigate to VPN -> PPTP. From the Configuration tab, select the Enable PPTP server radio button. For Server address, you should enter an IP address on an unused subnet. For Remote address range, you should specify the starting address for VPN users (presumably on the same subnet as the server address). Scroll to the bottom and check the Require 128-bit encryption check box. Press the Save button at the bottom of the page.


Now PPTP is enabled, but we still have to create users and a firewall rule. Click on the Users tab and press the Plus button to add a user. Enter a username and password (you have to enter it twice). If you want to assign a specific IP address to this user, you can do it here. Press the Save button when you’re done.

PPTP VPN

Creating a firewall rule to allow traffic to pass from the VPN to the LAN.

Now all we have to do is add a firewall rule. Navigate to Firewall -> Rules. You will see that in addition to tabs for all your interfaces (LAN, WAN, DMZ/OPT1, etc.) there is a tab for PPTP. Click on that tab, and click on the Plus button to the right of the table to add a rule. For Destination, select LAN net (to allow access to the LAN network from our VPN), and for Destination port range, select any. Add a brief Description (e.g. “Allow PPTP to LAN”) and press the Save button. [All other settings can be kept at the default values.] Once the rule is saved, press the Apply changes button on the next page to force a reload of the firewall rules.
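The server side of the procedure above hinges on two values, the Server address and the start of the Remote address range, and on the requirement that they sit on a subnet the firewall does not already use. The following script is an added example (my own, not code from the article or from the pfSense project) that checks a planned address pair before you type it into VPN -> PPTP. The number of simultaneous users, the list of existing subnets, and the assumption that the VPN subnet is a /24 around the server address are all inputs I chose for the example; the sample values in the main block are constructed.

```python
"""Check a planned pfSense PPTP address plan before entering it in VPN -> PPTP.

Added example, not from the article. "Server address" and the start of the
"Remote address range" are the two fields the article describes; the number of
users, the existing subnets and the /24 assumption are supplied by the caller.
"""
import ipaddress


def plan_pptp_addresses(server_address, remote_start, n_users, existing_nets, prefix=24):
    """Return the VPN subnet, the client pool and a list of problems found.

    server_address: value for the "Server address" field
    remote_start:   first address of the "Remote address range"
    n_users:        how many simultaneous PPTP clients the pool must hold
    existing_nets:  subnets already routed on the firewall (LAN, OPT1, ...)
    prefix:         the VPN subnet is assumed to be a /prefix around the server address
    """
    server = ipaddress.ip_address(server_address)
    first = ipaddress.ip_address(remote_start)
    last = first + (n_users - 1)
    vpn_net = ipaddress.ip_network(f"{server}/{prefix}", strict=False)
    problems = []

    # The article puts the clients on the same subnet as the server address.
    if first not in vpn_net or last not in vpn_net:
        problems.append(f"client pool {first}-{last} leaves the server subnet {vpn_net}")

    # The server address must never be handed out to a client.
    if first <= server <= last:
        problems.append(f"server address {server} lies inside the client pool {first}-{last}")

    # The pool must not include the network or broadcast address.
    if first == vpn_net.network_address or last == vpn_net.broadcast_address:
        problems.append("client pool touches the network or broadcast address")

    # "An unused subnet": it must not overlap anything already routed on the box.
    for net in map(ipaddress.ip_network, existing_nets):
        if net.overlaps(vpn_net):
            problems.append(f"VPN subnet {vpn_net} overlaps existing subnet {net}")

    return {
        "vpn_net": str(vpn_net),
        "pool": (str(first), str(last)),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample values: a LAN and a DMZ already in use on the firewall.
    in_use = ["192.168.1.0/24", "192.168.2.0/24"]

    good = plan_pptp_addresses("10.0.8.1", "10.0.8.2", 16, in_use)
    print("plan 1:", good)            # no problems, pool 10.0.8.2-10.0.8.17

    bad = plan_pptp_addresses("192.168.1.200", "192.168.1.201", 16, in_use)
    print("plan 2:", bad["problems"])  # overlaps the LAN subnet
```

Run it with your own LAN and OPT subnets in `in_use`; an empty `problems` list means the pair is safe to enter, and the pool bounds tell you which addresses the Users tab may assign statically.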


PPTP VPN Configuration: Testing the Connection in Linux Mint

Our setup of the pfSense firewall for VPN is complete; now we need to test it. Your mileage may vary depending on what operating system you use. I used Mint Linux to connect. In Linux Mint, click on the connection icon in the system notification area of the toolbar. A box with various networking options should appear. In this box, click on Network Connections. This should open the Network Connections dialog box. [You can also reach this dialog box by navigating to Preferences -> Network Connections on the Mint Linux menu, also accessible from the toolbar.] In this dialog box, click on the Add button. This will launch the Choose a Connection Type dialog box; choose Point-to-Point Tunneling Protocol (PPTP) and press the Create button. At Gateway (on the VPN tab), enter the WAN IP address of your pfSense firewall (or the domain name of your WAN gateway, if you have one). For User name and Password, enter the username and password you created when you were setting up PPTP on your pfSense box. Press the Advanced button and check the Use Point-to-Point encryption (MPPE) check box. This will enable the Security dropdown box; select 128-bit (most secure). Check the Allow stateful encryption check box. Press the OK button to save these settings. Next, click on the IPv4 Settings tab and for Method, select Automatic (VPN) addresses only from the dropdown box. Click on the Save button at the bottom of the dialog box to save the VPN connection settings.


Configuring the advanced settings in Mint Linux for our VPN connection.

Now, the VPN connection settings are saved and you should be able to connect. Again click on the connection icon in the system notification tray. In the box that appears, there should be a new section called VPN Connections. Click on the VPN connection you just created (most likely, VPN connection 1); when you do, Linux Mint will try to establish a VPN connection. If it works, you should be connected to the VPN.

If it doesn’t work, there can be several reasons. If the connection attempt fails without even connecting to your pfSense box, then you should make sure that the WAN interface of your pfSense box is reachable from your network. If, however, Mint Linux is able to connect to your pfSense box but the connection still fails (the more likely scenario), your VPN connection settings may be incorrect. In particular, you should check to make sure the security settings are correct (you must choose 128-bit encryption and allow stateful encryption). If you double-check the settings and everything seems to be right and you still cannot connect, then the mistake may have been how you configured PPTP in pfSense, so you probably should double-check those settings. If you are now connected to the VPN, you should be able to access LAN resources the same as a local LAN user would be able to access them.
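The troubleshooting paragraph above separates two cases: the client never reaches the pfSense box at all, and the client reaches it but the session fails afterwards. A PPTP session starts with a TCP connection to port 1723 and a Start-Control-Connection-Request/Reply exchange (RFC 2637), so you can tell the two cases apart without touching the NetworkManager settings. The script below is an added example of my own, not code from the article or from pfSense or NetworkManager; the host name and vendor strings it sends are arbitrary, and the sample reply it builds for offline use is constructed rather than captured from a real server.

```python
"""Probe a PPTP server the way a client begins a session: connect to TCP 1723
and exchange Start-Control-Connection-Request/Reply (RFC 2637, sections 2.1, 2.2).

Added example, not from the article. A failed TCP connect means the firewall's
WAN (or port 1723) is not reachable; a parsed reply means the control channel
works and any remaining failure lies in authentication or encryption settings.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1
SCCRQ = 1                  # Start-Control-Connection-Request
SCCRP = 2                  # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100
SCCRQ_FORMAT = "!HHIHHHHIIHH64s64s"   # 156 bytes
SCCRP_FORMAT = "!HHIHHHBBIIHH64s64s"  # 156 bytes; result and error codes are one octet each
MESSAGE_LEN = struct.calcsize(SCCRQ_FORMAT)
RESULT_CODES = {1: "ok", 2: "general error", 3: "command channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(host_name=b"pptp-probe", vendor=b"example"):
    """Encode a Start-Control-Connection-Request. Strings are arbitrary (assumed)."""
    return struct.pack(SCCRQ_FORMAT,
                       MESSAGE_LEN, CONTROL_MESSAGE, MAGIC_COOKIE,
                       SCCRQ, 0, PROTOCOL_VERSION, 0,
                       0x3,      # framing capabilities: asynchronous and synchronous
                       0x3,      # bearer capabilities: analog and digital
                       1,        # maximum channels
                       0x0100,   # firmware revision (arbitrary)
                       host_name, vendor)


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < MESSAGE_LEN:
        raise ValueError("short PPTP control message")
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _framing, _bearer, max_chan, _firmware, host, vendor) = struct.unpack(
        SCCRP_FORMAT, data[:MESSAGE_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CONTROL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl_type}")
    return {
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "result_code": result,
        "error_code": error,
        "protocol_version": version,
        "max_channels": max_chan,
        "host_name": host.rstrip(b"\x00").decode(errors="replace"),
        "vendor": vendor.rstrip(b"\x00").decode(errors="replace"),
    }


def build_sample_sccrp(result=1, host=b"pfsense", vendor=b"example-vendor"):
    """Constructed reply for offline testing; not a capture from a real server."""
    return struct.pack(SCCRP_FORMAT, MESSAGE_LEN, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                       PROTOCOL_VERSION, result, 0, 0x3, 0x3, 1, 0x0100, host, vendor)


def _recv_exact(sock, n):
    """Read exactly n bytes or return what arrived before EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_pptp(host, port=PPTP_PORT, timeout=3.0):
    """Return {'tcp_ok': False, 'error': ...} if port 1723 is unreachable,
    otherwise {'tcp_ok': True, 'sccrp': parsed reply} or {'tcp_ok': True, 'error': ...}."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sccrq())
            reply = _recv_exact(sock, MESSAGE_LEN)
    except OSError as exc:
        # Case 1 from the article: the WAN side of the firewall is not reachable at all.
        return {"tcp_ok": False, "error": str(exc)}
    try:
        # Case 2: reachable; check that it really answers as a PPTP server.
        return {"tcp_ok": True, "sccrp": parse_sccrp(reply)}
    except ValueError as exc:
        return {"tcp_ok": True, "error": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder WAN address
    print(probe_pptp(target))
```

Run it with the WAN address you entered as Gateway in Linux Mint. `tcp_ok: False` points at reachability (routing, the WAN rule for port 1723, or the ISP); a reply with `result: ok` means the control channel is fine and the remaining suspects are the username, password, and the 128-bit/stateful MPPE settings on both sides.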

One final note is that we should be mindful of the fact that VPN connections are encrypted, and encrypting data requires additional CPU power. One user connecting via VPN shouldn’t create an appreciable strain on the CPU, but 50 VPN users surely will. There is specialized hardware you can purchase (Soekris is the most prominent manufacturer of such hardware) and install in your pfSense box to relieve the CPU of the computing-intensive tasks of encryption and compression. In most cases, however, the cheaper option is to just buy a faster CPU. In any case, you will probably want to consider VPN usage when you develop the specifications for your pfSense box.



External Links:

Virtual private network on Wikipedia.

Product page for vpn 14×1 products on the Soekris website.


© 2013 David Zientara. All rights reserved.