• route between OpenVPN client to pfSense LAN

    0 Votes
    2 Posts
    407 Views

    From a remote OpenVPN client I can access web servers running on the host on the OpenVPN server LAN only by LAN IPv4 address, not host name or IPv6. I can't ping the Windows host by IPv4 or IPv6 nor by hostname despite pushing routes in the OpenVPN advanced configuration. It almost seems as though the client isn't using pfSense as the DNS server, which is running DNS resolver. Is a route available between VPN and LAN subnets, as I can access hosts on the pfSense LAN by IPv4 address? Why not IPv6 or hostname? Does it matter that I put fd45::0/64 in the IPv6 tunnel network? What should I put there?

    Here are some of the OpenVPN server settings:

    openvpn tunnel settings.png
    openvpn advanced client.PNG
    openvpn advanced config.png

    Here is a Windows 10 host on the LAN whose web servers I can access:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : media-server-pc
       Primary Dns Suffix . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : mypublicdomain.com

    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix . : mypublicdomain.com
       Description . . . . . . . . . . . : Mellanox ConnectX-3 Ethernet Adapter
       Physical Address. . . . . . . . . : EC-0D-9A-2C-14-70
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:xxxx:xxxx:3800:f749:b327:f336:3572(Preferred)
       IPv6 Address. . . . . . . . . . . : fd38:xxxx:xxxx:1:367c:dfef:fcbc:5eeb(Preferred)
       Link-local IPv6 Address . . . . . : fe80::a0e7:5877:e5e8:4035%4(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, December 21, 2023 4:05:15 PM
       Lease Expires . . . . . . . . . . : Monday, January 1, 2024 6:38:52 PM
       Default Gateway . . . . . . . . . : fe80::225:90ff:febb:bf0c%4
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 552340890
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-19-13-C7-40-8D-5C-B6-47-55
       DNS Servers . . . . . . . . . . . : 192.168.1.1
                                           2601:xxxx:xxxx:3800:225:90ff:febb:bf0c
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List : mypublicdomain.com

    Here is the Windows 10 OpenVPN client ipconfig:

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : oo-reg01-lt
       Primary Dns Suffix . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No

    Unknown adapter Local Area Connection:

       Connection-specific DNS Suffix . :
       Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
       Physical Address. . . . . . . . . : 00-FF-82-8B-3D-A8
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2601:xxxx:xxxx:3800::1000(Preferred)
       Link-local IPv6 Address . . . . . : fe80::567c:53a3:83c7:7d99%14(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.2.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 687931266
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-F3-39-C1-B4-A9-FC-EF-76-C2
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    I notice the VPN client ipconfig doesn't say it is on mypublicdomain.com, is that a problem? Where have I gone wrong in connecting the VPN client to the OpenVPN LAN?

  • Routing Log is Empty

    0 Votes
    6 Posts
    565 Views

    @FCS001FCS said in Routing Log is Empty:

    @viragomann said in Routing Log is Empty:

    @FCS001FCS
    pfSense docs > Routing Logs

    Thanks, yes, I found that already but honestly did not understand what was supposed to show up in the logs from that short explanation page.

    All these are features that are not enabled by default on pfSense. Some are actually packages, which would have to be installed.
    So I think, if you use it you would be aware of it.

  • Bandwidth segregation needed (and not load balance or fail over)

    0 Votes
    9 Posts
    695 Views

    hi @greenlight

    I tried setting 'Default gateway IPv4' from 'Automatic' to 'None' and it seemed to fix the issue. I will observe more and update this post if it does not really fix the issue. Thank you, I got the idea from your question earlier.

  • 0 Votes
    5 Posts
    950 Views

    @KingTChoka said in Not receiving WAN IP when connecting to my SHAW modem in bridge mode, thus not able to connect to internet:

    "Without more info" - What more info could I provide?

    "Does the modem have multiple ports?" - Yup, it has 4, and I've tried plugging the ethernet cable in 2/4, but I guess I can try the other 2.

    "Did you try to plug a pc directly into the modem when bridged? Does it get an IP?" - Haven't tried that yet but I will soon. Am I supposed to expect an IP? Why would a PC plugged directly into a bridged modem expect an IP?

    Is this cable internet, fiber, other?
    What model is the modem?
    As said already, DHCP, PPPoE, other?

    If cable, you'll have to reboot the modem after changing the directly connected device as they 'record' the MAC of that directly connected device.

    Usually if bridged, they may only work on port 1.
    Alternatively, when bridging, they sometimes need to enter the MAC of the device you want to receive the IP. Was there a field asking for that when you put it in bridge mode?

    Why wouldn't a PC connected get an IP? Whatever you connect to the modem, when bridged, will get the public IP.

  • Route to remote gateway connected via OpenVPN

    0 Votes
    1 Posts
    234 Views
    No one has replied
  • 0 Votes
    1 Posts
    209 Views
    No one has replied
  • Do I need a static router for my network?

    0 Votes
    7 Posts
    738 Views
    johnpoz

    @kiokoman said in Do I need a static router for my network?:

    Indeed you need a static route to the wireless router

    No, not really, but if he was going to create routes to the network behind the router, he would need to do it on all the hosts on his LAN network

    Or he is going to run into asymmetrical traffic..

    I really don't see the point of letting that old access point do any NAT.. Just use it as an AP and put it on another segment on your pfSense, be it physical or VLAN..

    Running some downstream NAT router is just going to be problematic.. And there are no rules you could do on pfSense to stop these clients connected to that wifi router from talking to anything on pfSense LAN.. That would have to be done on that router, and guest normally stops wifi from talking to the wifi LAN, but not its WAN, etc..

    You'd be much better off just doing it correctly via another segment on pfSense and using it as just an AP.. Or if you're not actually worried about communication between LAN and your wifi, then just use it as AP and put it on the same pfSense LAN network.

  • Recipe for Pfsense becoming a static router for a /28 subnet

    0 Votes
    19 Posts
    1k Views

    @andres-asm as a follow-up, while at the beginning what I did was bridge two virtual ethernet interfaces so I could give my internal VMs public IP addresses, I ended up switching to virtual IPs attached to the wan interface and 1:1 NAT.

    But I get it, clients usually don't want to deal with NAT.

  • Struggling to get wireguard working without static routes

    0 Votes
    1 Posts
    339 Views
    No one has replied
  • Wan and Lan IP issues

    0 Votes
    1 Posts
    196 Views
    No one has replied
  • Configure multiple WANs from one Gateway

    1 Votes
    4 Posts
    487 Views

    @Happydog
    Having multiple interfaces within the same subnet is not a supported setup and makes no sense at all.

    You can assign additional IP addresses as virtual (IP alias or Proxy ARP) to a single interface, however.

  • GATEWAY

    0 Votes
    1 Posts
    288 Views
    No one has replied
  • SFP Trunk Port Possible On Netgate SG2100?

    0 Votes
    12 Posts
    1k Views

    All ports of the 2100 are 1G. If you want 10G you need a 6100, which has two 10G ports.

  • Multi Subnet/WAN from multi ISP to single interface

    0 Votes
    3 Posts
    372 Views

    @viragomann

    Yes... thought so .. Guess it will have to come to that after all...
    Thanks !

  • ovpnc with subint, no arp replies for not directly connected

    0 Votes
    6 Posts
    518 Views

    @viragomann

    Arg!!! this is a client routing "issue"

    With route in local route table on RHEL host to the gateway of subint:

        ash-4.4# ip route add 9.9.9.9/32 via 192.168.20.1
        ash-4.4# ip route get 9.9.9.9 from 192.168.20.100
        9.9.9.9 from 192.168.20.100 via 192.168.20.1 dev bond0.20
            cache
        ash-4.4# ping -I bond0.20 9.9.9.9
        PING 9.9.9.9 (9.9.9.9) from 192.168.20.100 bond0.20: 56(84) bytes of data.
        64 bytes from 9.9.9.9: icmp_seq=1 ttl=50 time=19.7 ms
        64 bytes from 9.9.9.9: icmp_seq=2 ttl=50 time=17.9 ms
        64 bytes from 9.9.9.9: icmp_seq=3 ttl=50 time=21.0 ms
        ^C
        --- 9.9.9.9 ping statistics ---
        3 packets transmitted, 3 received, 0% packet loss, time 5ms
        rtt min/avg/max/mdev = 17.911/19.525/21.007/1.277 ms

    without route in local route table on RHEL host to the gateway on the subint:

        ash-4.4# ip route delete 9.9.9.9/32 via 192.168.20.1
        ash-4.4# ip route get 9.9.9.9 from 192.168.20.100
        9.9.9.9 from 192.168.20.100 via 192.168.1.1 dev bond0.1
            cache
        ash-4.4# ping -I bond0.20 9.9.9.9
        PING 9.9.9.9 (9.9.9.9) from 192.168.20.100 bond0.20: 56(84) bytes of data.
        ^C
        --- 9.9.9.9 ping statistics ---
        2 packets transmitted, 0 received, 100% packet loss, time 1ms

    Now to tshoot in that direction.

    Thanks!

  • How can i create route to access NTP server located in another subnet?

    0 Votes
    5 Posts
    1k Views

    @johnpoz I did go through the port forward method. Initially I believed that setting the specific networks (172.x.x.x, 192.x.x.x, etc.) in Virtual IPs would be the only thing I need to do.
    My first NTP server ran CHRONY but for some reason it was not able to provide time to the embedded Linux devices. My Windows computer synced pretty fast.
    Now, I switched to NTP daemon under Ubuntu. All embedded Linux devices are syncing.
    I also disabled the port forward and... the devices sync. Maybe it was because of the Ubuntu minimal server that I use.
    The test device is not running a firewall so I would pinpoint to the NTP server.

    Guys, sorry for this but I am new in this area... Thank you for guiding and having patience with me. I'll test more tomorrow and if I can get away with networks defined in Virtual IPs, this is the best solution that I need.

    Thank you, once again !
    Best regards,
    J.

  • Multi WAN routing not working, one PPPoE one DHCP behind ISP NAT router

    0 Votes
    2 Posts
    292 Views

    @identitypaul Answering my own question, after many days of battling with this...

    Resetting the state table fixed it instantly.

  • Multiwan and policy routing

    0 Votes
    11 Posts
    998 Views
    Bob.Dig

    @hyperman35 Now I do remember what you shouldn't do, maybe this helps. Don't put any upstream gateway on the interface tab, it has to be None there for multiple gateways.

  • Multiple IP6 to one server??

    0 Votes
    6 Posts
    546 Views

    @Cool_Corona there’s this: https://docs.netgate.com/pfsense/en/latest/network/ipv6/nat.html

  • pfSense behind ISP router problem

    0 Votes
    4 Posts
    430 Views

    @gjaltemba
    On the ISP router there should be an option to set pfSense WAN as "exposed host" or DMZ, so that all incoming traffic is forwarded to it.

    Ensure that the router does not do masquerading on forwarded traffic.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.