@viragomann: Ping uses the ICMP protocol, so you have to add an additional rule where you allow that. Thank you was a NAT issue which we got resolved now. thank you for your answer

I am experiencing the same problem. I have my pfSense box connected to StrongVPN and I see this in the logs: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1562' WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic' When I put tun-mtu 1500 in the Custom Options, like you the warning changes.

So these new devices are pointing to pfsense as their gateway? Do they have host firewalls on them that could be blocking your tunnel network.. Why you should think its pfsense preventing access to devices on a network it allows access to seems a grasping at straws sort of thing without even basic troubleshooting.  Do you filter your vpn traffic to allow only access to specific IPs?  If not pfsense has nothing to do with the problem. Does pfsense have the mac address of these new devices in its arp table.  Can pfsense ping these devices from its interface in the 10.1.0.0/24 network?

@kip: I just need a new OS on the system. ??? Whatever you mean by that.

Are you pulling default routes from your vpn server your running.. Then yeah it would route all traffic through your vpn.. If you want your dmz machines to use the tunnel and your other machines to use your that is basic policy routing.. Just send the dmz or any IP you want out your gateway you created for the vpn connection.  Let your other clients just the normal routing of pfsense which should send it out your wan, etc.

A quick update on this. I disabled my new config and created a new one from scratch. This time it works the way i want to. I have no idee what happend with the old one…

Maybe it's a Client Config error. Double check TLS Key is correct on your Desktop.

If you want to do multiple sites on the same server there are additional considerations that usually require CSOs. And you must use SSL/TLS mode with a tunnel network larget than /30.

Just to follow up, I was able to get rid of this error, but disabling the 1:1 NAT mapping.

Sty make sure you don't have "redirect-gateway def1" in your advanced configuration for the PIA VPN.  That will override all of your policy based routing and send all traffic through the VPN by setting your default gateway to the VPN.

Figured I'd post my results from tonight… SG-4860 w/ 4 tunnels in a load-balanced gw group spread across 2 WANs. NordVPN. 256k buffer, comp-lzo, fast-io + RDRAND. Was able to sustain 250Mbit/s with CPU load between 9-12% Pretty happy with this, but will continue striving for higher highs. [image: UJ0hCf7.png]

Dude a mask of 255.0.0.0 means that 10.anything is the same network.. 10.13.11.100 is the same network as 10.12.10 So a client on 10.13.11.100 that gets traffic from something say 10.12.10.14 would just say oh hey buddy nice to talk to you.. Here is my answer.. it would NOT send it to its gateway because its the same network…  Fix your mask to be 24 bit and your problem will go away.

Thanks! Windows firewall…  Should have guessed.. Now ping and Windows remote desktop from VPN client to LAN is working  :)

After countless hours day and night, and two different experts gave up, I finally made it myself. I have to say, I was pretty desperate. Solution? I went to interfaces on local pfsense, added some cryptic ovpnc to interfaces and added manually NAT-routes for all interfaces wlan, lan, opt1, opt2 etc (all allowed, every direction). For some reason, I don't know why, everything worked! I can ping in every direction as long as I'm on a LAN. Now I have to reduce the access again so that I don't have more open routes that needed. Thanks for no help on this…

smashed it, i created a "client specific override" rule for the openvpn user "common name" to use a static virtual ip and from there i created "rules" under "openvpn" for the static ip to only access those ip addresses [image: Capture.PNG] [image: Capture.PNG_thumb]