Generally, on interface rules that are evaluated top down - first match wins, if you want to limit what the users can do you go from most specific to least specific: Pass what your users need to access - DNS to DNS servers, pings to gateway for troubleshooting/comfort, etc. Block what you do not want your users to access - DMZ to LAN or other local networks, webConfig (don't forget WAN address or This firewall (self)), etc. Pass everything else - (the internet)

@Derelict: Just look at the OpenVPN threads.  There's a really long one about PIA that covers all this.  Sorry, I don't have a bookmark for it. There's a checkbox in the OpenVPN client config that says don't pull routes.  With that checked make an alias for the hosts you want to go out the VPN and set the VPN as a gateway in a matching rule. Appreciate the help. Will look for the post on PIA so I can figure it out.

Meaning all clients get routes to 10.0.0.0 and 10.0.1.0.  The firewall rules control who can actually talk to what. It just lets you standardize the server config for all users.  You can also just push specific routes to local assets to specific users.  OpenVPN will pretty much be able to do anything you can think of.

;) "Science bitch!" - Breaking Bad. I would say that it works. I authenticated with two account found in the separate backends  :o. [image: multiselect-auth-works.png] [image: multiselect-auth-works.png_thumb]

I deleted the Server and disabled the working Client for now.  I have pasted the logs to a pic attached. [image: Capture.JPG] [image: Capture.JPG_thumb]

On further investigation, it seems that pfsense is doing exactly as it should, it is assigning itself the 42.1 address, it's the dd-wrt router that is insisting on the .5 and .6 addresses. Thank you for the links though, definitely good information that I didn't know before

Yes, you're right. You have to select "Network" at destination type and enter your alias in the field below.  

Thank you for your response! Sometimes a solution is really simple but you just forget to think about it. Great that a forum like this has other users who are experienced and who can give you the right tips. You made my day, it all works flawlessly! ;D Kind regards, Dennis

Hello. I'm having some issues aswell. What did you do?

Thank you! Windows Firewall really blocked the ICMP packages.  ??? How I made ithis beginners failure to not check this?  :-[ Now everything what I need is working. There is still an Item I just can't understand. I can ping now from all clients all other clients in all locations, but my clients coming from outside over OpenVPN can't ping one of the Openvpn servers?!? Also the frontend of pfsense is not accessible from these notebooks if I choose the internal IPs. If I go over WAN, everything is fine?!? Packet captures show, that the echo and the reply is visible in two devices only: The TAP of the server for remoteclients and the server for remoteclients itsself. Nothing in LAN or in the bridge interface…. It is really funny, that a ping goes over two VPN tunnels and two servers without any trouble, but the servers themselfes are stealh devices  ;D

?????????????

@kapara: Also strange that I need to open gui as administrator You need to complain to MS. (There's also this management interface/ OpenVPNManager export option to avoid this.)

All you need to do is go into the shell portion and type: 11 to Restart webConfigurator, after that it should restore the openvpn portion. Worked for me just fine.