@audiobahn If a device is accessible from other devices within the same subnet, but not from the VPN or other network segments it should be accessible from outside with NAT though, because this way the packets get a source IP from its own subnet. However, in most cases it is the firewall on the respective device itself, which is simply blocking outside access. So the NAT is a hack and not recommended. You should better configure the devices firewalls accordingly. There are only rare dumb devices, which have no possibility to configure a gateway, where NAT is a good workaround.

Likely because OpenVPN is single-threaded? The faster that one core is, the better.

@viragomann Thanks for your clear explanation, got some rules to set up!

Yes, right and no change :)

@mikeyno said in Using DNS from VPN Provider (ExpressVPN): The help text implies that "Pull DNS" should cause pfSense to use DNS servers assigned by the OpenVPN server. Agree. So there might something be wrong.

@m0l50n said in Errors on OpenVPN logs server: I mean, 2 clients from the same location connecting to the same OpenVPN server (same WAN IP) on same protocol (UDP) can be problematic?!?!? Not problematic. The ports are different. You have a OpenVPN set up to listen on port 1200 and you have another OpenVPN server set up to listen on port 1195. Two complete separate instances, using their own settings. Example : many web server have two processes running : One web server, listing on port 80, doing the ancient "http" stuff. Another web server using other settings (with some TLS settings added) listens on port 443 and handles the "https" access. Both web server process serve the same data, doing the same things. It's just the "communication channel" that chances.

@jimp ok, thanks I see that now. both the VPN servers are Asus AX-11000 routers, so I guess I'll have to install a pfsense box at one of those locations because I don't see any way to change the CN.

I confirm your solution is so simple and working very well. I just renew the server certificate, client reconnecte to the server instance and continue to work like before. Thanks again!

Ditto. I couldn't replicate it on 2.6.0 / 22.01. Looks like it was fixed by https://redmine.pfsense.org/issues/12172

@viragomann I believe the problem is related to OpenVPN. Today the link SSH worked, but I lost it while I was working. From the log I see Nov 28 08:41:19 openvpn 46588 MyLoginName/MyRemoteIP:46059 [MyLoginName] Inactivity timeout (--ping-restart), restarting But I was working both on the pfSense dashboard and on a web panel of the server in DMZ. . Then I see many rows of this type, every 5-10 seconds. Nov 28 08:44:02 openvpn 46588 MyLoginNam/MyRemoteIP:45524 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2210 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings Finally I would not want it to be related in some way to the problem I have already reported in this post; after starting the VPN connection, after about a minute I lose the ability to access the internet although I have configured the Outbound.

Fix found, for those interested the solution (I needed) can be seen here: Link https://www.linuxserver.io/blog/2017-05-01-how-to-run-pfsense-with-pia-vpn-but-still-use-plex-remote-access The section which is new that appears to fix the issue is named How to bypass VPN for Plex Server connections to plex.tv But i'd advise following the entire guide to ensure all settings are correct if you have problems still. Hope this helps!

@viragomann said in Ip "free outbound" from NordVPN: Dude, you have to add the rule to the internal interface!!! Thank you very much, it had escaped me, now everything works perfectly. You were too kind! Thanks again

@acloete Would be worth to mention. So configure PAT in your p 2 and use an IP which is routed to your site.

@the-rob Try to get it work with IP first to avoid resolving issues. If you cannot access the SMB ensure the host does not block it by its own firewall, which is the default behavior. To troubleshoot you can use the packet capture utility from the Diagnostic menu on pfSense. Take a capture on the interface facing to the SMB server and check if requests are going out and if responds are coming back properly.