• Open VPN Error

    4
    0 Votes
    4 Posts
    688 Views
    johnpozJ
    Entered what data? So you're using a TLS authentication mode - so the user also needs ta.key, etc. So your client would need 3: the CA, the User and the ta.key…  You imported those all into your NAS?
  • Split Routing

    2
    0 Votes
    2 Posts
    553 Views
    H
    https://doc.pfsense.org/index.php/Multi-WAN
  • OpenVPN bridged with LAN VLAN issues

    2
    0 Votes
    2 Posts
    689 Views
    brunovicB
    So after doing some research I have realized that I do not need to assign a bridge to an interface with an IP. I can simply just bridge VPN and LAN with the LAN interface having the IP address. Once I've made those changes everything on the LAN works perfectly fine however I can no longer ping the LAN IP from the OpenVPN client.
  • OpenVPN Connected / LAN Gateway Reachable / LAN Clients not so much

    3
    0 Votes
    3 Posts
    511 Views
    C
    Awesome. I could ping the server from the internal LAN, so I didn't think much about the Windows firewall. After turning that Windows firewall off to test, I could access the server over the VPN just fine. I turned the firewall back on and added a rule allowing incoming traffic from my OpenVPN IP range. We're all good now. Thanks for the help!
  • Unable to connect to OpenVPN from within the LAN

    3
    0 Votes
    3 Posts
    518 Views
    DerelictD
    It's a VPN. Connect from the outside. When you connect from the inside from an address that is in the subnet that is supposed to be routed over the VPN it is not going to work.
  • Netgate SG-1000 to use as OpenVPN client for small side with 20 devices

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Openvpn + freeradius - unable to log in into VPN

    9
    0 Votes
    9 Posts
    3k Views
    jimpJ
    @Censor: @mislav: I'll try to completely remove all users, certs, freeradius and then try to install it from scratch. I will update you with VPN results. Thanks for now. Hi, to remove the freeradius package and any other dependent packages which are no longer needed you have to use this command "sudo apt-get remove --auto-remove freeradius" pfSense is not based on Linux and does not use apt. It uses FreeBSD and pkg.
  • Speed issues using PIA and OpenVPN

    7
    0 Votes
    7 Posts
    1k Views
    B
    @cobrahead: @bcruze: Have you tried enabling aes-ni? I have not. You? Yes, mine is enabled and being utilized.
  • OpenVPN killswitch

    20
    0 Votes
    20 Posts
    3k Views
    DerelictD
    I would: Set the VPN hosts I want to route only over the VPN to use free, outside name servers (google, quad-9, level3, etc) using DHCP or Static or whatever. Policy route the DNS queries out the VPN with all the other internet traffic. And you're done. Everything you just described is fine until the VPN is down and all of your DNS breaks for everything.
  • How do I allow a website that is blocking my VPN

    15
    0 Votes
    15 Posts
    2k Views
    C
    @johnpoz: what is the bank fqdn… Did you validate that it resolves and is in the table for your alias? Why would you need to hide the fqdn of some bank... That is like not wanting to post this website I search for stuff on is www.google.com -- but keep that on the DL ;) For example I bank with chase, they are www.chase.com, but that is also a cname...  See ;; QUESTION SECTION: ;www.chase.com.                IN      A ;; ANSWER SECTION: www.chase.com.          3571    IN      CNAME  wwwbcchase.gslb.bankone.com. wwwbcchase.gslb.bankone.com. 3571 IN    A      159.53.84.126 and then might get redirected to some other fqdn in your browser, etc.. So you need to validate that your alias is populating with the IP you're actually going to, etc. I should have asked if it was ok to name the bank in question, which is Bank of America. I was not able to validate that it resolves, in the table I put bankofamerica.com  and secure.bankofamerica.com  for the fqdn. The bookmark I have in my browser is my login page  - secure.bankofamerica.com/myaccount/etc  -    I got that bookmark by going to www.bankofamerica.com and using the link to login. When I ping bankofamerica.com it returns IP 171.161.203.100 … should I be using that instead of a fqdn in the alias table? Thanks!
  • OpenVPN - Multi Site Communication

    4
    0 Votes
    4 Posts
    912 Views
    G
    Thanks for the answers. I'll explain the real situation: I'll have more than 100 clients (routers with a local network), so my OpenVPN will give an IP to the router. Let's take: -> Router A: VPN IP 10.2.2.2 | Local network: 24.1.1.0/24 -> Router B: VPN IP: 10.2.2.3 | Local network: 24.1.2.0/24 -> Router C: VPN IP: 10.2.2.4 | Local network: 24.1.3.0/24 …. .... .... So I want to block communication between all routers (easy, I just disable the option "Allow communication between client"). But I'll create a user on my OpenVPN (for example, for my Windows computer) -> Client A: VPN IP: 10.2.2.40 And for this client, I need to allow communication to all routers. So what can I do? Disable "Allow communication between client", and create specific rules for the user I want to allow communication? Make a second server for my users and configure it to communicate with all the clients of the first server? (BUT HOW?) Thanks for your help
  • Openvpn tap 2.4.2_RELEASE-p1 does it work?

    18
    0 Votes
    18 Posts
    3k Views
    X
    Thank you could achieve your TAP bridge simon.lock. Can you give us how your final config looks like..? I was trying the custom `push "redirect-gateway def1";` Cheers.
  • VPN through 2 ports only

    1
    0 Votes
    1 Posts
    370 Views
    No one has replied
  • [Solved] Configure PIA Aliased IPs

    4
    0 Votes
    4 Posts
    696 Views
    R
    Thanks for the quick replies! bcruze: I did try that guide, I reckon it's the same as the first link I posted. I'm a bit confused by it, as Step 18 has: Set Interface to "OpenVPN" But it doesn't show where to set up this interface, or where it came from? I think it's missed a step somewhere (or I'm misunderstanding). V3lcr0: If I remove those two rules, I just get data from LAN going over my normal gateway, i.e. WAN. Sorry, might have misunderstood your instructions. Alias for source (Firewall -> Alias -> IP): Name: PIA_VPN_IPs Type: Host(s) IP or FQDN: 192.168.1.48 Any other hints? Edit: Sorry everyone, the answer was hidden in plain sight! A new interface OpenVPN is added automagically when you configure it. I added all the NAT outbound rules as specified in the guides with OpenVPN as the interface this time and it worked straight away!
  • My Gigabit OpenVPN Experience

    4
    0 Votes
    4 Posts
    943 Views
    R
    reserved
  • Connection error: TLS handshake failed

    1
    0 Votes
    1 Posts
    650 Views
    No one has replied
  • OpenVPN - DNS Issue

    3
    0 Votes
    3 Posts
    544 Views
    Z
    Correction: I'm running 2.4.2 Release FreeBSD 11.1 Release -p6.
  • OpenVPN client port-forwarding route-nopull issue

    2
    0 Votes
    2 Posts
    1k Views
    N
    I did a little bit of digging and found the following. Port Forwarding from VPN Provider to Torrent Client: https://forum.pfsense.org/index.php?topic=65094.0 Which also refers to this thread: https://forum.pfsense.org/index.php?topic=65230.0 So the floating rule did the trick and now port-forwarding works! :) Is this a bug? Was it reported back in 2013? Has it been fixed and then regressed?
  • Port Forwarding from VPN Provider to Torrent Client

    9
    0 Votes
    9 Posts
    11k Views
    N
    @Nadar: We're discussing the exact same issue in this thread: http://forum.pfsense.org/index.php?topic=65230.new;topicseen#new From what I can understand, the reason is that the reply-to address for some reason isn't used for the return packets for the associated firewall rule for the port forwarding NAT rule. I've managed to get it to work by: On the NAT port forwarding rule, select "none" under "Filter rule association". Create the rule manually instead, under floating rules. The rule is basically a "copy" of the one automatically created by NAT: Pass, Quick, in, IPv4, <protocol>, source: any, Destination: port forwarding destination host, Destination port range: forwarded port Make sure it's high up/on top in the floating rules, and make sure it's a quick rule. When I look in rules.debug, the effect of this is simply that the rule (it's the firewall rule that contains the reply-to address) ends up much higher in the resulting ruleset, and that seems to make all the difference. I haven't quite figured out why yet. Thanks! You saved me from a lot of troubleshooting. Is this a bug which has still not been fixed?
  • Pfsense OpenVPN Radius connect clients to different subnets

    1
    0 Votes
    1 Posts
    404 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.