pfSense is in transparent bridge mode. I think the reason why this works today (through windows-server) is that I have a management computer inside the network more or less directly connected to the RV325 on eth2 of the server. On this management-computer, one port has the RV325 as gw. When I use VPN client in Windows against this computer, it fill find the path all ways. That explains why it works? So I would need to do something similar with pfSense basically.

so, you are actually wanting to use tap mode? Why do you need that if I may ask?  It is fairly uncommon and a bit trickier to make work, will not work for mobile devices and has several other caveats etc. Much better to stick with tun unless you really need broadcast traffic to traverse the tunnel for some reason…

@viragomann: Check the outbound NAT. Firewall > NAT > Outbound. There has to be a mapping for the WAN interface and the VPN tunnel as source. If you change the tunnel, you have also to change that NAT rule. THANKS, THAT DID IT!  I changed the: "Source network for the outbound NAT mapping." address to match my OpenVPN in Firewall > NAT > Outbound and it still was not working so I rebooted pfSense and it worked!  I guess I was under the assumption that pfSense updated everything kind of like when you disable a NAT Port Forward and it will disable the Firewall rule as well.  Now, in the Outbound NAT it says: "Auto created rule" next to the OpenVPN rule I just changed but at the top I have marked: "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)" which I believe I marked sometime after setting up my OpenVPN, is that why the rule did not update?

I have no idea what VPN you have. The one on OPT1.

Welcome Steve & congats on your first post. What DNS servers are you pushing to clients (on your server config)? There are 4 fields (at least on mine) that you can specify.  I haven't tried it as I don't have a need for this but, I expect that if you filled out the 2nd field, the DNS server will be pushed to your client.  It's still up to the client device (Mac, PC, whatever) how it uses that info. Some may react differently than others. I know Macs are particularly beastly when it comes to DNS as they have abstracted away many of the standard mechanisms in favor of proprietary mDNSResponder-type sorcery. Maybe if you describe your issue in more detail we can help.

Thank for the reply. In short, it won't work for me  ;D

OK thank you.

I went ahead and created a PR#3844 for this alternate method Again, "works for me" but would apprecaite comments If you want to give it a try, use System Patches and add commit 4f62b7c0bd7e7a1845cded171fbd918c04e73738

If you have only one client who connects to the server, he gets the same IP on each connection anyway and you can also control access by the whole tunnel subnet. If you have multiple clients take a look at Client Specific Overrides. https://doc.pfsense.org/index.php/OpenVPN_Settings https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server#OpenVPN_Client_specific_overrides

It seems to work no so I guess it not a problem anymore.

Should have been more patient/persistent, and kept working on it before I posted here. Eventually sorted this out myself. For anyone referencing this article later, here's what the issue was: I messed around with DNS settings just after getting the VPN online, because I want all internal DNS resolution to go to the server-side PFsense box (it's acting as DNS resolver). I had put an entry in the general setup, specifying my server-side pfsense box as a DNS server, with my client-side ISP IP as the gateway. This was causing a static route to be entered into the table, and was the root of the issues. I still have some things to figure out with DNS, but the original issue I was posting about is now resolved.

So all 3 of your servers are on some public /? they are behind a firewall, so  not accessible on internet. dhcp provide on my lan (file server, vpn …)  routable ip adress 194.48.50 .../24, (that different of traditionnal "private use" 192.168... adress) PS: i can change my mind and put an another NIC , but it will be in same subnet.

@Cyber-Wizard: but it creeps me out that this impacts the OpenVPN service so dramatically. Not a solution but with regards to OpenVPN "locking up", it is known it happens during the authentication. Normally this goes unnoticed. There is a way around it, maybe it can be applied/integrated to pfSense… http://engineering.freeagent.com/2017/05/22/external-authentication-scripts-in-openvpn-the-right-way/

"it pushes CN and IP to a bind/named and works like a charm" Yeah bind can do that ;)  There is not such functionality in unbound that I am aware of.

Hello, thanks for your reply.  I basically wanted to add another wireless router just as a bridge connection so that if my son and his friends connect to that wireless bridge they won't get the lag they are experiencing going thru the VPN. I know I can achieve this with aliases specifying which hosts use what, but I just wanted to see if i could set it up so I can tell the kids if they want to do gaming connect to this gaming AP. I can't seem to find out how I can add a NIC card and anything connected to the 3rd NIC will go straight out using WAN.

When I experienced that problem I moved my network to 172.16.0.0, as I'd never seen any commercial gear in that range, but I had in 192.168. & 10..

I don't see that happening. While technically it may be possible, that would increase the complexity quite a lot for very little benefit to most users.

What worked: It was the DNS suffix: On a computer on a domain, I needed to ipconfig /all, and under "Connection-specific DNS Suffix" it showed local.domainname.com Thats what needs to be under "DNS Default Domain" under VPN -> OpenVPN -> Servers -> edit