yes, they have a guide there online but they also told to me that is tested on 2.3.3 version

Hey.

I don't understand the problem, why he won't go out with the ping over the vpn tunnel.

My settings for OvpnServer:

0_1540368233072_2018-10-24_095723.png
0_1540368267816_2018-10-24_095758.png
0_1540368275740_2018-10-24_095816.png

My Firewallrules:
0_1540368290883_2018-10-24_095837.png

My Interfaces:
0_1540368311257_2018-10-24_095911.png

My Interface setting OPT6:
0_1540368337438_2018-10-24_095928.png

My Gateway OPT6:
0_1540368373009_2018-10-24_095959.png

My static route:
0_1540368405969_2018-10-24_100028.png

I take a traceroute to destination 192.168.3.32 over my local LAN Interface:
0_1540368589274_2018-10-24_100905.png

I've only see this:

1 10.2.28.1 0.240 ms 3.165 ms 0.200 ms 2 10.2.28.1 3.687 ms 3.664 ms 0.228 ms 3 10.2.28.1 3.593 ms 3.703 ms 0.244 ms 4 10.2.28.1 3.639 ms 3.698 ms 0.241 ms 5 10.2.28.1 3.650 ms 3.765 ms 0.254 ms 6 10.2.28.1 0.260 ms 0.238 ms 3.648 ms 7 10.2.28.1 3.676 ms 0.257 ms 3.640 ms 8 10.2.28.1 3.711 ms 0.270 ms 0.270 ms 9 10.2.28.1 0.286 ms 0.277 ms 0.286 ms 10 10.2.28.1 0.288 ms 0.248 ms 3.631 ms 11 10.2.28.1 3.826 ms 0.283 ms 3.729 ms 12 10.2.28.1 3.736 ms 0.289 ms 3.544 ms 13 10.2.28.1 3.830 ms 0.314 ms 0.297 ms 14 10.2.28.1 0.309 ms 0.365 ms 0.311 ms 15 10.2.28.1 0.318 ms 0.315 ms 0.316 ms 16 10.2.28.1 0.328 ms 0.323 ms 0.321 ms 17 10.2.28.1 0.319 ms 0.325 ms 0.339 ms 18 10.2.28.1 0.326 ms 0.331 ms 0.333 ms

But, i can ping the virtual ip 10.2.28.1 (pfsense) to my zeroshell (foo 10.2.28.2) looks like good:

PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes 64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms 64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms 64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms --- 10.2.28.2 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms

Does anyone have any idea what I missed?

BR

Huh?? What? Your wan will be connnected to isp router... Your lan will be connected to your lan side switches.. pfsense is now the new gateway for all your lan devices.

Yeah your tunnel network can not overlap with your lan networks on either site.

Yes TLS is configured. I disabled it and created a new profile, and the issue replicates. But here is something I am still having trouble figuring it out.

There is only one local account in the pFsense. In my team, I am the only one able to authenticate and ping/or connect to internal resources. Everyone else can only authenticate, but can't ping anything or access any internal resources. We all are using LDAP authentication.

Sorry for the delayed response, I've been away.

We have a LAN behind a Netgate SG-1000. We access this LAN remotely via OpenVPN which has been set up using the OpenVPN wizard. I believe this is a pretty simple, straight forward implementation.

The OpenVPN interface has no restrictions placed on it, there are no firewall rules other than the default open to all.
The LAN interface has the following firewall rules:
IPv4 Default allow LAN to any rule
IPv6 Default allow LAN to any rule
allow Ping

I am required by PCI to restrict the LAN access to only select IP addresses. As soon as I disable IPv4 allow LAN to any, I am unable to ssh into the LAN via OpenVPN. I can ping the LAN IP, and if I am already connected I do not lose my connection.

Any guidance is appreciated.

In this case, there will never be any dynamic clients. All of the clients will be cloud servers/sites that require a static IP. I just wanted to cover all bases in case there is a situation in the future that would require dynamic clients on this particular OpenVPN server instance.

Oh, thank you. Sorry I put my request in here.
BR

By poking around in the ISP modem/router's settings, I found one that allowed me to do Mac address passthrough - I copy-pasted my pfSense WAN interface's Mac, and Poof, all was well!

I suppose I could have done a port forward for the specific port only, but given that my traffic only goes direct to the pfSense box (which acts as my firewall), I think this is acceptable - thoughts?

When you create your client override you can call out different tunnel network.

@pfnguser114

are you using their DNS servers? if so where are they plugged in at ?

are you using the dns resolver?

what browser is leaking?

Your subnets should not overlap.

-Rico

@netblues this is my mistake in the content of the post, port 40 000 or 9 they are default, I tested both.

Not enough information. A comprehensive diagram of what you are trying to do will probably be worth a thousand words.

Hi,

Actually I got it figured out, it was compression problem!
Maybe here was too many things wrong and change of things, for one I used now different VPN service as earlier. For second there might have been something wrong in the rules as I when my public ip was in use on the host which should have not been.
Dunno, but now it is working as intended.

Connection is off when tunnel is down. Correct compression setting in the vpn config started the packet flow.

So ***Solved

I seem to have fixed my slow speeds with the following:

I am now getting 40mbps download and 30 upload over vpn.

System/Advanced/Networking
-- Network Interfaces --
Hardware Checksum Offloading: (checked)

Open VPN Server config
-- Advanced Configuration --
Custom options:

fragment 0 mssfix 0

That wasn't very helpful.