Huh?? What? Your WAN will be connected to the ISP router... Your LAN will be connected to your LAN side switches.. pfSense is now the new gateway for all your LAN devices.
Yeah, your tunnel network cannot overlap with your LAN networks on either site.
Yes, TLS is configured. I disabled it and created a new profile, and the issue replicates. But here is something I am still having trouble figuring out.
There is only one local account in the pfSense. In my team, I am the only one able to authenticate and ping or connect to internal resources. Everyone else can only authenticate, but can't ping anything or access any internal resources. We are all using LDAP authentication.
We have a LAN behind a Netgate SG-1000. We access this LAN remotely via OpenVPN, which has been set up using the OpenVPN wizard. I believe this is a pretty simple, straightforward implementation.
The OpenVPN interface has no restrictions placed on it; there are no firewall rules other than the default allow-all rule.
The LAN interface has the following firewall rules:
IPv4 Default allow LAN to any rule
IPv6 Default allow LAN to any rule
allow Ping
I am required by PCI to restrict LAN access to only select IP addresses. As soon as I disable "IPv4 Default allow LAN to any", I am unable to SSH into the LAN via OpenVPN. I can ping the LAN IP, and if I am already connected I do not lose my connection.
In this case, there will never be any dynamic clients. All of the clients will be cloud servers/sites that require a static IP. I just wanted to cover all bases in case there is a situation in the future that would require dynamic clients on this particular OpenVPN server instance.
By poking around in the ISP modem/router's settings, I found one that allowed me to do MAC address passthrough. I copy-pasted my pfSense WAN interface's MAC, and poof, all was well!
I suppose I could have done a port forward for the specific port only, but given that my traffic only goes directly to the pfSense box (which acts as my firewall), I think this is acceptable. Thoughts?
Actually, I got it figured out; it was a compression problem!
Maybe there were too many things wrong and too many changes. For one, I now use a different VPN service than earlier. Second, there might have been something wrong in the rules, as my public IP was in use on the host when it should not have been.
Dunno, but now it is working as intended.
Connection is off when tunnel is down.
The correct compression setting in the VPN config started the packet flow.
Except as I've said a few times now, you can't do that anymore. There is code in place to prevent that from happening. We've done all we can to protect against that in the future.
OK, perfect, but I will check this point on the next upgrade because I actually had the problem upgrading from 2.4.3-p1...
Add the remote network (client) in the RW settings:
IPv4 Local networks: local-network,remote network
Later, I added two rules to the RWOVPN rules: one rule that allows the RW network to access the server LAN, and a second rule that allows the RW network to access the remote network using the LB-GW from the site-to-site setup as the gateway.
In the client network, I didn't have to add anything; this change was only on the server side.
Well, I have connectivity between the two buildings. I found a 2-page instruction on the web that really helped. Also, what made me think I wasn't seeing the buildings was the fact that I couldn't ping either pfSense box. BUT, when I tried to ping devices such as my time clock in the remote building, I found out that I could. I can also go to the remote site and ping my servers in my building...
I'll shut the remote site down until it's needed, in the event my Netgear boxes puke on me.