Netgate Discussion Forum

Issues with Subnet behind UDM Pro

Category: OpenVPN
57 Posts, 5 Posters, 14.2k Views
A Former User @Misinthe, Feb 11, 2022, 5:15 AM

@misinthe said in Issues with Subnet behind UDM Pro:

Hello everyone, I am having a little issue with OpenVPN and I was hoping to get some help.

How my network is set up is: from the WAN, it goes into my pfSense firewall, then that splits into my DMZ and the other goes into a UDM Pro, which creates my main LAN for everything in my house.

On the firewall, my networks are:
LAN - 10.20.0.0/24
DMZ - 10.30.0.0/24
OpenVPN - 10.50.0.0/24

On the UDM Pro, my networks are:
WAN (from pfSense) - 10.20.0.0/24
LAN - 10.10.0.0/24
IoT - 10.10.10.0/24
Guest - 10.10.40.0/24

My issue is, when I use the OpenVPN, I can connect fine on the 10.50.0.0/24 and I can reach the 10.20.0.0/24 network, but I can't get past that into my 10.10.0.0/24 network to access my internal servers.
I have tried adding rules into both the VPN and the UDMP firewalls but nothing seems to help.

Any ideas would be appreciated!

At the top it said your VPN network is 10.50.0.0/24, but in your OpenVPN config it has 10.20.50.0/24. I think we should start by clarifying the networks and what each one is for; then it can help you clean up and get your settings right.
Misinthe @Guest, Feb 11, 2022, 5:19 PM

@silence

My apologies, that was my bad; here is the list of my networks.

On the pfSense:
LAN is basically just providing for the UDM Pro.
OPT1 is my DMZ.
OpenVPN is my VPN.
[image]
[image]

On the UDM Pro:

Default is my main LAN
Guest is Guest
IoT is for my IoT devices
NoT is for things I don't want to go on the internet but I need access to on the network.

[image]

My UDM Pro has a WAN address of 10.20.0.5 provided by pfSense.
A Former User @Misinthe, Feb 12, 2022, 2:38 AM (edited 2:46 AM)

@misinthe, perfect.
Now explain what you want to accomplish, and I will help you as soon as possible.

@misinthe said in Issues with Subnet behind UDM Pro:

How my network is set up is: from the WAN, it goes into my pfSense firewall, then that splits into my DMZ and the other goes into a UDM Pro, which creates my main LAN for everything in my house.

Question: does your WAN in pfSense by any chance have an RFC IP?

@misinthe said in Issues with Subnet behind UDM Pro:

OpenVPN is my VPN.

Why don't I see an OpenVPN interface?

[image]
Misinthe @Guest, Feb 12, 2022, 3:25 AM (edited 3:26 AM)

@silence said in Issues with Subnet behind UDM Pro:

@misinthe, perfect.
Now explain what you want to accomplish, and I will help you as soon as possible.

I just want to be able to VPN into the network inside the UDM Pro. With OpenVPN, I am able to get into the 10.20.50.0 network, which is in the pfSense, but I cannot reach my 10.10.0.0 network from it.

Question: does your WAN in pfSense by any chance have an RFC IP?

I am not sure about this one; how can I verify this?

Why don't I see an OpenVPN interface?

[image]

I don't know, I used the Wizard to create the OpenVPN server. This is how it looks. Maybe because it uses the WAN interface?
[image]
viragomann @Misinthe, Feb 12, 2022, 8:13 AM

@misinthe
There is no special VPN interface needed for your purposes.

What about the filter rules on the UDM? Don't you know how to configure them?
You obviously cannot get from the UDM WAN to its LAN. So you may have to allow it.

For testing again, you can connect a PC to the UDM's WAN 10.20.0.0/24. Configure its network interface IP manually and set the UDM's WAN IP as gateway. Then check if you can access a device in the UDM's LAN.
From all you wrote here, I assume you will not be able to. So the UDM blocks the access and there is nothing you can do on pfSense to resolve this.
Misinthe @viragomann, Feb 12, 2022, 3:06 PM

@viragomann said in Issues with Subnet behind UDM Pro:

@misinthe
There is no special VPN interface needed for your purposes.

What about the filter rules on the UDM? Don't you know how to configure them?
You obviously cannot get from the UDM WAN to its LAN. So you may have to allow it.

For testing again, you can connect a PC to the UDM's WAN 10.20.0.0/24. Configure its network interface IP manually and set the UDM's WAN IP as gateway. Then check if you can access a device in the UDM's LAN.
From all you wrote here, I assume you will not be able to. So the UDM blocks the access and there is nothing you can do on pfSense to resolve this.

That's what I was thinking. The UDMP has to be blocking something, but I've added a rule on Internet In, Internet Local, LAN In and LAN Local to allow traffic coming from 10.20.50.0 and it still won't work.
viragomann @Misinthe, Feb 12, 2022, 3:32 PM

@misinthe said in Issues with Subnet behind UDM Pro:

but I've added a rule on Internet In, Internet Local, LAN In and LAN Local to allow traffic coming from 10.20.50.0 and it still won't work

Not even from 10.20.50.0/24, like a ping from pfSense?

Consider that access from the VPN client has an IP out of its tunnel network pool as source, so it's from outside of 10.20.50.0/24 and won't be covered by this rule.

However, I'm still suspecting that the LAN PC is blocking access from outside. To check this out, allow another subnet behind the UDM to access the LAN and try to access it from a device within this subnet.
Misinthe @viragomann, Feb 12, 2022, 5:09 PM

@viragomann, I can't even ping the 10.10.0.0/24 from the pfSense LAN.
[image]

Everything within the UDM works fine. I have 4 different subnets and they work; I also had an L2TP VPN set on it before I added the pfSense to my setup and it worked fine.
viragomann @Misinthe, Feb 12, 2022, 5:12 PM

@misinthe said in Issues with Subnet behind UDM Pro:

Everything within the UDM works fine, I have 4 different subnets and they work,

You want to say all subnets have internet access, I guess.
But can you access the main LAN from any other subnet across the UDM?
Misinthe @viragomann, Feb 12, 2022, 5:37 PM

@viragomann Well, I have rules to block my IoT and NoT from my main LAN, to be a bit safer.

[image]

I've also added this to static routes.
[image]

And this rule:
[image]

And this:
[image]

I'm not sure what else I can try.
viragomann @Misinthe, Feb 12, 2022, 5:56 PM

@misinthe
You must not state a source port in the rule!
The port has to be "any". It can be anything from 1024 to 65535.

BTW: a route for the pfLAN might be useless, since the network is attached to the UDM directly.
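The two points made above (a VPN client's packets arrive with a source address from the tunnel pool, not from the pfSense-side subnet, and a rule that pins a source port will never match a client's ephemeral port) are easy to see by walking a packet through a first-match rule chain. The following is an added example, not code from this thread and not Ubiquiti's or Netgate's rule engine: it models an allow/deny chain with an implicit deny, feeds it constructed packets, and reports which rule field each packet fails. The thread is inconsistent about whether the tunnel is 10.50.0.0/24 or 10.20.50.0/24; the example follows the first post (pfSense LAN 10.20.0.0/24, OpenVPN 10.50.0.0/24, UDM LAN 10.10.0.0/24). The rule names, the pfSense LAN address 10.20.0.1, the hosts and the ports are all assumptions made up for the illustration.

```python
"""Rule-matching walk-through for the UDM Pro firewall discussion above.

Added example, not code from the forum thread and not Ubiquiti's or
Netgate's rule engine. Models a first-match chain with an implicit deny.
Subnets follow the first post; rule names, hosts and ports are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PFSENSE_LAN = "10.20.0.0/24"   # the UDM Pro's WAN sits in this subnet
VPN_TUNNEL = "10.50.0.0/24"    # OpenVPN tunnel pool as listed in the first post
UDM_LAN = "10.10.0.0/24"       # network the VPN client wants to reach
PFSENSE_LAN_IP = "10.20.0.1"   # assumption: pfSense's address on its LAN


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # CIDR of permitted source addresses
    dst: str                         # CIDR of permitted destinations
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    src_port: Optional[int] = None   # None means any; a fixed value is the mistake from the thread
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int = 0                # 0 for protocols without ports (icmp)
    dst_port: int = 0


def mismatch(rule: Rule, pkt: Packet) -> Optional[str]:
    """Return the first rule field the packet fails, or None if it matches."""
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return "src"
    if ip_address(pkt.dst_ip) not in ip_network(rule.dst):
        return "dst"
    if rule.proto != "any" and rule.proto != pkt.proto:
        return "proto"
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return "src_port"
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return "dst_port"
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if mismatch(rule, pkt) is None:
            return rule.action, rule.name
    return "deny", "implicit-deny"


def masquerade(pkt: Packet, gateway_ip: str) -> Packet:
    """Model outbound NAT on pfSense's LAN side: the UDM then sees pfSense's LAN IP as source."""
    return Packet(gateway_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)


# The rule as the thread describes it: only the pfSense-side subnet is allowed
# in, and a source port was filled in. Both fields are wrong for VPN traffic.
RULES_AS_POSTED = [
    Rule("allow-pf-lan-to-udm-lan", "allow", PFSENSE_LAN, UDM_LAN, "tcp", src_port=443, dst_port=443),
]

# Corrected chain: no source port, and the tunnel pool is a permitted source.
RULES_FIXED = [
    Rule("allow-pf-lan-to-udm-lan", "allow", PFSENSE_LAN, UDM_LAN),
    Rule("allow-vpn-pool-to-udm-lan", "allow", VPN_TUNNEL, UDM_LAN),
]

# Constructed packets: a VPN client opening HTTPS to a server in the UDM LAN
# (tunnel-pool source address, ephemeral source port), and a host on the
# pfSense LAN doing the same.
VPN_CLIENT_PKT = Packet("10.50.0.2", "10.10.0.10", "tcp", src_port=51515, dst_port=443)
PF_LAN_HOST_PKT = Packet("10.20.0.7", "10.10.0.10", "tcp", src_port=51516, dst_port=443)


def walkthrough() -> dict:
    """Evaluate each packet against both chains and explain why the posted rule fails."""
    return {
        "vpn_as_posted": evaluate(RULES_AS_POSTED, VPN_CLIENT_PKT),
        "vpn_as_posted_reason": mismatch(RULES_AS_POSTED[0], VPN_CLIENT_PKT),
        "pf_lan_as_posted": evaluate(RULES_AS_POSTED, PF_LAN_HOST_PKT),
        "pf_lan_as_posted_reason": mismatch(RULES_AS_POSTED[0], PF_LAN_HOST_PKT),
        "vpn_fixed": evaluate(RULES_FIXED, VPN_CLIENT_PKT),
        "pf_lan_fixed": evaluate(RULES_FIXED, PF_LAN_HOST_PKT),
        # Alternative that leaves the UDM rule set alone: NAT tunnel traffic to
        # pfSense's LAN address so it arrives from the already-permitted subnet.
        "vpn_natted": evaluate([RULES_FIXED[0]], masquerade(VPN_CLIENT_PKT, PFSENSE_LAN_IP)),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:24} {value}")
```

Running the block shows the VPN packet failing the posted rule on `src` and the pfSense-LAN packet failing it on `src_port`; with the source port cleared and the tunnel pool added as a source, both are allowed. The `masquerade` variant shows the trade-off of NATing on the pfSense LAN side instead: the UDM no longer sees individual VPN client addresses, so per-client rules and logs on the UDM lose that information.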
Misinthe @viragomann, Feb 12, 2022, 6:02 PM

@viragomann Okay, I changed the rule to this, and removed the pfLAN route. (I just added it to see if it would work.)

[image]
[image]

It still won't allow traffic through though.
[image]
viragomann @Misinthe, Feb 12, 2022, 6:16 PM

@misinthe
Okay. Now you should do some investigation by testing access from another network on the UDM, as I suggested already. You can add a temporary rule to allow access from a specific device or, better, allow any and remove other devices temporarily.

Alternatively you can sniff the traffic on the UDM main LAN and WAN interface while you ping the LAN from a VPN IP to see where it gets stuck.
As the UDM Pro is a router it should offer you this option, but I don't know.
Otherwise you won't get any further here, I'm afraid.
A Former User @Misinthe, Feb 12, 2022, 8:32 PM

@misinthe said in Issues with Subnet behind UDM Pro:

I am not sure about this one; how can I verify this?

If your 2 routers are connected in the same LAN, then your problem is that it does not allow access between the pfSense WAN and the UDM Pro.

That is why I asked you what the WAN IP of your pfSense and your UDM Pro is; it can be seen in this post that your pfSense and UDM use RFC IPs on WAN.

IF I'M RIGHT, THEN UNTIL NOW EVERYTHING @viragomann SUGGESTS IS WRONG.
Misinthe @Guest, Feb 12, 2022, 9:36 PM

@silence @viragomann
This might help you understand my network.
[image]
viragomann @Misinthe, Feb 12, 2022, 11:04 PM

@misinthe
Yes, that's what I got from your description.
A Former User @Misinthe, Feb 12, 2022, 11:08 PM

@misinthe, it's just as I thought.
Misinthe @viragomann, Feb 12, 2022, 11:08 PM (edited 11:09 PM)

@viragomann @Silence Man, doing all this testing messed my pfSense up; now it won't boot up, so I just deleted the VM. I don't know if I'll rebuild it or if I'll just remove it from the equation and just add a piHole VM to the network.
A Former User @Misinthe, Feb 12, 2022, 11:14 PM

@misinthe There are many ways to solve your problem here.

Now my suggestion is the following:

In my case I create the VLANs in pfSense and only use the UDM Pro as a switch.

In this way, when connecting via OpenVPN to your pfSense, everything will be OK.

If you decide to continue doing routing in pfSense and routing in the UDM Pro, then the suggestion is to start by cleaning up the OpenVPN configuration, which is wrong, and the static routes in pfSense.

Then a rule in WAN for your UDM Pro, and with that everything should work without problems.
A Former User @Misinthe, Feb 12, 2022, 11:15 PM

@misinthe said in Issues with Subnet behind UDM Pro:

Man, doing all this testing messed my pfSense up; now it won't boot up, so I just deleted the VM. I don't know if I'll rebuild it or if I'll just remove it from the equation and just add a piHole VM to the network.

wtf, so if he deletes his pfSense, how does he have access to the internet?

What is the IP of your computer?
44 of 57 posts shown.
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.