Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN with non-default gateway

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 1 Posters 798 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      jgwinner
      last edited by

      I'm trying to setup a PFSense router as a 'new' gateway for an office.

      They have some external vendors that use a CiscoASA currently to connect.

      I was setting up the PFSense as an 'alternative' router with a 50/50 DHCP setup.

      (A side note - I figured DHCP would start assigning new  clients, but the Cisco seems to be faster :) )

      When I setup a remote VPN, I obviously won't be able to connect to anything that is using the Cisco as a remote gateway,  as the packets would go from the new firewall, to the device, then to the default gateway (Cisco) and get lost.

      Edit: If I setup NAT, on the new firewall for VPN clients, it would work, right?

      One bug:

      Whoops, looks like even when DHCP assigns the PFSense  firewall as the default gateway, I still can't access any of the internal systems. For example, I have a printer that I can't access when I'm on the VPN, although I can 'ping' it. I thought the OpenVPN wizard would add  a firewall rule. (It has under 'OpenVPN' on the firewall tab). Do I need to add access rules permitting the internal subnet access to the OpenVPN subnet?

      == John ==

      1 Reply Last reply Reply Quote 0
      • J Offline
        jgwinner
        last edited by

        This is a simple User access VPN, not a site to site

        Internal IP's are 192.168.10.X
        PFSense is 192.168.10.254
        Cisco is 192.168.10.1

        PFSense gives out 172.30.30.X addresses to VPN

        I can access 192.168.10.254 via VPN when connected.

        My IP address is 172.30.30.2 when connected.

        Now that the office is 'waking up' I do get some DHCP addresses; the two internal printers are both PING able, but I cannot print to them. Says it's offline.

        Although the Redirect Gateway option is specified, "Force all client generated traffic through the tunnel" when I connect I don't see it:

        Connection-specific DNS Suffix  . : corp.com
        Link-local IPv6 Address . . . . . : stuff
        IPv4 Address. . . . . . . . . . . : 172.30.30.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

        I can trace a route to a printer, for example, but not connect:

        Tracing route to HPOJ8600.corp.com [192.168.10.100]
        over a maximum of 30 hops:

        1    22 ms    19 ms    24 ms  172.30.30.1
          2    28 ms    *      21 ms  HPOJ8600.corp.com [192.168.10.100]

        Which makes me think I'm missing some allow rules, but the wizard added the following rule:

        3/10 KiB IPv4 *  *  *  *  *  *  none    OpenVPN Remote user access wizard

        Do I need to add allow rules from 172.30.30.x to 192.168.10.x and vice versa?

        == John ==

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.