Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN clients no longer accessible from LAN after upgrade to pfSense 2.7

    Scheduled Pinned Locked Moved OpenVPN
    49 Posts 8 Posters 12.1k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I Offline
      itinfo @reberhar
      last edited by

      @reberhar

      To answer your questions.

      I was running 2.7.0 with the same issue.

      pfBlockerNG came with the upgrade - so yes running it.

      Here are my static routes:

      301f50ad-b42e-4553-883c-1ef6d0b46422-image.png

      Here are my Firewall rules:
      WAN:
      db5e7586-1398-4aaf-8248-b7357ee3f87d-image.png

      LAN

      8d951196-7017-44d9-a1ef-3822465d40d5-image.png

      OpenVPN
      626d1890-c1e0-40f5-b21f-292651311270-image.png

      OPenVPN Server config
      ebfcde18-8c37-426a-b8dd-ee1b992575a3-image.png

      058e1bfd-9bfd-46b3-8fa1-59ad706567cf-image.png

      b065ad76-6303-463d-9d68-e819b7d8b09c-image.png

      ee065ee5-47ba-409f-b112-d1045a2aba32-image.png
      40ac04cb-35e9-45f7-b020-ee235ea2c981-image.png
      72000254-17d1-45ac-a0ea-75f6293726ab-image.png

      <Status-OpenVPN>
      a097e57f-1864-43d8-94e7-2a999ad1d17f-image.png

      I R 2 Replies Last reply Reply Quote 0
      • I Offline
        itinfo @itinfo
        last edited by

        @itinfo
        more:

        Note 3 VLANS have the same gateway - yet above in the <status-OpenVPN) we can see for instance P2P_Maine has a target network of 10.0.4.3 for VLAN address of 10.10.60.0-/24

        Here we can see that the route to 10.10.60.0/24 has a default gateway of 10.0.4.2 (this is the endpoint of P2P_NH above)
        <Diagnostics-Routes>
        31331eaa-4c18-483c-815f-0eb3a850006b-image.png

        Here is tracert to 10.10.60.254 (Netgate router on Vlan 10.10.60.0\254)
        993bc256-2e71-4326-ab61-3354a1ad7b8f-image.png

        from 10.10.30.19

        Here is a package capture on the LAN interface for a TraceRT from 10.10.30.19 to 10.10.60.254
        bb4877e1-f2c0-4b07-8e6e-18b27f936cda-image.png

        no response

        here is an RDP request to a workstation 10.10.60.151
        909a2db8-d8bf-4a45-8a20-4edf4029afc6-image.png

        No packages on the WAN interface from or to 10.10.30.19 nor 10.10.60.151

        Seeing traffice on the WAN to the IP 10.10.60.151 tracing Port 3389

        94cac28b-9bd7-4752-b40d-543102c4b8b0-image.png

        However I don't know what the destination (gateway) that the packages are looking for

        Traffic on the VPN interface (OVPNS6) from the 10.10.60.x/24 network, but nothing to the network when trying to RDP to 10.10.60.151

        The site: 10.10.60.x/24 has a gateway on the VPN of 10.0.4.1 (the Server side of the Tunnel) thus their traffic is flowing.

        When trying to connect from the server side (10.10.30.19) to 10.10.60.151 there is no traffic on the VPN interface (OVPNS6)

        So, with all this I welcome your insight.

        R 1 Reply Last reply Reply Quote 0
        • R Offline
          reberhar @itinfo
          last edited by reberhar

          @itinfo What was the version of pfSense you upgraded from? Do you have any policy routing rules?

          I am not with Netgate so I am trying to think this through when I have a chance. I have 8 pfSense servers plus other servers behind them that I maintain.

          Look carefully at you Lan firewall rules. From what I see and what you are telling me, that is the first place to look.

          I 1 Reply Last reply Reply Quote 0
          • I Offline
            itinfo @reberhar
            last edited by

            @reberhar
            e7220a21-e68c-4479-90c8-92456696ba49-image.png

            R 1 Reply Last reply Reply Quote 0
            • R Offline
              reberhar @itinfo
              last edited by reberhar

              @itinfo Ok I see a couple of policy rules. The one at the very top is sending all your OpenVPN queries out to WANGW. You don't want that. It would be wise to move that rule below your OPENVPN rules and see what happens. That policy rule prevents your OpenVPN Quieres from reaching the system routing table.

              It seems to me that you may want to change the way you are driving your gateways. If you have only one gateway, you don't need this policy rule. It is literary sending everything out to WANGW. There are better ways to do this.

              You may want to put the policy rule that is at the top BELOW the other policy rule with CAMERASGW. I am not sure what the other rules do so you may have to play around to find the place you want it.

              I 1 Reply Last reply Reply Quote 1
              • I Offline
                itinfo @reberhar
                last edited by

                @reberhar thanks for the insight.

                I did see the icmp requests from 10.10.30.19 to 10.10.70.1 being sent out over the WAN interface.

                Now they are being sent out over the OpenVPN interface

                I removed many of the 'test' rules -much longer story - had an ISP router that went bad and I had to get Netgate/pfSense onboard to prove that it was not my router but theirs. ~ $2,000 of costs

                and I now have

                b12a41c8-efde-4336-bf10-75133cc23851-image.png

                Best part of your help is......

                It works!!!!!

                Thanks a million

                R 1 Reply Last reply Reply Quote 0
                • R Offline
                  reberhar @itinfo
                  last edited by

                  @itinfo I am glad my help worked. We have all worked frantically into the night hoping, wishing that someone could simply answer our questions and relieve our anxiety and frustration, and that of our users too sometimes.

                  The switching to 2.7.0 was pariticulary difficult because it broke functioning systems. If you look through the forums here you can see that it was a real struggle for me too. When the light finally went on, I wrote a post that several people found helpful.

                  At that point some documentation on HA actually helped me understand the problem better too, thus the questions about other Lans and a DMZ. Lan to lan communication can also be broken by policy routing rules.

                  God bless you,

                  Roy Eberhardt

                  1 Reply Last reply Reply Quote 1
                  • R Offline
                    reberhar @itinfo
                    last edited by reberhar

                    @Further up your WANGW policy rule is further down in the rules list, but was certainly impacting your tunnel access. I read your rule comments more carefully and understand your system better. Yes you did need to remove this rule WANGW, or insert others that trapped for your tunnel addresses and sent them out to the system routing table.

                    For me, since I need policy routing, I setup an alias list in a rule that traps my server addresses and sends them to the system routing table. This rule I placed above the policy routing rule.

                    FYI

                    lifeboyL 1 Reply Last reply Reply Quote 0
                    • R rlabaza referenced this topic on
                    • lifeboyL Offline
                      lifeboy @reberhar
                      last edited by

                      @reberhar I'm a little confused by your comments about "policy rules". What are policy rules / policy routing rules or are they just another name for firewall rules that you show in the screen shots you posted?

                      R 1 Reply Last reply Reply Quote 0
                      • R Offline
                        reberhar @lifeboy
                        last edited by reberhar

                        @lifeboy Hi lifeboy,

                        So normally, when a rule matches conditions in the firewall or a query falls out the bottom the next place it goes is to the system routing table.

                        If you change that and direct the output somewhere else that is policy based routing.

                        At near the very bottom of any firewall rule in the advanced area you see something like:


                        Gateway "HereIsMyGatewayGroup" (quotes mine)
                        Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
                        Gateway selection is not valid for "IPV4+IPV6" address family.


                        This is the place you put policy base routing.

                        Roy

                        lifeboyL 1 Reply Last reply Reply Quote 0
                        • lifeboyL Offline
                          lifeboy @reberhar
                          last edited by

                          @reberhar I can understand if you have multiple gateways that you'd have to add something like this, but I have a single WAN gateway and OpenVPN that connects site-to-site. On the client side I have an LAN rule that allows all traffic. There is only one way for traffic to leave the client and that is via the default gateway.

                          R 1 Reply Last reply Reply Quote 0
                          • R Offline
                            reberhar @lifeboy
                            last edited by reberhar

                            @lifeboy Hi Lifeboy, ...

                            So does this information help you? Policy routing will break your OpenVPN connections if you're query ends up there. You gotta grab them beforehand and send them to the system table. Then it works.

                            Roy

                            R 1 Reply Last reply Reply Quote 0
                            • R Offline
                              reberhar @reberhar
                              last edited by

                              @reberhar Hi Lifeboy,

                              I'm sorry that I didn't understand your frustration was coming from your broken VPN. I just answered your question about what policy rules are.

                              You MUST send any VPN queres to the system table before they reach policy rules or they will fail.

                              Roy

                              lifeboyL 1 Reply Last reply Reply Quote 0
                              • lifeboyL Offline
                                lifeboy @reberhar
                                last edited by

                                @reberhar Thanks for your patience! I still don't see a way to achieve this, unless the comment below the "gateway" means that if I leave the gateway as default, the traffic will go the routing tables.

                                Should I not have a rule to manage "all from any" traffic for the LAN then? Or a rule that only allows traffic that's not for OpenVPN?

                                R 1 Reply Last reply Reply Quote 0
                                • M Offline
                                  michaelschefczyk
                                  last edited by

                                  Dear All,

                                  I am very glad that this does get discussed in plain language, now. Please take a look at my situation an point me to the right direction.

                                  My situation is dual WAN with site to site OpenVPN and remote access OpenVPN. Inbound OpenVPN ports are forwarded to localhost, so that OpenVPN is available on both WANs.

                                  My classical LAN firewall rules are:

                                  Screenshot 2024-02-06 at 07-16-54 pfsenses10m.schefczyk.net - Firewall Rules LAN.png

                                  The problematic "policy routing" is everything where the gatewway colum is different from "*" (also showing the "advanced settings" wheel) - did I understand this correctly?

                                  To not break OpenVPN in pfSense 2.7 I need to remove policy routing from the LAN rules, also correct? From all of them or only those which may end up pointing outbound to the OpenVPN tunnel (please see below)?

                                  Then my take is:

                                  • The bottom rule "Load balance all other traffic." This will handle traffic going though the site to site OpenVPN tunnel. Should be easy to fix: Normally, I have one of my WANs as the default gateway, but I could just select a gateway group as the default gateway, right?

                                  • The other rules are more difficult to manage but these will not send traffic to the OpenVPN tunnel - this is where I would need some hints, please - if there need to be changes:
                                    -- The first policy rule is such an example: The VoIP running in the LAN does only work, if traffic goes through a particular WAN (my GW_WAN1). How can I achieve that without "policy routing"?
                                    -- Similarly, I have DSL and CATV modems in front of my pfSense that I would like to reach for admin access (for example rule "Fritzbox WAN2". Of course, I can reach them only through the WAN in front of which they are sitting.
                                    -- Third, my mail server should serve both WANs inbound and outbound - and know which WAN each connection is using. I realize this by assigning source "gateways10DSL" to "GW_WAN1" and source "gateways10CATV" to "GW_WAN2"?

                                  Are those functions still possible with 2.7 using multi-WAN and OpenVPN?

                                  The traffic directed either to GW_WAN1 or GW_WAN2 odes NOT use VPN. Are these policy rules still a problem or is only the "Load balance all other traffic." the issue? Simularly itinfo also redirects to "CAMERASGW" for some destinations. If these rules need to go, the devices in front of pfsense could be put into a different LAN, but binding some output to specific WANs/IP addresses would be challenging.

                                  Regards,

                                  Michael

                                  R 2 Replies Last reply Reply Quote 0
                                  • R Offline
                                    reberhar @lifeboy
                                    last edited by reberhar

                                    @lifeboy Hi Lifeboy,

                                    Yes, default goes to the routing tables! You;ve got it. Most of us need policy routing but YOU CANNOT SEND THE OPENVPN queries out to them. So just for the OPENVPN and DMZ, and multiple LAN access you must send those to the system routing table. Only Internet access should go out to policy routing.

                                    If OPENVPN goes there it will be sent out to the Internet as well, where it is lost. The system routing table MUST be used for OPENVPN. That's where all those IP's live that you setup when you configured OPENVPN.

                                    Good job.

                                    What I do is include a simple rule that captures these OPENVPN queries and sends them to the default gateway BEFORE the policy routing rule. If there are a lot of these it is helpful to configure an alias so that don't have to include a rule for everyone of your OPENVPN tunnels or DMZ or Lans that might be impacted by the policy routing rule.

                                    1 Reply Last reply Reply Quote 1
                                    • R Offline
                                      reberhar @michaelschefczyk
                                      last edited by reberhar

                                      This post is deleted!
                                      R 1 Reply Last reply Reply Quote 0
                                      • R Offline
                                        reberhar @reberhar
                                        last edited by

                                        This post is deleted!
                                        1 Reply Last reply Reply Quote 0
                                        • R Offline
                                          reberhar @michaelschefczyk
                                          last edited by

                                          @michaelschefczyk Hi Michael,

                                          I am still trying to totally understand your system, but no you don't need to remove your policy routing to get your tunnels to work. You just need to make sure that your tunnel access is captured and sent to the system routing tables BEFORE they get to the policy routing rules.

                                          Gosh if I had to remove the policy routing so that I could use tunnels I would be in a real bind. I am busy, but when I have some time I will more closely study your posting.

                                          When you moved to 2.7.0 the system you installed a system that more strictly enforces the the firewall rules. In 2.6 you could still get to the the system table with a policy routing rule. That changed in 2.7.0. Now you must specifically tell the firewall which queries you want to go to the policy routing rules, and which you want to go to the system routing table.

                                          You might want to read some of my responses to Lifeboy.

                                          I hope that helps.

                                          1 Reply Last reply Reply Quote 1
                                          • lifeboyL Offline
                                            lifeboy @reberhar
                                            last edited by

                                            @reberhar It sounds great, except that even if I have one single rule in my LAN firewall rules, one that allows all traffic to go via the default, I can still not reach the client LAN from the server LAN.

                                            For the third time I'm redoing it from scratch now, since @jimp believes that if I follow the instruction exactly (assuming I use my own ip addresses, not the ones in the example), it will work.

                                            Let's see...

                                            R 1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.