Netgate Discussion Forum
    Strange VPN Problem - VPN Only Allows Access to PFSense on LAN Subnet

    General pfSense Questions
    19 Posts 4 Posters 1.4k Views
    Jake Biker

      Dear All,

      We have a remote station - someone who shall remain nameless configured the LAN 192.168.1.0/24

      I've built an OpenVPN with the Wizard, using Certs and Username and Password.
      The VPN connects no problems and authenticates.

      However I cannot reach any of the devices in the LAN Subnet aside from the PFSense itself on 192.168.1.254/24
      I've looked at the firewall logs and they show the correct rules to allow traffic from the VPN into the LAN - they are logging this traffic against the pass rule.

      However - I cannot ping or SSH or HTTP - nothing ..

      Any ideas please?

        Jarhead @Jake Biker

        @Jake-Biker Do these devices have software firewalls enabled on them?

          Jake Biker @Jarhead

          @Jarhead

          I wish :)

          Nope, I can reach them the intended way inside the LAN - they are mostly our own IoT devices - no firewalls

          Thanks for the reply! :)

            stephenw10 Netgate Administrator

            Yup you might need to NAT the VPN client traffic to the LAN address to get past that.

            ...or if they have no default route.

              Jake Biker @stephenw10

              @stephenw10

              Surely the VPN wizard would set up the NAT?

                stephenw10 Netgate Administrator

                It will NAT traffic out of the WAN but not the LAN. That is just routed by default. That requires the devices on LAN to reply to traffic from the tunnel subnet, which they may block or not be able to.

                Switch outbound NAT to hybrid mode.
                Add a rule to NAT traffic from the tunnel subnet to the LAN subnet NAT'd to the LAN interface address.

                  Jake Biker @stephenw10

                  @stephenw10 Hi mate - that doesn't seem to work

                  Interface: OpenVPN
                  Source: OpenVPN Client Subnet
                  Source Port: Any
                  Destination: LAN Subnets
                  NAT Address: LAN Address

                  ?? Please excuse Virtualisation engineer right on edge of comfort zone :)

                    stephenw10 Netgate Administrator

                    The NAT rule should be on the LAN interface. That is where it needs to be applied outbound.

                      Jake Biker @stephenw10

                      @stephenw10

                      Thanks Stephen - I will try this.

                      Can I ask - why does this just "work" on all my other installs ? :)

                        stephenw10 Netgate Administrator

                        It will work 'out of the box' as long as the hosts on LAN are able to respond to connections from the tunnel subnet.

                        If those hosts have an invalid default route they can only respond to connections from inside their own subnet.

                        If they have any sort of filtering they may block connections from outside their own subnet.

                        Both are quite common for IoT type devices.

                          Jake Biker @stephenw10

                          @stephenw10 Thanks mate --

                          We make those IoT devices, and they don't behave like this usually...

                          Anyway - this PFsense was originally a 2.3 32 bit device, I remapped the ports and moved it to 2.72 - all the VPN's are up and the multi-wan is working all fine.

                          Maybe this is a hangover from the migration from the old 32bit variant PFsense. XML?

                            stephenw10 Netgate Administrator

                            It shouldn't be.

                            Are you policy routing traffic via a gateway group somewhere?

                            One thing that could be an issue is the negate networks rule. The behaviour of that has changed a few times since 2.0. A very old install might have negated the policy routing automatically but a 2.7.2 install will not. If it is applied to OpenVPN clients for example they will not reach the LAN without a bypass rule.

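                            The policy-routing trap described in the post above (a rule on the OpenVPN tab with a gateway or gateway group set sends VPN-client traffic out that gateway instead of to the LAN, unless a rule with no gateway matches the LAN destination first) comes down to first-match rule evaluation. The following Python is an added example written for this page, not pfSense code and not anything posted in the thread; the rule list, the gateway group name "WANGroup" and the 10.0.8.0/24 tunnel network are all assumptions.

```python
import ipaddress

LAN_NET = "192.168.1.0/24"   # LAN subnet as stated in the thread


def select_next_hop(rules: list, src_ip: str, dst_ip: str):
    """First-match evaluation of the pass rules on one interface tab.

    Returns "routing-table" when the matching rule has no gateway (normal
    routing, so the LAN is reached directly), the gateway name when the rule
    policy-routes, or None when nothing matches (default deny).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule["source"]) and dst in ipaddress.ip_network(rule["destination"]):
            return rule.get("gateway") or "routing-table"
    return None


# Assumed OpenVPN-tab rule set: a single catch-all pass rule that policy-routes
# everything from the tunnel subnet out a multi-WAN gateway group.
BROKEN_RULES = [
    {"source": "10.0.8.0/24", "destination": "0.0.0.0/0", "gateway": "WANGroup"},
]

# Same list with a bypass rule above it: LAN destinations match first and get
# normal routing; everything else is still policy-routed out the group.
FIXED_RULES = [
    {"source": "10.0.8.0/24", "destination": LAN_NET},
] + BROKEN_RULES


def lan_reachable(rules: list, client_ip: str = "10.0.8.2", host_ip: str = "192.168.1.50") -> bool:
    """True only when the client's packet to a LAN host is handed to the routing table."""
    return select_next_hop(rules, client_ip, host_ip) == "routing-table"


if __name__ == "__main__":
    print("broken, to LAN:  ", select_next_hop(BROKEN_RULES, "10.0.8.2", "192.168.1.50"))  # WANGroup
    print("fixed, to LAN:   ", select_next_hop(FIXED_RULES, "10.0.8.2", "192.168.1.50"))   # routing-table
    print("fixed, to internet:", select_next_hop(FIXED_RULES, "10.0.8.2", "203.0.113.9"))  # WANGroup
```

                            On a real pfSense box the bypass is a pass rule on the OpenVPN tab with destination "LAN subnets" and the gateway left at default, ordered above the policy-routing rule. The model deliberately leaves out the automatic negate-networks rules, whose behaviour has changed between versions, which is exactly why they are not something to rely on.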
                              Jake Biker @stephenw10

                              @stephenw10

                              There are static routes - I need to look at these - should be able to do some work on this tomorrow.
                              Was thinking about virtualising the config and bashing at it offline, trying to suss it.

                                NightlyShark @Jake Biker

                                @Jake-Biker What did you enter here:
                                [image: screenshot of a pfSense settings field]
                                ?
                                Here?
                                [image: screenshot of a second pfSense settings field]

                                  stephenw10 Netgate Administrator

                                  No policy routing though? No gateway set on any firewall rules?

                                    Jake Biker @NightlyShark

                                    @NightlyShark 192.168.1.0/24

                                      Jake Biker @stephenw10

                                      @stephenw10

                                      Finally got some time to fix these two problems once and for all.

                                      I noticed that I was able to ping some IPs on the LAN Subnet from the VPN.

                                      But not others.

                                      I created a NAT Rule.

                                      Outbound
                                      Interface LAN
                                      IP both
                                      Proto ANY
                                      Source Manually Entered VPN Subnet
                                      Dest LAN Subnets
                                      Translation LAN Address

                                      This works ...

                                      On all IP addresses .
                                      I tested local pings to make sure the gear was really available on ICMP and it was .. then I knew I had to fix it.

                                      Thanks Stephen - I don't understand why this works and it didn't from scratch.

                                      But ..all good.

                                      THANKS!

                                        stephenw10 Netgate Administrator

                                        Ah, nice. That implies some devices on the LAN are blocking connections from outside their subnet. That's common for Windows firewall for example. The NAT rule makes all connections from VPN clients appear to come from the LAN IP address so hosts allow it.

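                                        The reply-path reasoning in the posts above (a LAN host with no usable default route, or with a host firewall that only accepts on-subnet sources, cannot answer a client in the tunnel subnet, and a LAN-side outbound NAT rule fixes both) can be modelled directly. The following Python is an added example written for this page, not pfSense code and not code from anyone in the thread; it assumes an OpenVPN tunnel network of 10.0.8.0/24 (never stated in the thread) and uses the 192.168.1.0/24 LAN and 192.168.1.254 pfSense address as posted. The three sample hosts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = "192.168.1.0/24"
LAN_ADDRESS = "192.168.1.254"   # pfSense LAN address, as stated in the thread
TUNNEL_NET = "10.0.8.0/24"      # assumed OpenVPN tunnel network (not given in the thread)


@dataclass
class LanHost:
    """A modelled LAN host; the two flags stand for the failure modes discussed in the thread."""
    name: str
    addr: str
    default_gw: Optional[str] = LAN_ADDRESS   # None: no usable default route (IoT-style device)
    subnet_only_firewall: bool = False        # True: host firewall drops off-subnet sources

    def can_reply_to(self, src_ip: str) -> bool:
        """Can this host deliver a reply to a request whose source address is src_ip?"""
        src = ipaddress.ip_address(src_ip)
        on_link = src in ipaddress.ip_network(LAN_NET)
        if self.subnet_only_firewall and not on_link:
            return False      # request dropped on the host; pfSense still logged a pass
        if on_link:
            return True       # reply goes straight onto the LAN, no route lookup needed
        return self.default_gw is not None   # off-subnet reply needs a default route


def outbound_nat(src_ip: str, dst_ip: str, rules: list) -> str:
    """pfSense-style outbound NAT on the LAN interface: first matching rule rewrites the source."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule["source"]) and dst in ipaddress.ip_network(rule["destination"]):
            return rule["translation"]
    return src_ip             # no match: traffic is routed with its original source


def reachable(client_ip: str, host: LanHost, rules: list) -> bool:
    """A VPN client reaches a host only if the host can get a reply back."""
    return host.can_reply_to(outbound_nat(client_ip, host.addr, rules))


def pf_rule(rule: dict, lan_if: str = "$lan_if") -> str:
    """Approximate pf(4) form of the rule; pfSense generates an equivalent line from the GUI entry."""
    return f"nat on {lan_if} inet from {rule['source']} to {rule['destination']} -> {rule['translation']}"


# The hybrid-mode rule from the thread: interface LAN, source tunnel subnet,
# destination LAN subnets, translation LAN address.
HYBRID_RULE = [{
    "interface": "LAN",
    "source": TUNNEL_NET,
    "destination": LAN_NET,
    "translation": LAN_ADDRESS,
}]

# Constructed sample hosts, one per behaviour described in the thread.
HOSTS = [
    LanHost("well-behaved", "192.168.1.10"),
    LanHost("no-default-route", "192.168.1.20", default_gw=None),
    LanHost("subnet-only-firewall", "192.168.1.30", subnet_only_firewall=True),
]


def matrix(client_ip: str = "10.0.8.2") -> dict:
    """Reachability of every sample host (routed only, with the LAN-side outbound NAT rule)."""
    return {h.name: (reachable(client_ip, h, []), reachable(client_ip, h, HYBRID_RULE)) for h in HOSTS}


if __name__ == "__main__":
    print(pf_rule(HYBRID_RULE[0]))
    for name, (plain, natted) in matrix().items():
        print(f"{name:22s} routed only: {plain!s:5s}  with outbound NAT: {natted}")
```

                                        Only the first host answers in the "routed only" column, which matches the observation earlier in the thread that some LAN IPs answered from the VPN and others did not; all three answer once the source becomes 192.168.1.254. The caveat a practitioner should keep in mind: after this rule every VPN client appears to LAN hosts as the pfSense LAN address, so host-side logs and any per-client allow lists on those devices lose the client identity, and the firewall rules on the OpenVPN interface become the only place that still controls which client may reach what.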
                                          Jake Biker @stephenw10

                                          @stephenw10
                                          I need to go on a dang course :) :)

                                          I am great with Virt and Linux and MS - but I suck at firewalls :)

                                          Thanks mate :)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.