Netgate Discussion Forum

VPN -> LAN (OK) | LAN -> VPN (OFF) need both working

General pfSense Questions. 53 posts, 2 posters, 4.2k views.
stephenw10 (Netgate Administrator):

Ok. So you should be able to ping the VPN client IP in the tunnel subnet, but the client itself would have to allow it. Is that also pfSense? If so you would need a firewall rule there.

To ping a subnet behind the client you need routes and iroutes. That means adding them as remote networks in the server setup and adding Client Specific Overrides for the client with that subnet defined:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#create-client-specific-overrides

Steve
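The routes/iroutes point above, worked through as an added example that is not from this thread or from Netgate: a constructed OpenVPN server.conf carrying the `route` line that pfSense generates from the server's IPv4 Remote Network(s) field, two Client Specific Override files in the client-config-dir carrying `iroute` lines, and a POSIX shell check that flags any iroute with no matching server-side route (the usual cause of "the client can reach us, but we cannot reach the subnet behind the client"). The tunnel subnet 50.50.50.0/24 is the one used in this thread; the subnets 10.50.0.0/24 and 10.60.0.0/24, the client common names and the file layout are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check that every "iroute" in an OpenVPN
# client-config-dir (pfSense: Client Specific Override) has a matching "route"
# in server.conf (pfSense: the server's IPv4 Remote Network(s) field).
# All addresses, client names and paths below are constructed for the demo.
set -eu

# make_demo: build a constructed server.conf and ccd/ directory, print its path
make_demo() {
  dir=$(mktemp -d)
  mkdir "$dir/ccd"
  cat > "$dir/server.conf" <<'EOF'
server 50.50.50.0 255.255.255.0
client-config-dir ccd
# kernel route: send 10.50.0.0/24 into the tunnel interface
route 10.50.0.0 255.255.255.0
EOF
  # override for client "branch-router": tells OpenVPN which client owns the subnet
  cat > "$dir/ccd/branch-router" <<'EOF'
iroute 10.50.0.0 255.255.255.0
EOF
  # override whose subnet has no server-side route: OpenVPN learns the iroute,
  # but the kernel still sends 10.60.0.0/24 to the default gateway, not the tunnel
  cat > "$dir/ccd/other-client" <<'EOF'
iroute 10.60.0.0 255.255.255.0
EOF
  echo "$dir"
}

# check_iroutes DIR: print one line per iroute; return the number of iroutes
# that have no matching "route NET MASK" in DIR/server.conf (0 = consistent)
check_iroutes() {
  dir=$1
  missing=0
  for ccd in "$dir"/ccd/*; do
    cn=$(basename "$ccd")
    # "iroute NET MASK" -> "NET/MASK" so the loop body runs in this shell
    for spec in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$ccd"); do
      net=${spec%/*}
      mask=${spec#*/}
      # escape the dots so they match literally in the grep -E pattern
      pat=$(printf '%s[[:space:]]+%s' "$net" "$mask" | sed 's/\./\\./g')
      if grep -qE "^route[[:space:]]+$pat([[:space:]]|$)" "$dir/server.conf"; then
        echo "OK      $cn: iroute $net $mask has a matching route"
      else
        echo "MISSING $cn: iroute $net $mask has no 'route $net $mask' in server.conf"
        missing=$((missing + 1))
      fi
    done
  done
  return "$missing"
}

# Demo run: expect branch-router OK and other-client MISSING
demo_dir=$(make_demo)
check_iroutes "$demo_dir" || echo "$? iroute(s) without a server-side route"
rm -rf "$demo_dir"
```

The two directives do different jobs: `route` puts a kernel route on pfSense so packets for the remote subnet enter the tun interface at all, and `iroute` tells the OpenVPN process which connected client should receive them. Either one alone leaves the subnet unreachable from LAN, which is why the check pairs them up.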
BRQ_michael:

@stephenw10 Okay, but I don't want clients to be visible on my network just to ping. I need them to talk to everything, from ping to remote access, everything in fact.
BRQ_michael:

@BRQ_michael But this step-by-step guide is just for the case where pfSense is a client of another OpenVPN server, no?
stephenw10 (Netgate Administrator):

No, that's the server side for an SSL/TLS site-to-site, which is what you have.

Is the client end here also pfSense?
BRQ_michael:

@stephenw10 No, it's a computer.
stephenw10 (Netgate Administrator):

So how is it routing traffic from the subnet behind it? You enabled some software routing on the 'computer'?
BRQ_michael:

@stephenw10 I don't understand the question, sorry. I'm on a computer on the pfSense local network and that's why I can access it. To test, I disconnect from the company's LAN network, connect from my cell phone data and do the tests connected to OpenVPN. If that is what you wanted to know from the question, I ended up not understanding.
stephenw10 (Netgate Administrator):

You said you need to be able to access the VPN clients from LAN, is that not true?
BRQ_michael:

@stephenw10 Exactly, this is what I need: I need my local LAN to talk to the clients of my OpenVPN server.
stephenw10 (Netgate Administrator):

OK, so you are testing by pinging from, for example, 192.168.140.57 to 50.50.50.5?

In that case the client at 50.50.50.5 must allow the ping traffic. For example, Windows Firewall will block that.
BRQ_michael:

@stephenw10 Exactly, but for example, it's not just ping that it doesn't allow; I try to access my folders, and also transfer something, and my Windows firewall has been dead for ages, completely disabled.
stephenw10 (Netgate Administrator):

Right, but we just use ping as a test because it will usually be allowed.

So what error does it return?
BRQ_michael:

@stephenw10 The order has timed out.
stephenw10 (Netgate Administrator):

OK, run the ping from a host on LAN then check the state table. Filter by the target IP address and make sure you see the states present.

You should see one state on LAN and one on OpenVPN.
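The state-table check described above, as an added example that is not from this thread or from Netgate: a POSIX shell script that reads `pfctl -ss` output (the shell equivalent of Diagnostics > States in the pfSense GUI) and reports, for one target IP, whether a state exists on the LAN interface, on the OpenVPN interface, on both, or on neither, with the diagnosis each case points to. The interface names igb1 and ovpns1 and the pfctl lines are constructed, the parser assumes the plain IPv4 `src -> dst` form without NAT annotations, and the target 50.50.50.5 is the client address from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify pfSense state-table output
# ("pfctl -ss") for one target IP. Interface names and all pfctl lines below
# are constructed for the demo.
set -eu

LAN_IF=igb1      # assumed LAN interface name
VPN_IF=ovpns1    # assumed OpenVPN server interface name

# Constructed output for a healthy LAN -> VPN ping: one ICMP state on LAN and
# one on the OpenVPN interface, plus an unrelated HTTPS state to be ignored.
STATES_OK='igb1 icmp 192.168.140.57:1 -> 50.50.50.5:1       0:0
ovpns1 icmp 192.168.140.57:1 -> 50.50.50.5:1       0:0
igb1 tcp 192.168.140.57:51022 -> 192.168.140.1:443       ESTABLISHED:ESTABLISHED'

# Constructed output where the ping was passed on LAN but never entered the tunnel.
STATES_LAN_ONLY='igb1 icmp 192.168.140.57:1 -> 50.50.50.5:1       0:0'

# states_for IP: read pfctl -ss lines on stdin; print the interface of every
# state whose source or destination address is IP (de-duplicated, sorted).
# Assumes the plain form "ifname proto src -> dst state" and IPv4 addresses.
states_for() {
  target=$1
  awk -v ip="$target" '
    { src = $3; dst = $5
      # strip the trailing ":port" (or ":id" for ICMP) from each address
      sub(/:[^:]*$/, "", src); sub(/:[^:]*$/, "", dst)
      if (src == ip || dst == ip) print $1 }' | sort -u
}

# diagnose IP: read pfctl -ss lines on stdin and print a verdict.
# Returns 0 when both interfaces hold a state, 2 for LAN only, 1 for none.
diagnose() {
  target=$1
  seen=$(states_for "$target")
  on_lan=0
  on_vpn=0
  for i in $seen; do
    if [ "$i" = "$LAN_IF" ]; then on_lan=1; fi
    if [ "$i" = "$VPN_IF" ]; then on_vpn=1; fi
  done
  if [ "$on_lan" -eq 1 ] && [ "$on_vpn" -eq 1 ]; then
    echo "ok: states on $LAN_IF and $VPN_IF for $target; pfSense is forwarding into the tunnel"
    return 0
  elif [ "$on_lan" -eq 1 ]; then
    echo "lan-only: traffic was passed on $LAN_IF but opened no state on $VPN_IF; check the route to the tunnel subnet on pfSense (the packet may have left via another interface)"
    return 2
  else
    echo "none: no state on $LAN_IF; the traffic was blocked (check the firewall log) or never reached pfSense (check the pinging host's routing table)"
    return 1
  fi
}

# Demo runs on the constructed samples
printf '%s\n' "$STATES_OK" | diagnose 50.50.50.5 || true
printf '%s\n' "$STATES_LAN_ONLY" | diagnose 50.50.50.5 || true
```

On a live box the same functions run as `pfctl -ss | diagnose 50.50.50.5` while the ping is in progress, since ICMP states expire shortly after the ping stops. The three verdicts encode the decision Steve describes: traffic that arrives on LAN is either blocked (firewall log) or passed (state on LAN), and a passed packet that never opens a state on the OpenVPN interface points at routing on pfSense rather than at the client.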
BRQ_michael:

@stephenw10 Done, no ping.
stephenw10 (Netgate Administrator):

So no states created on any interface?

Was the ping running while you checked the states? The states will close quickly after the ping stops, like maybe 30s.
BRQ_michael:

@stephenw10 Exactly, totally unavailable LAN -> VPN.
stephenw10 (Netgate Administrator):

Hmm, then check the firewall logs. Is that blocked on LAN?

If not, check the routing table on the LAN client running the ping. Is it somehow trying to ping directly? Like maybe it still has a VPN connection active and isn't even trying to use the LAN?
BRQ_michael:

@stephenw10 Nothing appears in the logs when I try to ping.
It's not possible that this is something that abnormal; I don't even make any settings other than what comes by default in pfSense.
stephenw10 (Netgate Administrator):

If the LAN host is pinging something in the 50.50.50.X subnet and it is using pfSense as its default gateway, that traffic will arrive at the LAN interface. So it will either be blocked or passed and open a state.

Try running a packet capture on the LAN filtered by the target IP (50.50.50.X) and then running the ping from the LAN host. If those pings don't arrive at the LAN then there is some routing issue on the LAN host.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.