I have 3 WAN, 1 LAN, and 1 device VPN'ed into WAN1. Computers using WAN2 or WAN3 cannot see the VPN device
-
Hello pfSense users,
I have 3 WANs. I set up aliases to route different IPs of my LAN subnet to different WANs. The device that is using a VPN (OpenVPN) to connect to the pfSense box is using 10.11.83.0/24 and is assigned 10.11.83.2. I can access the device on the computers that are using the same WAN as the VPN is on. The other computers that are using the other 2 WANs cannot access or ping the device.
Is there a way to set pfSense to route the 10.11.83.0/24 subnet to all the WANS so all the computers can access the device?
Thanks for any help to this question.
-
@ThePowerPig I need clarification... are you wanting access to the other two WANs for the VPN to go out, or to the LAN subnets behind the other two WANs?
-
@The-Party-of-Hell-No
I would like to have all computers have access to that device. I have servers using different WANs but need to be able to pass traffic to the device on the VPN.
Thanks
-
@ThePowerPig
It's not clear to me, how is this device connected to pfSense.
Is it a VPN client and 10.11.83.0/24 is the VPN tunnel pool of the OpenVPN server running on pfSense? And you want to access it by its IP 10.11.83.2?
-
@viragomann
I can ping the device on computers at 10.11.83.2 on the computers that are using WAN1. Computers using WAN2 and WAN3 are not able to ping it. I am wondering if there is a route or firewall that I would need to add to make it accessible on all computers no matter what WAN they are on. Would maybe having the device connect to the pfSense box using 3 VPN connections (1 to each WAN) fix the issue or would something other than OpenVPN work better? Maybe IPsec?
The device is a Raspberry Pi running Debian with the OpenVPN client.
Sorry that I am not good at explaining what I am trying to do. I have a unique setup. If I could have got multiple static IPs from 1 ISP then it would have been less complex.
Thanks
-
@ThePowerPig said in I have 3 WAN, 1 LAN, and 1 device VPN'ed into WAN1. Computers using WAN2 or WAN3 cannot see the VPN device:
I can ping the device on computers at 10.11.83.2 on the computers that are using WAN1. Computers using WAN2 and WAN3 are not able to ping it.
How did you ensure that these computers use WAN2 or 3? I guess with a policy routing rule?
If so, ensure that the destination of the rule does not match the OpenVPN tunnel network.
-
I created aliases, and in those I put the IP addresses of the servers that I want on each WAN. An alias for each WAN. Then add those aliases in the firewall rules.
Rule/alias example 1
Interface: LAN
Address Family: IPv4
Protocol: Any
Source: "Address or Alias" WAN1Alias
Destination: Any
-Advanced-
Gateway: WAN1GW1
-
@ThePowerPig
So add an additional rule to allow access to internal subnets (best to create an RFC 1918 alias for this purpose), but at least for the IPs you want to access from the device in question, and move this rule up above the policy routing rule.
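
The rule ordering suggested in the last reply, modeled as an added Python example (not part of any post in the thread and not pfSense code): first-match evaluation shows a destination-any policy rule handing tunnel traffic to a WAN gateway until a no-gateway RFC 1918 rule sits above it, and a small audit flags policy rules that still capture private destinations. The LAN host 192.168.1.20 and the gateway name WAN2GW are constructed assumptions; 10.11.83.2 is the device from the thread.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")

def rule(name, src, dst, gateway=None):
    # gateway=None models a pass rule with no gateway set (normal routing table)
    return {"name": name, "src": src, "dst": dst, "gateway": gateway}

def egress(rules, src, dst):
    """First-match evaluation, top to bottom, of pass rules on one interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            return r["gateway"] or "routing table"
    return "blocked"  # nothing matched: default deny

def forced_internal(rules):
    """Policy-routing rules that still capture RFC 1918 destinations."""
    hits = []
    for i, r in enumerate(rules):
        if r["gateway"] is None:
            continue
        for p in RFC1918:
            if not any(p.overlaps(n) for n in r["dst"]):
                continue
            # Covered if an earlier no-gateway rule takes this private range
            # for every source the policy rule applies to.
            covered = any(
                e["gateway"] is None
                and any(p.subnet_of(n) for n in e["dst"])
                and all(any(s.subnet_of(n) for n in e["src"]) for s in r["src"])
                for e in rules[:i])
            if not covered:
                hits.append((r["name"], str(p)))
    return hits

WAN2_ALIAS = nets("192.168.1.20/32")  # constructed LAN host pinned to WAN2
before = [rule("WAN2 policy", WAN2_ALIAS, ANY, gateway="WAN2GW")]  # WAN2GW: hypothetical name
after = [rule("to internal", WAN2_ALIAS, RFC1918)] + before

if __name__ == "__main__":
    for label, rs in (("before", before), ("after", after)):
        print(label, egress(rs, "192.168.1.20", "10.11.83.2"), forced_internal(rs))
```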