pfSense OpenVPN cannot reach the entire LAN subnet
-
I'm using pfSense 2.8 in a Proxmox VM, behind a Fortigate cluster. I'm experiencing one-way communication with some IP addresses on the pfSense LAN network.
I can reach 13 of 30 IP addresses on the LAN subnet from the OpenVPN client. All types of traffic to those 13 addresses are functioning fine.
If I capture packets in pfSense I can see ICMP echo request from my OpenVPN client IP, but no replies. If I capture packets at the Fortigate, I do not see the echo requests coming from pfSense.
Odd
-
I wouldn't expect to see any traffic through the Fortigate except the OpenVPN encrypted packets if pfSense is behind it in Proxmox. Assuming the pfSense LAN and clients in it are also in Proxmox?
The most common reason to see something like that is that the LAN hosts are blocking traffic from the OpenVPN subnet.
-
I think this may be an asymmetric routing issue. A Windows host on the remote LAN has the Fortigate as its default gateway. There is a route on the Fortigate to send OpenVPN client subnet traffic to pfSense. I think remote LAN hosts are sending to the Fortigate but pfSense is trying to send directly to the LAN hosts.
As a test, I configured a manual route on a Windows host to send OpenVPN client traffic to pfSense and now I can see it....asif
-
Oh yes, if some hosts are not using pfSense as their gateway that would be an asymmetric route. That traffic could (should) be blocked by the Fortigate since it would only ever see replies. For TCP traffic at least.
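The asymmetric-routing diagnosis in the two posts above, modelled as an added example that is not part of the thread: it traces the echo reply from a LAN host back to the OpenVPN client and shows why a host that only has the Fortigate as its default gateway never answers, while a host with a specific route to pfSense does. All addresses and host names are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addressing for the thread's topology (placeholders, not real values).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN tunnel subnet
VPN_CLIENT = ipaddress.ip_address("10.8.0.6")        # the remote OpenVPN client
LAN = ipaddress.ip_network("192.168.1.0/24")         # pfSense LAN
PFSENSE = ipaddress.ip_address("192.168.1.2")        # pfSense LAN interface
FORTIGATE = ipaddress.ip_address("192.168.1.1")      # Fortigate, the LAN default gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A host routing table: (prefix, next hop); None means directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]

# Host relying on its default gateway only, like the hosts the OP cannot reach.
DEFAULT_ONLY: List[Route] = [(LAN, None), (DEFAULT, FORTIGATE)]
# Host with the manual route the OP added as a test.
WITH_VPN_ROUTE: List[Route] = DEFAULT_ONLY + [(VPN_NET, PFSENSE)]

def next_hop(table: List[Route], dst: ipaddress.IPv4Address):
    """Longest-prefix match, the way a host's IP stack picks a route."""
    candidates = [r for r in table if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def reply_path(host_table: List[Route], fortigate_stateful: bool = True) -> Tuple[bool, List[str]]:
    """Trace an echo reply from a LAN host back to the VPN client.

    The request reached the host directly from pfSense (both sit on the LAN),
    so the Fortigate never saw a forward packet. A stateful firewall that
    receives only the reply half of a flow has no session for it and drops it.
    """
    gw = next_hop(host_table, VPN_CLIENT)
    if gw == PFSENSE:
        return True, ["host", "pfSense", "vpn-client"]
    if gw == FORTIGATE:
        if fortigate_stateful:
            return False, ["host", "Fortigate", "dropped: reply without session"]
        # The Fortigate does hold a route for the VPN subnet via pfSense, so a
        # stateless forwarder would hairpin the reply back onto the LAN.
        return True, ["host", "Fortigate", "pfSense", "vpn-client"]
    return False, ["host", "no route to vpn-client"]

def unreachable_hosts(hosts: dict) -> List[str]:
    """Names of LAN hosts whose replies never make it back to the client."""
    return sorted(name for name, table in hosts.items() if not reply_path(table)[0])

if __name__ == "__main__":
    lan_hosts = {"fileserver": WITH_VPN_ROUTE, "win-desktop": DEFAULT_ONLY}
    for name, table in lan_hosts.items():
        print(name, reply_path(table))
    print("one-way hosts:", unreachable_hosts(lan_hosts))
```

Running `route print` on each unreachable Windows host and checking which gateway it selects for the tunnel subnet is the real-world equivalent of `next_hop()` here.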