Netgate Discussion Forum
    PfSense to TomatoVPN routing issue. SOLVED!

      EzdineG

      Thanks to this great guide here, I've configured pfSense/OpenVPN at work and connected to it from home via TomatoVPN in a site-to-site configuration.

      The pfSense machine is not, and cannot currently be made, the default gateway of the work domain. That said, the connection is easily made and I can ping, SSH, etc. to the pfSense server from home. I cannot ping any other machine on the network, nor can the machines at work ping mine at home. If I change their default gateway to the pfSense we can see each other. If I add a route to 192.168.1.0 -> 10.1.1.18 (pfSense internal IP) at the default gateway they can see me but I still can't see them. It is as if pfSense doesn't know where to send my requests on arrival if it is not the default gateway, even though it's on the same subnet.

      Anyone have any idea on a possible solution? Any pointers on DNS, etc. would be great; I haven't had a chance to experiment much as I've been stuck here. Thanks in advance for your time.

      My configuration is as follows (pfSense server):
      Protocol: UDP
      Dynamic IP: Checked
      Local Port: 1194
      Address Pool: 10.8.1.0/24
      Client-to-client: Checked
      Cryptography: BF-CBC
      Authentication: (PKI)
      (Keys in place)
      LZO: Checked
      Custom Options: route 192.168.1.0 255.255.255.0;push "route 10.1.0.0 255.255.0.0"
      Desc: site-to-site

      Client-specific configuration (pfSense server):
      Common name: (matches key)
      Custom options: iroute 192.168.1.0 255.255.255.0
      Desc: 192.168.1.0/24

      VPN -> Client -> Basic (TomatoVPN client):
      Interface Type: TUN
      Protocol: UDP
      Server Addr: (server's WAN ADDR):1194
      Firewall: Automatic
      Auth Mode: TLS
      Extra HMAC: Disabled
      NAT on tunnel: Checked

      VPN -> Client -> Advanced (TomatoVPN client):
      Poll: 0
      Accept DNS Conf: Disabled
      Encryption: BF-CBC
      Compression: Enabled
      ReNego: -1
      (Keys in place)

      Firewall Rules: LAN

      • LAN * * * * Default LAN -> any

      Firewall Rules: WAN

      • UDP * * * 194 *

        EzdineG

        I've solved my own problem.

        The REAL default gateway at work needed a route added for the ADDRESS POOL, not the client side's LAN.  Using a route for the client side's LAN allowed them to see me, but not respond to me.

        Hope this helps anyone else attempting to configure a similar setup.

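To show why the fix in this thread works, here is an added example (not from the thread, pfSense or TomatoVPN) that models the three routing tables with the thread's own addresses and follows a packet sent by a work machine hop by hop. It assumes the real default gateway sits at 10.1.1.1, uses constructed host and client addresses, and takes "NAT on tunnel" on the TomatoVPN client to mean that traffic from home enters the work LAN with its 10.8.1.x tunnel address as source.

```python
from ipaddress import ip_address, ip_network

# Prefixes and the pfSense address come from the thread; the gateway, host and
# client addresses below are constructed for this example.
PFSENSE = "10.1.1.18"       # pfSense LAN address (from the thread)
WORK_GW = "10.1.1.1"        # assumed: the real default gateway at work
WORK_HOST = "10.1.2.50"     # constructed: a machine on the work LAN
TUNNEL_CLIENT = "10.8.1.6"  # constructed: TomatoVPN's address from the 10.8.1.0/24 pool

# Tables are lists of (prefix, next hop); "connected" = deliver on-link, "tun" = into OpenVPN.
PFSENSE_TABLE = [("10.1.0.0/16", "connected"),
                 ("10.8.1.0/24", "tun"),        # the address pool
                 ("192.168.1.0/24", "tun"),     # route + iroute for the client's LAN
                 ("0.0.0.0/0", "internet")]

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if nothing matches."""
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace_from_work(dst, gateway_routes):
    """Follow a packet from WORK_HOST toward dst; the last element is where it ends up."""
    host_table = [("10.1.0.0/16", "connected"), ("0.0.0.0/0", WORK_GW)]
    gateway_table = [("10.1.0.0/16", "connected")] + gateway_routes + [("0.0.0.0/0", "internet")]
    hops = [WORK_HOST]
    if lookup(host_table, dst) == "connected":
        return hops + ["on-link"]              # same /16: no gateway involved
    hops.append(WORK_GW)
    nexthop = lookup(gateway_table, dst)
    if nexthop != PFSENSE:
        return hops + [nexthop]                # no route for dst: sent to the internet and lost
    hops.append(PFSENSE)
    return hops + [lookup(PFSENSE_TABLE, dst)]

LAN_ROUTE_ONLY = [("192.168.1.0/24", PFSENSE)]                 # the poster's first attempt
LAN_AND_POOL = LAN_ROUTE_ONLY + [("10.8.1.0/24", PFSENSE)]     # the fix from the thread

if __name__ == "__main__":
    # With NAT on tunnel, a request from home carries the tunnel address as its source,
    # so the work host's reply is addressed to 10.8.1.6 and needs the pool route.
    print(trace_from_work(TUNNEL_CLIENT, LAN_ROUTE_ONLY))   # ends at 'internet'
    print(trace_from_work(TUNNEL_CLIENT, LAN_AND_POOL))     # ends at 'tun'
    # Traffic that work initiates toward the home LAN already worked with the LAN route alone.
    print(trace_from_work("192.168.1.10", LAN_ROUTE_ONLY))  # ends at 'tun'
```

The first trace reproduces "they can see me, but not respond to me": the LAN route covers work-initiated traffic, but replies to the NAT'd tunnel source only reach pfSense once the gateway also knows where 10.8.1.0/24 lives.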
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.