OpenVPN Access to LAN Question
-
I've followed the various tutorials on setting up an OpenVPN server/client with pfSense, and I'm almost there, but I have a few questions.
OpenVPN Clients: 192.168.200.0/24
DMZ: 192.168.1.0/24
LAN: 10.10.10.0/24
The VPN clients can access the DMZ servers fine, but cannot access anything on the LAN (Windows shares, RDP, etc.). I have the following routes being pushed down from the server:
Destination Mask Gateway Interface
10.10.10.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.1.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.200.1 255.255.255.255 192.168.200.5 192.168.200.6
I have NetBIOS unchecked, which should allow for share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online).
Oddly enough, I can access the pfsense firewall on 10.10.10.1, I just can't seem to access anything beyond that. I don't have any specific rules on either dmz or lan interface (based on what I read, I shouldn't need to as vpn clients are allowed full access automatically)
Am I missing something here?
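A quick way to check the client side of this problem is to resolve a destination against the pushed route table and see whether it is even sent into the tunnel before looking at firewall rules. The script below is an added example, not code from the thread; it embeds the route table from the post above as constructed sample input and assumes 192.168.200.5 is the tunnel gateway, as the table shows.

```python
import ipaddress

# Route table as pushed to the VPN client in the post above (constructed from
# the thread's table; columns: destination, mask, gateway, interface).
PUSHED_ROUTES = """\
10.10.10.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.1.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.200.1 255.255.255.255 192.168.200.5 192.168.200.6
"""

# Assumption: the gateway column of the pushed routes is the tunnel endpoint.
TUNNEL_GATEWAY = "192.168.200.5"


def parse_routes(text):
    """Parse 'dest mask gateway interface' rows into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers and blank lines
        dest, mask, gateway, iface = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, host):
    """Longest-prefix match, as the client's kernel would do it."""
    addr = ipaddress.IPv4Address(host)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best  # None means no pushed route covers the host


def via_tunnel(routes, host, gateway=TUNNEL_GATEWAY):
    """True if traffic to host leaves through the VPN gateway."""
    match = lookup(routes, host)
    return match is not None and match[1] == gateway


if __name__ == "__main__":
    table = parse_routes(PUSHED_ROUTES)
    for host in ("10.10.10.1", "10.10.10.50", "192.168.1.10", "8.8.8.8"):
        print(host, "via tunnel" if via_tunnel(table, host) else "NOT via tunnel")
```

For the routes in the post, a LAN host such as 10.10.10.50 is routed into the tunnel, so the client-side route is not the missing piece.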
-
can you ping any 10.10.10.x host via vpn?
-
Nope. Just the gateway.
-
so you have set 192.168.1.0/24 (your DMZ area) as "local network" in openVPN configuration form, and configured the route for your LAN using the advanced configuration field.
I have a similar configuration working.
LAN 192.168.100.x
other subnets in LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x ...
Using OpenVPN I can successfully connect to all these LANs.
I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create a static route or firewall rules; just configure 192.168.100.0/24 as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense:
push "route 192.168.3.0 255.255.255.0";
I'm using pfSense 2.0 RC1; I was not able to make this work with version 1.2.3.
Hope this can help you.
-
Ah. Interesting. I'm using 1.2.3 which might be why. I've also had my 'local network' set to the 10.10.10.0/24 network space and only did a custom route to the DMZ (via push as well as manually on the client via route add). I'm wondering if there's a limitation with 1.2.3 which prevents LAN access.
-
Maybe 1.2.3 requires a firewall rule?
-
If so, what would that rule look like?
-
You should permit connections from your VPN to your DMZ.
If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from 192.168.200.0/24.
-
That's what I thought, too. I added a rule on the LAN interface to allow any/any from 192.168.200.0/24, but to no avail. As the DMZ network is reachable as-is (192.168.200.0/24 (VPN) has access to 192.168.1.0/24 (DMZ) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?
-
I think that you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.