Netgate Discussion Forum

    Openvpn cannot access to lan

      sgtr

      Hi,
      Firstly, can you explain your modem configuration? As above, your network subnet values might be the same subnet. Otherwise, did you add a rule (Firewall > Rules > OpenVPN) for access to the local network?

      Regards,
      SGTR

      Never give up, even if there is no hope.

        border

        Hi,

        I just opened the same question (cannot access LAN) so I cannot provide the answer to this question…
        But: the firewall rule for OpenVPN is created automatically when configuring OpenVPN (with description OpenVPN wizard).

          aykiri1

          my modem ip 192.168.5.1 subnet is 255.255.255.0
          pfsense ip 192.168.5.2 subnet is 255.255.255.0

          all pcs connecting to internet without problem.

          remote pc is connecting to pfsense with openvpn client and connection is OK taken ip 10.0.1.6
          firewall rules automatically created. also i checked it's available
          but can't connect to local pcs.

            heper

            please draw a map for us to understand your network topology. your pfsense only has 1 interface - a LAN interface ?

              aykiri1

              pfsense
              lan  192.168.5.2 subnet 255.255.255.0
              wan 192.168.5.1 subnet 255.255.255.0

              ovpn tunnel setting    10.0.1.0/24
              local network setting  192.168.5.0/24

              client connecting to pfsense server and access internet OK. web config pfsense is OK. pinging 192.168.5.2 OK
              but no ping or other access to 5.2 5.3 5.4 etc..

                phil.davis

                pfsense
                lan  192.168.5.2 subnet 255.255.255.0
                wan 192.168.5.1 subnet 255.255.255.0

                The way you have written this, it just won't work. It is not possible to have the same subnet on LAN and WAN. So there is some problem with us being able to understand what you mean.
                What is connected to the WAN NIC of pfSense?
                What is connected to the LAN NIC of pfSense?
                Please try and draw a network diagram of what hardware is connected where.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  aykiri1

                  thanks for helping

                  adsl_router(192.168.5.1-255.255.255.0) -------- pfsense (192.168.5.2-255.255.255.0) <<< 15 LAN PC (192.168.5.XX 255.255.255.0)
                                                                                                                            |
                                                                                                                            |
                                                                                                                remote pc 10.0.6.6

                  this is what i want.

                  that 15 pc and pfsense working properly no any problem.
                  i want to remote pc add to that lan
                  installed openvpn client to win7 pc. and connected to pfsense. pinging 192.168.5.2 is OK. web access and internet ok too.
                  only problem is i can't ping or any access to that 15 pc
                  firewall rules automatically created. and i tried to push route 10.0.1.0 255.255.255.0 too
                  but no success

                    sgtr

                    If you want to solve this problem, first you must change the modem's network subnet, because your modem and pfSense box are on the same network. The modem and the local network shouldn't be on the same subnet. They must be on different subnets. That's not a pfSense problem. It is routing protocol rules. Go to the modem GUI and change the modem IP address, the pfSense WAN IP address and the WAN gateway address. You will see the problem solved.

                    Regards,
                    SGTR

                    Never give up, even if there is no hope.

                      aykiri1

                      i changed the settings to these values

                      adsl_router(192.168.6.1-255.255.255.0) -------- pfsense (192.168.7.2-255.255.255.0) <<< 15 LAN PC (192.168.7.XX 255.255.255.0)
                                                                                                                                |
                                                                                                                                |
                                                                                                                    remote pc 10.0.1.6

                      but no success

                        phil.davis

                        I have no idea why your clients worked on LAN when you had 192.168.5.* addresses on pfSense WAN and LAN. Maybe you have pfSense in transparent bridge mode?
                        Anyway, now you have different subnets on LAN and WAN, which is good. Hopefully the LAN clients in 192.168.7.* are working fine and can get to the internet.
                        In your OpenVPN server, put "192.168.7.0/24" in "Local Network/s". Then the OpenVPN client should be given a route to 192.168.7.0/24
                        Make sure your OpenVPN tab has a rule that passes traffic to destination 192.168.7.0/24 (or pass destination all).

                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                          aykiri1

                          hi phil

                          it was my mistake sorry.

                          wan and lan was not same. it was 5.2 and 6.2 i was mistake from wan gateway and wan.
                          just. i changed ips but not success again.

                          now system.
                                                                                                      (wan 192.168.5.2  wangw 192.168.5.1)
                          adsl_router(192.168.5.1-255.255.255.0) -------- pfsense (192.168.7.2-255.255.255.0) <<< 15 LAN PC (192.168.7.XX 255.255.255.0)
                                                                                                                                    |
                                                                                                                                    |
                                                                                                                        remote pc 10.0.6.6

                          from vpn client side connecting to vpnserver is OK. connecting web access OK. connecting internet from pfsense OK.
                          no ping and access client pc's.  (firewall tab openvpn . any to any pass)
                          regards

                          ipconfig

                          Ethernet bağdaştırıcı Yerel Ağ Bağlantısı 2:

                          Bağlantıya özgü DNS Soneki .  . . :
                            Açıklama  . . . . . . . . . . . . : TAP-Windows Adapter V9
                            Fiziksel Adres. . . . . . . . . . : 00-FF-xx-13-xx-xx
                            Dhcp Etkin. . . . . . . . . . . . : Evet
                            Otomatik Yapılandırma Etkin. . .  : Evet
                            Bağlantı Yerel IPv6 Adresi . . . . . : fe80::cc54:cc25:9cde:cc83%cc(Tercih Edilen)
                            IPv4 Adresi. . . . . . . . . . . : 10.0.6.6(Tercih Edilen)
                            Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.252
                            Kira Sağlanan. . . . . . . . . .  : 03 Şubat 2014 Pazartesi 09:57:29
                            Kira Bitişi . . . . . . . . . . . : 03 Şubat 2015 Salı 09:57:28
                            Varsayılan Ağ Geçidi. . . . . . . :
                            DHCP Sunucusu . . . . . . . . . . : 10.0.6.5
                            DHCPv6 IAID . . . . . . . . . . . : 419495841
                            DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-xx-00-01-19-E8-xx-xx-60-A4-xx-2B-99-0E
                            DNS Sunucusu. . . . . . . . . . . : fxx0:0:0:ffff::xxx
                                                                fec0:0:0:ffff::2%1
                                                                fec0:0:0:ffff::3%1
                            Tcpip üzerinden NetBIOS. . . . . . . . : Etkin

                          Ethernet bağdaştırıcı Yerel Ağ Bağlantısı:

                          Bağlantıya özgü DNS Soneki .  . . :
                            Açıklama  . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
                            Fiziksel Adres. . . . . . . . . . : xx-A4-4C-xx-99-xx
                            Dhcp Etkin. . . . . . . . . . . . : Hayır
                            Otomatik Yapılandırma Etkin. . .  : Evet
                            Bağlantı Yerel IPv6 Adresi . . . . . : fexx::294a:cc75:d957:xe2xx%11(Tercih Edlen)
                            IPv4 Adresi. . . . . . . . . . . : 192.168.4.174(Tercih Edilen)
                            Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.0
                            Varsayılan Ağ Geçidi. . . . . . . : 192.168.4.1
                            DHCPv6 IAID . . . . . . . . . . . : 241214540
                            DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-01-00-01-19-E8x-A3-xx-A40E
                            DNS Sunucusu. . . . . . . . . . . : 192.168.4.1
                            Tcpip üzerinden NetBIOS. . . . . . . . : Etkin

                          route list

                          IPv4 Yol Tablosu

                          Etkin Yollar:
                                  Ağ Hedefi      Ağ Maskesi        Ağ Geçidi        Arabirim  Ölçüt
                                    0.0.0.0          0.0.0.0          192.168.4.1    192.168.4.174    276
                                  10.0.6.1  255.255.255.255        10.0.6.5        10.0.6.6    30
                                  10.0.6.4  255.255.255.252        On-link          10.0.6.6    286
                                  10.0.6.6  255.255.255.255        On-link          10.0.6.6    286
                                  10.0.6.7  255.255.255.255        On-link          10.0.6.6    286
                                  127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                                  127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                            127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                192.168.4.0    255.255.255.0        On-link    192.168.4.174    276
                              192.168.4.174  255.255.255.255        On-link    192.168.4.174    276
                              192.168.4.255  255.255.255.255        On-link    192.168.4.174    276
                                192.168.7.0    255.255.255.0        10.0.6.5        10.0.6.6    30
                                  224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                                  224.0.0.0        240.0.0.0        On-link    192.168.4.174    276
                                  224.0.0.0        240.0.0.0        On-link          10.0.6.6    286
                                  224.0.0.0        240.0.0.0        On-link      192.168.59.1    276
                                  224.0.0.0        240.0.0.0        On-link    192.168.133.1    276
                            255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                            255.255.255.255  255.255.255.255        On-link    192.168.4.174    276
                            255.255.255.255  255.255.255.255        On-link          10.0.6.6    286
                            255.255.255.255  255.255.255.255        On-link      192.168.59.1    276
                            255.255.255.255  255.255.255.255        On-link    192.168.133.1    276

                            heper

                            the lan pc's on the 192.168.7.x range have pfsense set as their default gateway ?

                            could you attempt to do the following in windows command prompt:

                            from VPN: tracert -d 192.168.7.X
                            from LANPC (when vpn is connected): tracert -d 10.0.6.6
                            also some diagnostics->packet captures would be helpful (try pinging from both ends while it is running)

                              aykiri1

                              hi heper.

                              thats outputs

                              C:\Users\Live>tracert -d 192.168.7.5

                              En çok 30 atlamanın üstünde 192.168.7.5'e giden yolu izlemek

                              1    15 ms    14 ms    14 ms  192.168.5.1
                                2    57 ms    59 ms    39 ms  195.87.128.19
                                3    54 ms    44 ms    74 ms  46.234.2.17
                                4    *        *        *    İstek zaman aşımına uğradı. (it means timeout)
                                5    *        *        *    İstek zaman aşımına uğradı.
                                6    *        *        *    İstek zaman aşımına uğradı.
                                7    *        *        *    İstek zaman aşımına uğradı.
                                8    *        *        *    İstek zaman aşımına uğradı.
                                9  ^C
                              C:\Users\Live>

                              C:\Users\xpx>tracert -d 10.0.6.6

                              En çok 30 atlamanın üstünde 10.0.6.6 'e giden yolu izlemek

                              1    *        *        *    İstek zaman aşımına uğradı. (it means timeout)
                                2    *        *        *    İstek zaman aşımına uğradı.
                                3    *        *        *    İstek zaman aşımına uğradı.
                                4    *        *        *    İstek zaman aşımına uğradı.
                                5    *        *        *    İstek zaman aşımına uğradı.
                                6  ^C

                                phil.davis

                                That is very strange. It is routing from the OpenVPN client across the VPN link to pfSense, but then pfSense is sending it out the WAN 192.168.5.1 to the public internet. I can't think how that could happen, because 192.168.7.5 is on the local LAN of pfSense, so it has to be delivered directly there.
                                What is in Diagnostics->Routes IPv4 section on pfSense?

                                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
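
Added example, not part of the thread and not pfSense code: a Python check that runs the two tests discussed above, overlap between the WAN, LAN and tunnel networks, and a longest-prefix lookup over the client route table that was posted, so the expected next hop for 192.168.7.5 can be compared with the first hop tracert reported. The function names are hypothetical, and the 10.0.6.0/24 tunnel network is an assumption inferred from the client address 10.0.6.6.

```python
import ipaddress

# Constructed sample: rows taken from the "Etkin Yollar" (active routes) table
# posted in the thread; the localized header is kept to show that it is skipped.
ROUTE_PRINT = """\
        Ağ Hedefi      Ağ Maskesi        Ağ Geçidi        Arabirim  Ölçüt
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.174    276
         10.0.6.1  255.255.255.255         10.0.6.5         10.0.6.6     30
         10.0.6.4  255.255.255.252          On-link         10.0.6.6    286
      192.168.4.0    255.255.255.0          On-link    192.168.4.174    276
      192.168.7.0    255.255.255.0         10.0.6.5         10.0.6.6     30
        224.0.0.0        240.0.0.0          On-link         10.0.6.6    286
"""

# Addressing as posted at two points in the thread. 10.0.1.0/24 is the posted
# tunnel setting; 10.0.6.0/24 is an assumption inferred from client 10.0.6.6.
FIRST_LAYOUT = {"wan": "192.168.5.1/24", "lan": "192.168.5.2/24",
                "tunnel": "10.0.1.0/24"}
LATER_LAYOUT = {"wan": "192.168.6.2/24", "lan": "192.168.7.2/24",
                "tunnel": "10.0.6.0/24", "client_lan": "192.168.4.174/24"}


def parse_routes(text):
    """Parse the IPv4 rows of Windows `route print`, whatever the UI language."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # localized headers and blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(iface)  # the interface column must be an address
            routes.append({"net": net, "gateway": gateway,
                           "iface": iface, "metric": int(metric)})
        except ValueError:
            continue  # five tokens, but not a route row
    return routes


def lookup(routes, destination):
    """Pick the route as the client would: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def overlapping(layout):
    """Return every pair of named networks that share address space."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in layout.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def entered_tunnel(first_hop, tunnel):
    """True if the first tracert hop is an address inside the tunnel network.

    On a routed (dev tun) link the first hop for a tunnelled destination is
    normally a tunnel address, as in the later trace in the thread (10.0.6.1).
    """
    return ipaddress.ip_address(first_hop) in ipaddress.ip_network(tunnel, strict=False)


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    for dst in ("192.168.7.5", "8.8.8.8"):
        r = lookup(routes, dst)
        print(f"{dst}: via {r['gateway']} on {r['iface']} "
              f"({r['net']}, metric {r['metric']})")
    print("first layout overlaps:", overlapping(FIRST_LAYOUT))
    print("later layout overlaps:", overlapping(LATER_LAYOUT))
    for hop in ("192.168.5.1", "10.0.6.1"):
        print(f"first hop {hop} inside tunnel:",
              entered_tunnel(hop, LATER_LAYOUT["tunnel"]))
```

When the selected route points at the tunnel interface but the first hop lies outside the tunnel network, the trace and the route table were not taken under the same client state, so both should be captured again in one session before reading anything into the later hops.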

                                  aykiri1

                                  hi phil its output.

                                  and i see on ipconfig
                                  --------
                                  Ethernet bağdaştırıcı Yerel Ağ Bağlantısı 2:

                                  Bağlantıya özgü DNS Soneki .  . . :
                                    Açıklama  . . . . . . . . . . . . : TAP-Windows Adapter V9
                                    Fiziksel Adres. . . . . . . . . . : 00-FF-xx-13-xx-xx
                                    Dhcp Etkin. . . . . . . . . . . . : Evet
                                    Otomatik Yapılandırma Etkin. . .  : Evet
                                    Bağlantı Yerel IPv6 Adresi . . . . . : fe80::cc54:cc25:9cde:cc83%cc(Tercih Edilen)
                                    IPv4 Adresi. . . . . . . . . . . : 10.0.6.6(Tercih Edilen)
                                    Alt Ağ Maskesi. . . . . . . . . . : 255.255.255.252
                                    Kira Sağlanan. . . . . . . . . .  : 03 Şubat 2014 Pazartesi 09:57:29
                                    Kira Bitişi . . . . . . . . . . . : 03 Şubat 2015 Salı 09:57:28
                                    Varsayılan Ağ Geçidi. . . . . . . : (gateway empty)
                                    DHCP Sunucusu . . . . . . . . . . : 10.0.6.5
                                    DHCPv6 IAID . . . . . . . . . . . : 419495841
                                    DHCPv6 İstemcisi DUID'si. . . . . . . . : 00-xx-00-01-19-E8-xx-xx-60-A4-xx-2B

                                  gateway is empty is it normal ?

                                  changed openvpn gateway to default and take again tracert

                                  C:\Users\Live>tracert -d 192.168.7.5

                                  En çok 30 atlamanın üstünde 192.168.7.5'e giden yolu izlemek

                                  1    28 ms    13 ms    53 ms  10.0.6.1
                                    2    *        *        *    İstek zaman aşımına uğradı. (timeout)

                                    aykiri1

                                    any suggestions from specialists?

                                      sgtr

                                      Hi Everyone,

                                      Firstly @aykiri1

                                      I am confused, because there was one network when you started this topic, and now there are many networks (192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24 and your tunnel networks).

                                      What are your ADSL modem IP and your pfSense WAN and LAN IP addresses? You told us that the ADSL modem IP changed to 192.168.6.1 and your pfSense LAN IP address is 192.168.7.2.

                                      @aykiri1:

                                      hi phil

                                      it was my mistake sorry.

                                      wan and lan was not same. it was 5.2 and 6.2 i was mistake from wan gateway and wan.
                                      just. i changed ips but not success again.

                                      now system.
                                                                                                                  (wan 192.168.5.2  wangw 192.168.5.1)
                                      adsl_router(192.168.5.1-255.255.255.0) -------- pfsense (192.168.7.2-255.255.255.0) <<< 15 LAN PC (192.168.7.XX 255.255.255.0)
                                                                                                                                                |
                                                                                                                                                |
                                                                                                                                    remote pc 10.0.6.6

                                      from vpn client side connecting to vpnserver is OK. connecting web access OK. connecting internet from pfsense OK.
                                      no ping and access client pc's.  (firewall tab openvpn . any to any pass)
                                      regards


                                      Never give up, even if there is no hope.

                                        aykiri1

                                        hi SGTR

                                        my second lan and second wan interfaces are not important because i want to access only lan1 (LAN)

                                        of course i made changes when i got info from someone, then tested one by one.

                                        (wan=192.168.6.2    wangw=192.168.6.1)
                                        modem ip 192.168.6.1--------------------------pfsense (lan 192.168.7.2)------------------------------ clients 192.168.7.xx
                                                                                                                              |
                                                                                                                              |
                                                                                                                    openvpn client 10.0.6.6

                                        firewall rule openvpn any to any and any port pass added
                                        openvpn client connecting to server gets ip 10.0.6.6 web access pfsense OK. internet OK. lan access NOK

                                        thx

                                          aykiri1

                                          when i am using client export (with execute setup) i must change the ip address

                                          this client openvpn conf

                                          dev tun
                                          persist-tun
                                          persist-key
                                          cipher AES-128-CBC
                                          auth SHA1
                                          tls-client
                                          client
                                          resolv-retry infinite
                                          remote 192.168.6.2 1194 udp
                                          lport 0
                                          verify-x509-name "xxxxx" name
                                          auth-user-pass
                                          pkcs12 secure-udp-1194-vpn1.p12
                                          tls-auth secure-udp-1194-vpn1-tls.key 1
                                          ns-cert-type server
                                          comp-lzo

                                          this red value i am changing to the wan ip address.
                                          what is the problem ?

                                            heper

                                            pfsense sets the interface ip in the client-config … in your case this is probably 192.168.....
