OpenVPN - LAN - Router
-
I have installed my first pfSense virtual private network with OpenVPN successfully. This is a road-warrior connection, and I can connect to every PC behind the LAN interface. Now, in this internal network I have a router with another private network attached to it and its own IP range. I can't figure out which rules I must write to reach the computers behind this router. I intend to make remote desktop connections to these machines from my warrior client.
My network topology is the following:
The LAN IP is 192.168.1.0/24, the router's external interface has the IP address 192.168.1.254, and the PCs attached to the router have 192.168.30.0/24 IP addresses.

                   |-------------|    Lan    -----------------------
Internet --------- |   pfsense   |-----------|        Switch       |
roadwarrior        ---------------           -----------------------
client                                        |.......|      |
                                             PC1     PC9     |
                                                        -----------
                                                        | Router  |
                                                        -----------
                                                        | ....... |
                                                       PC10     PC14

Can you help me? Thanks in advance.
-
That would be a routing matter rather than a rules matter.
You have to add a static route in pfSense:
Go to System > Routing > Gateways
Add a new gateway for your router here if you haven't yet. Enter your router's LAN IP as the gateway IP. Don't check "Default Gateway", enter a description and save it.
Then go to the Routes tab and add a new route. In the destination network field enter 192.168.30.0/24 and at Gateway select the one you have set up first, enter a description and save it.
Then go to the OpenVPN server configuration and add the network behind the router (192.168.30.0/24) to the "IPv4 Local Network/s". If you have entered your LAN network there, separate it by a comma. This should push a route to this network to VPN clients.
Of course, the rules on the OpenVPN interface also have to allow traffic to 192.168.30.0/24.
-
A few things need to happen (some already mentioned):
- pfSense needs to know how to get to the 192.168.30.0/24 network. As viragomann mentioned, you will need a static route, but the next hop/gateway needs to be the router's IP on the LAN side (not the pfSense LAN IP), i.e. your static route will need "Destination Network" as 192.168.30.0/24 with a "Gateway" of 192.168.1.254.
- Check the routing table on your router; you may also need a static route on your router telling it that packets destined for the "192.168.1.0/24" network need to go through the pfSense LAN IP.
- You need to push a route for the 192.168.30.0/24 network to your mobile clients, i.e. add "192.168.30.0/24" to the "IPv4 Local Network/s" section on your road warrior config.
- In order for your mobile clients to access the 192.168.30.0/24 network, your router will need a static route for the road warrior tunnel network, which will send the return traffic back towards pfSense.
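
The routing steps listed in the replies above can be checked with a small model. This is an added example, not part of the thread: it traces a packet from the road-warrior client to a PC behind the router and back, with each of the three routes switched on or off. The tunnel network 10.0.8.0/24, the client and PC10 addresses, and a router without a default route are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not stated in the thread): tunnel network 10.0.8.0/24,
# client 10.0.8.2, PC10 at 192.168.30.10, router has no default route.
TUNNEL, NET30 = "10.0.8.0/24", "192.168.30.0/24"
CLIENT, PC10 = "10.0.8.2", "192.168.30.10"
OWNER = {CLIENT: "client", PC10: "pc10"}

def build(pushed_to_client=True, static_on_pfsense=True, return_on_router=True):
    """Per-device routing tables as {device: [(network, next device)]}."""
    t = {"client": [], "pfsense": [(TUNNEL, "client")],
         "router": [(NET30, "pc10")], "pc10": [("0.0.0.0/0", "router")]}
    if pushed_to_client:     # "IPv4 Local Network/s" on the OpenVPN server
        t["client"].append((NET30, "pfsense"))
    if static_on_pfsense:    # System > Routing: 192.168.30.0/24 via 192.168.1.254
        t["pfsense"].append((NET30, "router"))
    if return_on_router:     # router: tunnel network via the pfSense LAN IP
        t["router"].append((TUNNEL, "pfsense"))
    return {d: [(ipaddress.ip_network(n), hop) for n, hop in r]
            for d, r in t.items()}

def next_hop(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    hits = [(net.prefixlen, hop) for net, hop in routes
            if ipaddress.ip_address(dst) in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start until dst's owner or a missing route."""
    path, node = [start], start
    while node != OWNER[dst] and len(path) <= max_hops:
        node = next_hop(tables[node], dst)
        path.append(node or "NO-ROUTE")
        if node is None:
            break
    return path

def round_trip(**flags):
    """Return (outbound path, return path) for client <-> PC10."""
    tables = build(**flags)
    return trace(tables, "client", PC10), trace(tables, "pc10", CLIENT)

if __name__ == "__main__":
    for flags in ({}, {"return_on_router": False}, {"static_on_pfsense": False}):
        out, back = round_trip(**flags)
        print(flags or "all routes", "| out:", " > ".join(out), "| back:", " > ".join(back))
```

If the router's default gateway already points at pfSense, the return leg follows that default and succeeds without the explicit tunnel route; the model leaves the default out to make the dependency visible.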
-
As a practical matter, I would also change that LAN 192.168.1.0/24 in the middle to some other more obscure private address space.
That will help avoid problems for your Road Warriors when they are sitting in their local cafe and the cafe WiFi hotspot is also 192.168.1.0/24