Netgate Discussion Forum

    Cannot get internet connectivity for LAN and VPN_LAN clients at the same time

    OpenVPN
    11 Posts 3 Posters 2.0k Views
      heper

      when using the -nopull option, you need to assign an interface to your openvpn instance (interfaces --> assign --> + --> ovpncx)

      then go to interfaces --> optx --> set type to 'none' --> save
      you should now have a gateway / if you don't, create a gateway for the optx interface.
      use the gateway in your vpn_lan firewall rules

      oh yeah, you probably need to create some 'PASS' rules on the optx interface and if you have manual NAT, you'd have to sort that too

        sundaydiver

        Thanks heper.

        I think I already have that interface, named VPN_WAN, which I identify in NAT and lan_vpn already right?
        If I add PASS rules on the VPN_WAN gateway, wouldn't that be only for inbound connections from the internet?? Currently I just have a block all rule…
        See attached pics for VPN_WAN gateway and firewall details.

        ![2015-05-25 08.13.47.jpg](/public/imported_attachments/1/2015-05-25 08.13.47.jpg)
        vpn_wan_rules.png

          sundaydiver

          Bump.

          So referencing my LAN_VPN rules I have attached, what do I need to change to route that lan out the VPN WAN??

            Derelict LAYER 8 Netgate

            This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              sundaydiver

              @Derelict:

              This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.

              Diagram added.

                Derelict LAYER 8 Netgate

                There is no reason to set the gateway on your LAN rules to WAN_PPPOE.  Set it back to default.  If you REALLY need to policy route everything out WAN_PPPOE, you need to bypass policy routing for everything that needs to route elsewhere, such as traffic from LAN to LAN_VPN.

                With one WAN there is no reason to use policy routing.  Set it to default.  Note that you also need to bypass policy routing on LAN_VPN if you want those hosts to be able to access any "local" resources like LAN.

                https://doc.pfsense.org/index.php/What_is_policy_routing

                https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

                What is in the VPN_DNS alias?

                Are you sure you are having a traffic routing problem or a DNS problem?  I am not sure about the policy routing out the VPN with the /32 routes in the table for 8.8.8.8 and 8.8.4.4 since you have those name servers "glued" to WAN_PPPOE in pfSense and you're trying to policy route the same DNS servers (Those are the servers you're giving to LAN_VPN clients via DHCP).

                For instance, with the VPN connection up can you ping 208.67.222.222 from Host A2?


                  sundaydiver
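The ordering point Derelict makes above (a LAN rule with a gateway set policy-routes everything it matches, so LAN-to-LAN_VPN traffic must be matched by an earlier rule with no gateway) can be shown with a small first-match model of pfSense rule evaluation. This is an added illustration, not code from the thread or from pfSense: the rule classes, the 10.10.10.0/24 LAN address space and the host addresses are constructed for the example; 10.10.20.0/24 is the LAN_VPN network mentioned later in the thread.

```python
# Added example (not from the thread or pfSense): a tiny first-match model of
# pfSense LAN rules showing why a "bypass policy routing" rule must sit above
# a rule that carries a gateway. pfSense evaluates rules top-down, first match
# wins; a rule with a gateway set becomes a pf route-to rule, so any traffic it
# matches is pushed out that gateway even when the destination is a directly
# connected local network. Networks and hosts below are constructed
# (LAN 10.10.10.0/24 is assumed; LAN_VPN 10.10.20.0/24 is from the thread).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                        # source network in CIDR form
    dst: str                        # destination network, or "any"
    gateway: Optional[str] = None   # None = use the system routing table
    action: str = "pass"


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """True when both packet addresses fall inside the rule's networks."""
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    return rule.dst == "any" or ip_address(dst_ip) in ip_network(rule.dst)


def decide(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First-match evaluation; returns (action, gateway or 'default')."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.gateway or "default"
    return "block", None            # implicit default deny


LAN = "10.10.10.0/24"               # assumed LAN network
LAN_VPN = "10.10.20.0/24"           # LAN_VPN network named in the thread

# The problematic ruleset: every LAN packet is policy-routed out WAN_PPPOE,
# so a LAN host talking to LAN_VPN is handed to the WAN gateway instead of
# being routed locally.
BROKEN_LAN_RULES = [
    Rule(src=LAN, dst="any", gateway="WAN_PPPOE"),
]

# With a single WAN the fix is simply no gateway on the rule ("default").
SINGLE_WAN_LAN_RULES = [
    Rule(src=LAN, dst="any"),
]

# If policy routing is genuinely needed, the bypass rule (no gateway) for
# local destinations must come first.
POLICY_ROUTED_LAN_RULES = [
    Rule(src=LAN, dst=LAN_VPN),                      # bypass: route normally
    Rule(src=LAN, dst="any", gateway="WAN_PPPOE"),   # everything else: WAN
]

# LAN_VPN hosts: local traffic bypasses policy routing, the rest goes out VPN_WAN.
LAN_VPN_RULES = [
    Rule(src=LAN_VPN, dst=LAN),                      # bypass: reach LAN
    Rule(src=LAN_VPN, dst="any", gateway="VPN_WAN"),
]


if __name__ == "__main__":
    host_a, host_b, internet = "10.10.10.50", "10.10.20.50", "208.67.222.222"
    print("broken LAN->LAN_VPN :", decide(BROKEN_LAN_RULES, host_a, host_b))
    print("fixed  LAN->LAN_VPN :", decide(POLICY_ROUTED_LAN_RULES, host_a, host_b))
    print("LAN_VPN->internet   :", decide(LAN_VPN_RULES, host_b, internet))
```

The same check can be done by reading the Firewall > Rules tab for each interface top to bottom: any rule that carries a gateway should be preceded by rules, without a gateway, for every destination that must stay on the local routing table.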

                  Derelict, thanks for providing some help here. I have updated the pics in my original post to reflect some changes, as directed by yourself.

                  Unfortunately, I still cannot get Internet connectivity out the VPN subnet, while using the -nopull option. I updated the monitor IP for the VPN_WAN gateway to 8.8.8.8, and interestingly that allows me to ping that particular IP out the VPN, but nothing else. i.e. I cannot ping 208.67.222.222 from the LAN_VPN subnet unless I set it to be the monitor IP for the VPN_WAN gateway.

                  @Derelict:

                  What is in the VPN_DNS alias?

                  This was just an alias for 8.8.8.8 & 8.8.4.4

                  Any other hints or advice?

                    Derelict LAYER 8 Netgate

                    You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?


                      sundaydiver

                      @Derelict:

                      You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?

                      Nope. This is a fresh install with openvpn only.

                        Derelict LAYER 8 Netgate

                        Don't know, dude.  It works every time I do it.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.