Netgate Discussion Forum

    Unable to reach LAN after successful connection

    Category: OpenVPN
    19 Posts, 4 Posters, 1.8k Views

    Post by viragomann

      @Joschide:

      I believe my problem is LAN is not the gateway for that network.

      That will be the problem.
      Since your LAN hosts don't know the subnet of the OpenVPN tunnel, they will send their responses to the default gateway.

      You can easily resolve this by adding an Outbound NAT rule for the VPN tunnel to LAN.
      To do so, you have to switch Outbound NAT to "Hybrid Outbound NAT rule generation" or "Manual Outbound NAT rule generation" first and save this.
      Then add a rule like:
      Interface=LAN, Source=<your OpenVPN tunnel network>, Translation=Interface address

      This will translate the VPN packets' source address to pfSense's LAN address, so the hosts on the LAN will send their responses to the LAN address and pfSense routes them to the VPN client.

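The reasoning in the post above (replies from LAN hosts go to the default gateway because nobody told them where 10.0.8.0/24 lives, and outbound NAT sidesteps that) can be checked with a small route-lookup simulation. This is an added example, not code from the thread, from pfSense or from OpenVPN. It takes the two subnets from the thread and assumes, for illustration only, a pfSense LAN address of 192.168.16.1, a different default gateway at 192.168.16.254 and a VPN client at 10.0.8.6. It also models the alternative fix that keeps the real client address visible: a static route for the tunnel prefix pointing at pfSense.

```python
"""Added example, not code from the thread, pfSense or OpenVPN: a route-lookup
simulation of the reply path from a LAN host to an OpenVPN client, showing why
the replies go missing when pfSense is not the LAN's default gateway and how
either fix (outbound NAT or a static route) changes that.

From the thread: LAN 192.168.16.0/24, OpenVPN tunnel 10.0.8.0/24.
Assumed for illustration: pfSense LAN address 192.168.16.1, a different
default gateway 192.168.16.254, and a VPN client with tunnel address 10.0.8.6.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

LAN = Net("192.168.16.0/24")
TUNNEL = Net("10.0.8.0/24")
PFSENSE_LAN = IPv4("192.168.16.1")    # assumed
DEFAULT_GW = IPv4("192.168.16.254")   # assumed: some other router, not pfSense
VPN_CLIENT = IPv4("10.0.8.6")         # assumed tunnel address of the client

# A route is (destination prefix, next hop); next hop None = directly connected.
Route = Tuple[Net, Optional[IPv4]]


def lookup(table: List[Route], dst: IPv4) -> Route:
    """Longest-prefix match, the rule every host kernel applies."""
    matches = [r for r in table if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)


def lan_host_table(static_route: bool) -> List[Route]:
    """Routing table of a typical LAN host: on-link LAN plus a default route.
    With static_route=True the tunnel prefix is pointed at pfSense, which is
    the alternative to NAT (set on every host, or on the default gateway)."""
    table: List[Route] = [(LAN, None), (Net("0.0.0.0/0"), DEFAULT_GW)]
    if static_route:
        table.append((TUNNEL, PFSENSE_LAN))
    return table


def outbound_nat(src: IPv4) -> IPv4:
    """The rule from the thread: Interface=LAN, Source=tunnel network,
    Translation=Interface address. Packets leaving LAN that came from the
    tunnel get pfSense's LAN address as source; everything else is untouched."""
    return PFSENSE_LAN if src in TUNNEL else src


def reply_path(nat: bool, static_route: bool) -> str:
    """Where the LAN host's reply ends up for a ping from the VPN client."""
    src_seen = outbound_nat(VPN_CLIENT) if nat else VPN_CLIENT
    _, next_hop = lookup(lan_host_table(static_route), src_seen)
    if next_hop is None:
        # On-link: the host ARPs for src_seen and hands the reply to that MAC.
        return "reaches pfSense" if src_seen == PFSENSE_LAN else "on-link, no such host"
    if next_hop == PFSENSE_LAN:
        return "reaches pfSense"
    # Sent to a gateway that has no route back into 10.0.8.0/24.
    return f"sent to {next_hop}, which has no route to the tunnel"


if __name__ == "__main__":
    for nat, route in [(False, False), (True, False), (False, True)]:
        print(f"nat={nat!s:5} static_route={route!s:5} -> {reply_path(nat, route)}")
```

The trade-off a practitioner should weigh: with the NAT rule every LAN host, including the SBS firewall and its logs, sees the VPN client as 192.168.16.1, so per-source filtering and auditing on the LAN lose the real client address. A static route for the tunnel prefix on the LAN's default gateway (or on the hosts) keeps the source address intact and is the cleaner fix when pfSense is not that gateway; firewall rules on the pfSense OpenVPN interface apply in either case.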
      Post by Joschide

        Is it possible to give the client a valid IP from the LAN network?  Preferably, I'd want to use the DHCP server on the LAN (it's an SBS box).  I'm able to see the ping request from a firewall on the LAN and it is being blocked because it is coming over as the tunnel network (10.0.8.*).

        My LAN network is 192.168.16.0/24

        Thank you,
        Joschi

        Post by johnpoz (LAYER 8 Global Moderator)

          you could use TAP vs TUN – but that really is not a very good idea..

          "I'm able to see the ping request from a firewall on the LAN"
          So your traffic is being blocked by the client firewall and not pfsense then?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          Post by Joschide

            @viragomann:

            You can easily resolve this by adding an Outbound NAT rule for the VPN tunnel to LAN.
            To do so, you have to switch Outbound NAT to "Hybrid Outbound NAT rule generation" or "Manual Outbound NAT rule generation" first and save this.
            Then add a rule like:
            Interface=LAN, Source=<your OpenVPN tunnel network>, Translation=Interface address

            This will translate the VPN packets' source address to pfSense's LAN address, so the hosts on the LAN will send their responses to the LAN address and pfSense routes them to the VPN client.

            I'm able to ping by IP address now.  Thank you.

            I'm not able to ping by FQDN yet.  The client isn't getting the right IP address.  Can I Push the LAN DNS to the client?

            Post by viragomann

              Yeah. You can check "Provide a DNS server list to clients" in the server config and enter your LAN DNS there. But remember that if you do that, the client will only use this DNS server. So ensure that it can resolve everything your clients need.

              Post by Joschide

                @viragomann:

                Yeah. You can check "Provide a DNS server list to clients" in the server config and enter your LAN DNS there. But remember that if you do that, the client will only use this DNS server. So ensure that it can resolve everything your clients need.

                Hmm, I already have that set in the client configuration.  I also have Redirect gateway checked.

                [attachment: P1.PNG]

                Post by viragomann

                  Is the DNS server also part of your LAN network, which the outbound NAT rule refers to?

                  Do an nslookup at the client to see if the correct DNS server is accessed.

                  Post by Joschide

                    @viragomann:

                    Is the DNS server also part of your LAN network, which the outbound NAT rule refers to?

                    Do an nslookup at the client to see if the correct DNS server is accessed.

                    Correct, the DNS server (part of SBS) is on the LAN.  nslookup from the client says it's using 127.0.1.1 as server.

                    Post by Joschide

                      I specified the DNS server on the lan with nslookup and it worked.  However, I had to specify pcname.domain.local in order for it to work.

                      Could it have something to do with the General Setup page?  See attached

                      [attachment: P1.PNG]

                      Post by Joschide

                        After some fiddling, I've managed to get it working on my iPhone  ;D  However, both Linux and Windows clients still aren't resolving internal servers properly.  My iPhone is working great: I can pull up internal servers, check mail, etc.

                        What could that be???

                        Post by Joschide

                          @Joschide:

                          After some fiddling, I've managed to get it working on my iPhone  ;D  However, both Linux and Windows clients still aren't resolving internal servers properly.  My iPhone is working great: I can pull up internal servers, check mail, etc.

                          What could that be???

                          I should add I can get around using IP addresses from the linux and windows clients.

                          Post by ega

                            I had a similar problem: I can get connected but can access LAN resources. This happened when the connection was made through a NAT; when the device had a public IP, I could reach local resources.

                            The solution that worked for me was to set TCP as the protocol for the VPN. The explanation is that some routers can't handle the return traffic for UDP properly; this is solved by using the TCP protocol, so it could also be solved by adding a static route in the router (but I didn't do this; I tried the simplest solution first  :)).

                            I suggest changing the server configuration, exporting a new user, and trying again.

                            If you share money, half is left; if you share knowledge, twice as much is left.

                            Post by Joschide

                              @ega:

                              I had a similar problem: I can get connected but can access LAN resources. This happened when the connection was made through a NAT; when the device had a public IP, I could reach local resources.

                              The solution that worked for me was to set TCP as the protocol for the VPN. The explanation is that some routers can't handle the return traffic for UDP properly; this is solved by using the TCP protocol, so it could also be solved by adding a static route in the router (but I didn't do this; I tried the simplest solution first  :)).

                              I suggest changing the server configuration, exporting a new user, and trying again.

                              Thank you for your suggestion.  I will try that.

                              Post by johnpoz (LAYER 8 Global Moderator)

                                "nslookup from the client says it's using 127.0.1.1 as server."

                                Your clients said they were using a loopback address as their DNS?  Were they running any sort of DNS server that forwarded? That makes no sense at all.


                                Post by Joschide

                                  @johnpoz:

                                  "nslookup from the client says it's using 127.0.1.1 as server."

                                  Your clients said they were using a loopback address as their DNS?  Were they running any sort of DNS server that forwarded? That makes no sense at all.

                                  This is from a linux client.  I have to specify nslookup someIP dnsIP and it works.

                                  My windows clients are now working correctly!

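Two things in the thread fit together: viragomann's advice to push the LAN DNS server to clients, and the later finding that the Linux client's nslookup still used 127.0.1.1 and only resolved "pcname.domain.local", not "pcname". On Linux, OpenVPN does not rewrite the resolver itself; it exports pushed options it does not consume as environment variables foreign_option_1, foreign_option_2, ... to its --up script, and a script such as the stock update-resolv-conf turns those into /etc/resolv.conf entries. If no such script runs, queries keep going to the local stub resolver (127.0.1.1 is typically the NetworkManager-managed dnsmasq stub) and the pushed server is never used. The block below is an added example, not code from the thread, pfSense or OpenVPN; it re-implements that parsing and shows how a search domain turns "pcname" into a resolvable name. The LAN DNS server 192.168.16.2, the domain "domain.local" and the zone contents are assumed; the thread only says the DNS server is on 192.168.16.0/24 and that "pcname.domain.local" resolved.

```python
"""Added example, not code from the thread, pfSense or OpenVPN: what a Linux
OpenVPN client's --up script must do with pushed DNS options, and why a short
hostname only resolves once a search domain is applied.

Assumed: LAN DNS server 192.168.16.2 and AD domain domain.local. The thread only
says the DNS server is on 192.168.16.0/24 and that pcname.domain.local resolved.
"""
import re
from typing import Dict, List, Optional, Tuple

_FOREIGN = re.compile(r"^foreign_option_(\d+)$")


def parse_foreign_options(env: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (nameservers, search_domains) from foreign_option_N variables,
    in push order, ignoring options update-resolv-conf would not act on."""
    numbered = []
    for key, value in env.items():
        m = _FOREIGN.match(key)
        if m:
            numbered.append((int(m.group(1)), value))
    servers: List[str] = []
    domains: List[str] = []
    for _, value in sorted(numbered):
        parts = value.split()
        if len(parts) < 3 or parts[0] != "dhcp-option":
            continue
        kind, arg = parts[1], parts[2]
        if kind == "DNS" and arg not in servers:
            servers.append(arg)
        elif kind in ("DOMAIN", "DOMAIN-SEARCH") and arg not in domains:
            domains.append(arg)
    return servers, domains


def render_resolv_conf(servers: List[str], domains: List[str]) -> str:
    """The resolv.conf content an up script would write for these options."""
    lines = [f"nameserver {s}" for s in servers]
    if domains:
        lines.append("search " + " ".join(domains))
    return "\n".join(lines) + "\n"


def candidate_names(name: str, domains: List[str], ndots: int = 1) -> List[str]:
    """Order in which a glibc-style resolver tries a name: a trailing dot means
    absolute only; fewer than ndots dots means the search list is tried first."""
    if name.endswith("."):
        return [name[:-1]]
    suffixed = [f"{name}.{d}" for d in domains]
    if name.count(".") < ndots:
        return suffixed + [name]
    return [name] + suffixed


# Constructed zone of the LAN (AD) DNS server: it knows only fully qualified names.
LAN_ZONE = {"sbs.domain.local": "192.168.16.2", "pcname.domain.local": "192.168.16.20"}


def resolve(name: str, domains: List[str]) -> Optional[str]:
    """Resolve against the constructed zone using the client's search list."""
    for cand in candidate_names(name, domains):
        if cand in LAN_ZONE:
            return LAN_ZONE[cand]
    return None


# Constructed: the environment the openvpn client process hands to its --up
# script after the server pushed a DNS server, a domain and a WINS server.
SAMPLE_ENV = {
    "dev": "tun0",
    "foreign_option_1": "dhcp-option DNS 192.168.16.2",
    "foreign_option_2": "dhcp-option DOMAIN domain.local",
    "foreign_option_3": "dhcp-option WINS 192.168.16.2",  # not a resolver setting; skipped
}

if __name__ == "__main__":
    servers, domains = parse_foreign_options(SAMPLE_ENV)
    print(render_resolv_conf(servers, domains), end="")
    print("pcname with search domain ->", resolve("pcname", domains))
    print("pcname without search domain ->", resolve("pcname", []))
```

On the pfSense side the two pushed options correspond to the "Provide a DNS server list to clients" and "Provide a default domain name to clients" fields of the OpenVPN server; Windows and iOS clients apply them natively, which matches what the thread reports, while a Linux client needs `script-security 2` and an `up`/`down` script (or a systemd-resolved helper) in its configuration. Because "Redirect gateway" is also set, every query from the client depends on that single LAN server, which is viragomann's caveat: it must resolve public names too, not only the AD zone.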
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.