Cant Ping\Access anything on Local Network apart from the gateway.

bigp

Hi There,

I'm currently looking at a setup that has two Interfaces\WAN connections. One of the WAN Interfaces seems to be working with OpenVPN just fine, but the other isn't working correctly. This is what I have currently for the non working interface.

Tunnel Network is 10.20.2.0/24
LAN is 10.20.0.0/24

When i connect my client (running as an Administrator as using Windows OS) it seems to connect fine and i get an address of 10.20.2.6. However i can not access\ping any local devices on the 10.20.0.0 LAN. I can however ping and access the psense gateway\firewall which is on 10.20.0.1.

From the LAN i cant ping the VPN client. However from the gateway\firewall i can do a successfully ping to the VPN client.

As you will no doubt tell from the above description, My knowledge of networks is limited and i'm a Psense newbie, but something is telling me i may need to do some port forwarding. (From looking at the working OPENVPN setup on the other interface, i cant see anything obvious that i should be changing and the openvpn setup seems identical apart from the tunnel network address)

Any help would be greatly appreciated.

Thanks

viragomann

Check if the routes are set correctly at the client? Run "route print" at the Windows command line while the VPN is established and post the output, please.

bigp

Thanks Viragomann,

Here is the result of my route print.

Many thanks for your time.

notworking_route.txt
[working route.txt](/public/imported_attachments/1/working route.txt)

viragomann

I think the "IPv4 Local Networks" must be set wrong at server. It seems you have 10.20.0.0/16 there for your LAN instead of 10.20.0.0/24, so it includes your tunnel subnet at the failing setup, but not at the working one.

bigp

Sorry Viragomann

but can you point me in the direction where I would check this? is it a forwarding rule?

many thanks

bigp

just another question could I not just change the tunnel network to another address instead?

viragomann

No, that's in the OpenVPN server settings. Go down to "IPv4 Local Networks" and check your entry.

viragomann

@viragomann:

No, that's in the OpenVPN server settings. Go down to "IPv4 Local Networks" and check your entry.

Yes, any tunnel subnet beyond 10.20.0.0/16 (10.20.0.0 - 10.20.255.255) should work also.

bigp

Please see attached. I do have redirect gate way enabled. But when unchecking that I can see the ipv4 local networks to be 10.20.0.0/24?

setup.png_thumb

viragomann

Yeah, you have redirect gateway, so there are no further route needed.
But you have strange routes at your client that are caused by the OpenVPN setup.

Do you have something special in the "Custom options" in the server settings or client specific overrides?

bigp

I will check them out, but i don't believe i have any custom options set. Is there a way i can generate the OpenVPN server config and post it?

viragomann

Just make screenshots and add it to your post as attachments. Don't use spaces in the file names.

bigp

Just checked I have no client specific overrides and I have nothing set in advanced configuration.

Re:
Do you have something special in the "Custom options" in the server ? Where would I find custom options?

viragomann

In the server config right down at the bottom.

It would be more meaningful to post screenshots here. It's easy.

bigp

viragomann please find attached server screenshots

![SERVER CONFIG 1.png](/public/imported_attachments/1/SERVER CONFIG 1.png)
![SERVER CONFIG 1.png_thumb](/public/imported_attachments/1/SERVER CONFIG 1.png_thumb)
![SERVER CONFIG 2.png](/public/imported_attachments/1/SERVER CONFIG 2.png)
![SERVER CONFIG 2.png_thumb](/public/imported_attachments/1/SERVER CONFIG 2.png_thumb)
![SERVER CONFIG 3.png](/public/imported_attachments/1/SERVER CONFIG 3.png)
![SERVER CONFIG 3.png_thumb](/public/imported_attachments/1/SERVER CONFIG 3.png_thumb)
![SERVER CONFIG 4.png](/public/imported_attachments/1/SERVER CONFIG 4.png)
![SERVER CONFIG 4.png_thumb](/public/imported_attachments/1/SERVER CONFIG 4.png_thumb)

viragomann

Everything looks fine in the setup. So I've no Idea where the strange routes come from.
Maybe they are not from the VPN setup. Make a route print on your Windows while no VPN is connected.

bigp

Hi - I have attached 3 route prints. One without any VPN as requested. One with the working VPN for the other WAN link, and one for the non working wan link.

Route_with_no_connection.txt
Route_with_not_working_WANVPNinterface.txt
Route_with_working_WANVPNinterface.txt

viragomann

Obviously the strange route is caused by the VPN connection.

10.20.0.0      255.255.0.0        10.20.0.1        10.20.2.6     31

But your config looks well. So no idea why.

So try to change the VPN tunnel subnet to 10.23.0.0/24 or any other outside of 10.20.0.0/16.

bigp

Ok so I've changed the tunnel to what you suggested and I now have access to both the local network and gateway https://forum.pfsense.org/Smileys/default/grin.gif

However I know cant access the internet? getting closer lol

viragomann

For accessing the internet over VPN it's needed to add an outbound NAT rule for each VPN tunnel subnet. Firewall > NAT > Outbound

By default, pfsense does this automatically if your outbound NAT is set to automatic or hybrid rule generation. But if you change the tunnel that could fail.