Netgate Discussion Forum

    [SOLVED] OpenVPN 2.4 tap bridge problem access to LAN

    18 Posts 6 Posters 9.2k Views
Irbis:

Forgot to say that pfSense is installed on a VMware virtual machine (ESXi + distributed switch). Searching led to the need to enable promiscuous mode.
But no….

Irbis:

Can someone tell me how to build a bridge correctly?
IMHO the problem is in the bridge, more precisely in ARP.

Irbis:

          WAIDW?

bk:

            @Irbis:

Can someone tell me how to build a bridge correctly?
IMHO the problem is in the bridge, more precisely in ARP.

            In the past I followed this post (https://forum.pfsense.org/index.php?topic=46984.0) and had the same problem as you but on another hypervisor (Hyper-V).
            The solution was to enable "MAC spoofing" on the pfSense's LAN interface which is a member of the bridge. The other bridge member is the interface assigned to OpenVPN's Remote Access-mode (tap) server.

            For ESXi the solution is the same:

Irbis:

              Thanks for the reply.
But what if a VMware distributed switch is used? There is no setting to enable promiscuous mode globally. I can enable it only on a private VLAN. As I understand it, it needs to be set up only on the VLAN to which the pfSense LAN adapter belongs.

bk:

                @Irbis:

                Thanks for the reply.
But what if a VMware distributed switch is used? There is no setting to enable promiscuous mode globally. I can enable it only on a private VLAN. As I understand it, it needs to be set up only on the VLAN to which the pfSense LAN adapter belongs.

                See this article: http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6
                Security
Security settings on a Distributed Switch portgroup are exactly the same as those found in the properties of the Standard Switch or its portgroups. The following information is a direct copy of the information from the Standard Switch content.

By default Promiscuous Mode is set to Reject, and this prevents packet-capturing software installed on a compromised virtual machine from being used to gather more network traffic to facilitate a hack. Nonetheless it can be modified by a genuine network administrator to capture packets as part of network troubleshooting. Even with this option enabled it would not stop an administrator from receiving packets to the VM. Another reason to change this option to Accept is if you want to run intrusion detection software inside a VM. Such intrusion detection needs to be able to sniff network traffic as part of its process of protecting the network. Finally, a less well-known reason for loosening the security on promiscuous mode is to allow so-called "Nested ESX" configurations. This is where ESX is installed into a VM. This is generally done in homelab and testing environments and is not generally recommended for production use.

Irbis:

I turned on promiscuous mode, but it didn't help.
I noticed the following when working through the tunnel.
I ping a machine behind pfSense (let it be 10.3.100.250) through the tunnel.
What happens:
1 - the local machine (10.1.70.129) sends an ICMP packet through the tunnel to the address 10.3.100.250
2 - pfSense is not on the same network as the final destination and sends the packet to the default gateway (10.1.70.254)
3 - the next hops in the chain, which are not particularly interesting to us, deliver the packet to 10.3.100.250
4 - 10.3.100.250 sends a response, which ends up at 10.1.70.254
5 - 10.1.70.254 asks: what MAC does 10.1.70.129 have?
6 - 10.1.70.129 says: my MAC is xx:xx:xx:xx:xx:xx:xx:xx
7 - This ARP reply never reaches 10.1.70.254!
8 - 10.1.70.254 asks again but receives no reply. As a result the packet with the ping answer is lost.

The question is: why does pfSense reject ARP from the local machine?

jimp (Rebel Alliance Developer, Netgate):

You have to enable all of those. It has to be able to do forged transmits and MAC changes or it can't send out traffic from bridged clients, and it needs promiscuous mode to receive the traffic.

johnpoz (LAYER 8 Global Moderator):
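To make the settings in jimp's reply concrete, here is an added example (not code from the thread or from VMware) that models how a dvPortgroup's Promiscuous Mode and Forged Transmits policies treat the frames from Irbis's step list; the MAC addresses are constructed, and MAC Address Changes is carried in the policy but not exercised because it only matters when the guest alters the vNIC's own MAC.

```python
# Toy model of the three vSphere portgroup security policies applied to a
# pfSense VM whose LAN vNIC is bridged to an OpenVPN tap. Added example for
# this thread (not VMware's or the thread's code); all MACs are constructed.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Policy:
    promiscuous: bool        # Promiscuous Mode: Accept=True, Reject=False
    mac_changes: bool        # MAC Address Changes (not exercised here)
    forged_transmits: bool   # Forged Transmits

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    what: str                # description of the frame

def egress_allowed(policy: Policy, vnic_mac: str, frame: Frame) -> bool:
    """Frame leaving the vNIC for the dvSwitch. With Forged Transmits set to
    Reject, any frame whose source MAC is not the vNIC's own MAC is dropped;
    a bridged OpenVPN client's frames always carry the client's MAC."""
    return policy.forged_transmits or frame.src_mac.lower() == vnic_mac.lower()

def ingress_allowed(policy: Policy, vnic_mac: str, frame: Frame) -> bool:
    """Frame arriving from the dvSwitch. Broadcast, multicast and frames for
    the vNIC's own MAC are always delivered; unicast to any other MAC (the
    bridged client's) is delivered only with Promiscuous Mode = Accept."""
    dst = frame.dst_mac.lower()
    if dst in (vnic_mac.lower(), BROADCAST) or int(dst[:2], 16) & 1:
        return True
    return policy.promiscuous

# Constructed addresses for the scenario in the thread
PFSENSE_LAN_MAC = "00:50:56:aa:bb:cc"   # pfSense LAN vNIC
CLIENT_MAC = "02:11:22:33:44:55"        # bridged OpenVPN client 10.1.70.129
GATEWAY_MAC = "00:50:56:dd:ee:ff"       # default gateway 10.1.70.254

ARP_REQUEST = Frame(GATEWAY_MAC, BROADCAST, "gateway asks: who has 10.1.70.129?")
ARP_REPLY = Frame(CLIENT_MAC, GATEWAY_MAC, "client replies: 10.1.70.129 is at my MAC")
ECHO_REPLY = Frame(GATEWAY_MAC, CLIENT_MAC, "gateway forwards the ICMP echo reply")

def dropped_frames(policy: Policy) -> list:
    """Descriptions of the frames the dvSwitch drops under a given policy."""
    drops = [f.what for f in (ARP_REQUEST, ECHO_REPLY)    # towards pfSense
             if not ingress_allowed(policy, PFSENSE_LAN_MAC, f)]
    if not egress_allowed(policy, PFSENSE_LAN_MAC, ARP_REPLY):   # from pfSense
        drops.append(ARP_REPLY.what)
    return drops
```

With only Promiscuous Mode accepted, the model drops exactly the client's ARP reply, which is step 7 in Irbis's list; accepting Forged Transmits as well lets it through.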

Out of curiosity, why are you trying to set up tap? Actual use of tun is almost always a better choice. What are you doing that you need layer 2 access across the VPN?

jtl:

Some people need to be bridged to their LAN for special reasons; for example, I'm trying to bridge my management VLAN to an OpenVPN TAP instance. Some embedded devices on that VLAN don't like being accessed from outside their subnet, for example.

                        Regardless it would be great to have this issue fixed. I managed to get tap bridged with LAN on my bare-metal pfSense instance but I can't access any services hosted on the pfSense instance itself such as WebGUI/DNS, etc. I can ping it though.

Irbis:

Fixed the problem with access.
Many thanks to all who responded!

The solution is to enable forged transmits on the distributed switch (LAN interface). In pfSense there is no problem; the bug proved to be in the settings of the switches.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.