[SOLVED] OpenVPN 2.4 tap bridge problem access to LAN

Irbis

Forgot to say that pfsense is also installed on the virtual machine VMware (ESXi + distributed switch). The search led to the need to enable promiscuous mode.
But not….

Irbis

Someone tell me how to build a bridge correctly.
IMHO the problem is in the bridge, more precisely in ARP.

Irbis

WAIDW?

bk

@Irbis:

Someone tell me how to build a bridge correctly.
IMHO the problem is in the bridge, more precisely in ARP.

In the past I followed this post (https://forum.pfsense.org/index.php?topic=46984.0) and had the same problem as you but on another hypervisor (Hyper-V).
The solution was to enable "MAC spoofing" on the pfSense's LAN interface which is a member of the bridge. The other bridge member is the interface assigned to OpenVPN's Remote Access-mode (tap) server.

For ESXi the solution is the same:

Irbis

Thanks for the reply.
But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable  only on private VLAN. As I understand, it need to setup only VLAN to which  belongs the LAN adapter pfsense.

bk

@Irbis:

Thanks for the reply.
But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable  only on private VLAN. As I understand, it need to setup only VLAN to which  belongs the LAN adapter pfsense.

See this article: http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6
Security
Security Settings are on a Distributed Switch Portgroup are exactly the same as those found on the properties of the Standard Switch or its portgroups. The following information is a direct copy of the information from the Standard Switch content.

By default Promiscuous Mode is set to reject - and this prevents packet capturing software installed to compromised virtual machine for being used to gather more network traffic to facilitate a hack. Nonetheless it could modified by a genuine network administrator to capture packets as part of network troubleshooting. Even with this option enabled it would not stop an administrator from receiving packets to the VM. Another reason to change this option to Accept if you want to run intrusion detection software inside a VM. Such intrusion detection needs to be able to sniff network traffic as part its process of protecting the network. Finally, a less well-known reason for loosening the security on promiscuous mode is to allow so called "Nested ESX" configurations. This is where ESX is installed into a VM. This generally done in homelab and testing environments, not generally recommended for production use.

Irbis

I turned on promiscuous mode, but it didn't help.
Noticed the following things when working through a tunnel.
Do ping machines behind pfsense is also ( let it be 10.3.100.250) through the tunnel
Have:
1 - the local machine (10.1.70.129) through the tunnel sends an icmp packet to the address 10.3.100.250
2 - pfsense is also not located with the end destination on the same network and sends the packet to the default gateway (10.1.70.254)
3 - next package in the chain, which we do not particularly interesting, gets on 10.3.100.250
4 - 10.3.100.250 sends a response which falls as a result 10.1.70.254
5 - 10.1.70.254 asks what mac have  10.1.70.129?
6 - 10.1.70.129 says: my mac is xx:xx:xx:xx:xx:xx:xx:xx
7 - This ARP reply never reaches 10.1.70.254!
8 - 10.1.70.254 asked again but no reply and receives. As a result packet with the answer to ping is lost.

The question is: why pfsense is also reject ARP from local machine?

jimp

You have to enable all of those. It has to be able to do forged transmits and MAC changes or it can't send out traffic from bridged clients, and it needs promiscuous mode to receive the taffic.

johnpoz

Out of curiosity why are you trying to setup tap, actual use of tun is almost always a better choice.  What are you doing that you need layer 2 access across the vpn?

jtl

Some people need to be bridged to their LAN for special reasons, for example I'm trying to bridge my management VLAN to a OpenVPN TAP instance. Some embedded devices on that VLAN don't like being accessed from outside their subnet, for example.

Regardless it would be great to have this issue fixed. I managed to get tap bridged with LAN on my bare-metal pfSense instance but I can't access any services hosted on the pfSense instance itself such as WebGUI/DNS, etc. I can ping it though.

Irbis

Fixed problem with access.
Many thanks to all responded!

The solution is to enable forged transmits on a distribution switch (LAN interface). In pfsense is also not a problem. Bug proved in the settings of the switches.