Netgate Discussion Forum

    Net30 Topology: No incoming traffic

      nexodev

      Hello,

      Unfortunately this provides the same result (100% packet loss) as from the command line, independent of the source address I choose.

        viragomann

        Have you set outbound NAT rules for the VPN clients interface or did pfSense set them automatically?
        Please post a screenshot if you're not sure.

          nexodev

          No, there are no VPN related NAT outbound rules. (Automatic outbound NAT rule generation)
          There are only two WAN autogenerated rules, with source 127.0.0.0/8.

          Are outbound NAT rules required? At the moment, the pfSense machine is not yet used as a router, and I try to access the remote network from the pfSense machine directly.

            viragomann

            Have you even assigned an interface to the vpn client?

              nexodev

              Yes

              Edit: there are two interfaces, WAN and LAN.
              The pfSense machine lies in a Microsoft Azure network.
              The WAN interface is connected to the cloud network and the LAN interface is assigned to the OpenVPN client.

                viragomann

                @nexodev:

                the LAN interface is assigned to the OpenVPN client.

                What does this mean?

                You're running an OpenVPN client on pfSense, right?
                So you have to assign an interface to the OpenVPN clients instance.
                Interfaces > assign
                select the OpenVPN client instance (e.g. ovpnc1) and hit Add
                Open the new interface and enable it, you may also assign a custom name and save it.

                By default pfSense generates outbound NAT rules automatically when you do that.

                  nexodev

                  @viragomann:

                  You're running an OpenVPN client on pfSense, right?
                  So you have to assign an interface to the OpenVPN clients instance.
                  Interfaces > assign
                  select the OpenVPN client instance (e.g. ovpnc1) and hit Add
                  Open the new interface and enable it, you may also assign a custom name and save it.

                  Yes, this is what I did.
                  I deleted and recreated the interface as you described to be sure.
                  But no outbound NAT rules are generated.

                    viragomann

                    So add it by yourself.

                    Switch the outbound NAT rule generation mode to Hybrid.
                    Then add rules to the OpenVPN clients interface for LAN network and pfSense comparably to the existing ones for WAN.

                    One with
                    interface = <OpenVPN clients interface>
                    source = LAN net
                    Other options at the default values.

                    a second with
                    interface = <OpenVPN clients interface>
                    source = 127.0.0.0/8

                      nexodev

                      Okay, by LAN net you mean the local network of my pfSense machine?
                      Because LAN is also the name of the interface which is associated with the VPN, while the interface called "WAN" is associated to the local network (confusing, I know..)

                      I attached a screenshot of the current configuration

                      nat-outbound.png

                        viragomann

                        Yes, pfSense uses this notation. "LAN net" is the network assigned to the LAN interface in firewall rules. In the outbound NAT rules the network has to be entered manually.
                        However, the network in that rule has to be that one from which you want to access the devices behind the VPN (the internal network, obviously the WAN network in your case).

                        If you're accessing from WAN interface, ensure that you've unchecked "block private networks" in the WAN interface settings and that you have a firewall rule in place on WAN interface to permit the access.

                          nexodev

                          Hmm, even with rules that allow everything, still no success..

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.