Netgate Discussion Forum

(SOLVED) I disabled pfSense DHCP and now I can't ping any LAN host from VPN

OpenVPN | 13 Posts 4 Posters 2.2k Views
viragomann

Do you try to connect to host names or IPs?

Do you drive the OpenVPN server in tap mode?

tgilcas

Thanks for the help, I have the OpenVPN server running in tun mode.
I could not ping any IP or hostname.

I solved it!

Here is the solution if others have the same problem as me.

It was that, with DHCP disabled on pfSense, Automatic NAT doesn't route the OpenVPN IPs to the internal LAN any more, so I changed to Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below) and added a mapping rule so the source (OpenVPN IPs) can get to the LAN IPs. And that was all.

Now I can ping any IP or connect to shared folders.

johnpoz LAYER 8 Global Moderator

Huh?

Makes ZERO sense.. Are you trying to say that turning off the DHCP server on the LAN network removes the OpenVPN tunnel network from the automatic NAT? Yeah, that makes no sense at all.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

tgilcas

Yes, this is what I am saying. I had to manually add a route; here is a picture.

With DHCP disabled it doesn't route OpenVPN to the LAN. With DHCP enabled, I did not have to add this route.

johnpoz LAYER 8 Global Moderator

Dude, your source NATting is all… See how you picked the LAN interface.. What you're doing there is NATting traffic that comes in from your OpenVPN to the LAN IP address of pfSense!!

You can see in your automatic rules that 10.12.0/14 is still being NATted outbound..

You for sure do not need to do what you're doing to access shit on your LAN from OpenVPN.. Unless you're trying to fool their host firewalls into thinking you're on their network. Or they use some other gateway than pfSense.


Derelict LAYER 8 Netgate

That NAT rule makes no sense. And it is not a route. It is an outbound NAT rule. It has nothing to do with the DHCP server or the direction in which traffic flows (is routed).

I assume 10.12.10.0/24 is your OpenVPN tunnel address?

What that rule is doing is telling the system to masquerade all traffic from 10.12.10.0/24 to the LAN address on their way out LAN. One reason to do that is if the hosts on LAN have a default gateway that is not that pfSense node. Another would be the hosts on LAN do not have a default gateway set at all.

That rule would NEVER be created by Automatic NAT, DHCP server or not.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

tgilcas

Okay, yes I understand, outbound NAT doesn't have anything to do with the DHCP server, I get it. And yes, 10.12.10.0/24 is my OpenVPN address, but there is something I don't get. Why, when pfSense had the DHCP server and DNS forwarding enabled, did I not need to map that rule?

When I disabled it and had Windows Server handle the DHCP server and DNS for my computers on the LAN, I could not connect to any computer any more over VPN unless I added that mapping rule.

What is the correct way to configure it?

Derelict LAYER 8 Netgate

Is the other DHCP server giving all the correct information? Particularly pfSense as the client hosts' default gateway?


tgilcas

This is what a machine on the LAN receives from the Windows Server DHCP:

Gateway is 10.13.11.1 (pfSense)

10.13.11.20 (Windows Server 2016)

johnpoz LAYER 8 Global Moderator

Dude, your mask is /8 – WTF?? 255.0.0.0

Yeah, that is BORKED... So now your tunnel network is the client's source network.. So why would he talk to the gateway to get back out the tunnel?


tgilcas

Well, I did not really understand what you said.

That was a capture from a virtual machine on Hyper-V. I connect from my house using a Mac (Viscosity) to the OpenVPN that pfSense has configured. I can't ping any PC on the LAN (office computers) if I don't map OpenVPN to LAN in the pfSense NAT, but you're saying I don't need to map to get to the LAN, and that it's not the correct or good way to do it (that's what you said before).

So now, the mask 255.0.0.0 has nothing to do with that.

The Windows Server DHCP server gives out 10.13.11.100-254 IPs; the default gateway is pfSense 10.13.11.1.

johnpoz LAYER 8 Global Moderator

Dude, a mask of 255.0.0.0 means that

10.anything is the same network..

10.13.11.100 is the same network as 10.12.10

So a client on 10.13.11.100 that gets traffic from something, say 10.12.10.14, would just say oh hey buddy nice to talk to you.. Here is my answer.. It would NOT send it to its gateway because it's the same network… Fix your mask to be 24 bit and your problem will go away.


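As an added illustration (not posted by anyone in this thread), a small Python model of johnpoz's explanation: a LAN host leased 10.13.11.100 with mask 255.0.0.0 treats the 10.12.10.0/24 tunnel as on-link and never hands its replies to pfSense at 10.13.11.1, which is also why tgilcas's outbound NAT rule appeared to fix it. The client address 10.12.10.14 is from johnpoz's post; the `nat_to_lan_addr` flag and the `check_lease` helper are this model's own assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values taken from the thread: LAN host lease from the Windows DHCP server,
# pfSense as the LAN gateway, the OpenVPN tunnel network. The VPN client
# address is johnpoz's example; the NAT flag below is this model's assumption.
LAN_GATEWAY = "10.13.11.1"
TUNNEL_NET = "10.12.10.0/24"
VPN_CLIENT = "10.12.10.14"


def next_hop(host_ip: str, netmask: str, gateway: str, dst: str) -> str:
    """How a LAN host forwards a packet to dst: ARP for it directly
    ('on-link') or hand it to its default gateway ('via <gw>')."""
    iface = ip_interface(f"{host_ip}/{netmask}")
    if ip_address(dst) in iface.network:
        return "on-link"
    return f"via {gateway}"


def reply_path(host_ip: str, netmask: str, gateway: str,
               vpn_client: str = VPN_CLIENT, nat_to_lan_addr: bool = False) -> str:
    """Trace the echo reply from a LAN host back to a VPN client.
    Only pfSense (the gateway) has a route into the tunnel; the LAN wire
    does not. nat_to_lan_addr models the outbound NAT rule from the thread,
    which rewrites the client's source to the pfSense LAN address."""
    src_seen = gateway if nat_to_lan_addr else vpn_client
    hop = next_hop(host_ip, netmask, gateway, src_seen)
    if hop == "on-link" and src_seen == vpn_client:
        # Host ARPs for a tunnel address on the LAN segment; nobody answers.
        return "lost"
    return "delivered"


def check_lease(host_ip: str, netmask: str, gateway: str,
                tunnel_net: str = TUNNEL_NET) -> list:
    """Findings for a DHCP lease that would break routed (non-NATed) VPN access."""
    findings = []
    iface = ip_interface(f"{host_ip}/{netmask}")
    tunnel = ip_network(tunnel_net)
    if ip_address(gateway) not in iface.network:
        findings.append("default gateway is outside the host's subnet")
    if iface.network.overlaps(tunnel):
        findings.append(f"mask {netmask} makes tunnel {tunnel} look on-link "
                        f"inside {iface.network}; replies bypass {gateway}")
    return findings


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        print(mask, reply_path("10.13.11.100", mask, LAN_GATEWAY),
              check_lease("10.13.11.100", mask, LAN_GATEWAY))
```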
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.