VPN Routing Not on Edge
-
I have a pfsense box set up as a non-edge device, running services like DNS, DHCP and OpenVPN for me.
OpenVPN is set up and works, as clients are able to establish a connection and I can hit the pfsense box when clients are connected. But any other traffic is not being routed. VPN clients are unable to ping any other clients on the LAN and traffic to the internet is not passing.
What am I missing exactly?
Does anyone have example firewall configs for a similar setup that they could share? Most examples I see have separate interfaces for WAN and LAN networks.
Thanks!
Joe -
If the VPN is only for your own purposes add an S-NAT rule (outbound NAT), which translates the source address of outgoing packets to the interface address.
-
So I have the following configured under Firewall -> NAT -> Outbound
Interface: LAN
Source: 192.168.15.0/24 (my OVPN net)
SourcePort *
Destination *
NAT Address: Interface address
Same behavior, I can hit any services running on the pfsense box, on any interface (ovpn address or LAN address)
But I can't hit anything else on my LAN network, or anything beyond my edge.
Any other details I can provide to help debug this?
Thanks!
-
Have you switched the outbound NAT mode to hybrid or manual?
If you haven't, you can add rules, but with no effect.
-
Outbound NAT mode is set to Hybrid
FWIW, there are also no automatic NAT rules generated. -
Can you access the LAN devices from pfSense itself? e.g. ping.
You also want to route internet traffic over the vpn? So have you checked "Redirect gateway" in the OpenVPN server settings?
What do the routes on the client look like?
-
Can you access the LAN devices from pfSense itself? e.g. ping.
Yes. Can ping hosts on the LAN network from pfsense no problem.
You also want to route internet traffic over the vpn? So have you checked "Redirect gateway" in the OpenVPN server settings?
Correct, I have that option checked on the server side, and also tried setting the option on the client config side.
What do the routes on the client look like?
Only client I have to test with at the moment is an Android phone, which makes getting routing info a bit of a pain. But here is the output from ip route show run in a terminal emulator:
100.111.128.0/19 dev wlan0 proto kernel scope link src 100.111.143.150
192.168.15.0/24 dev tun0 proto kernel scope link src 192.168.15.2
-
The output doesn't show any route. It only shows network settings of the interfaces.
I'm not familiar with Android, so cannot give hints. However, the OpenVPN client should log the connection establishing. There you will get details if adding the routes succeed or not.
-
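The reply above points out that the two lines the phone printed are only the link-scope entries for its interfaces, not the routes OpenVPN should have pushed. The script below is an added example, not code from the thread or from pfSense or OpenVPN: it parses Linux `ip route show` output and does a longest-prefix lookup for a LAN host and for internet addresses in both halves of the IPv4 space, so it detects both a plain `default` route over the tunnel and the `0.0.0.0/1` + `128.0.0.0/1` pair that OpenVPN's redirect-gateway "def1" mode installs. The LAN subnet (192.168.1.0/24), the tunnel gateway and the "working" sample dump are assumptions for the example; the "broken" sample mirrors the two lines posted above.

```python
"""Check an `ip route show` dump for the routes an OpenVPN client needs.

Added example (not from the forum thread). Two questions are answered:
  1. Is the remote LAN reachable through the tunnel device?
  2. Is internet traffic redirected through the tunnel?
Question 2 is answered by probing one address in each half of the IPv4
space, because OpenVPN's redirect-gateway def1 mode does not replace the
default route; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead.
"""
import ipaddress

# Constructed sample mirroring the phone output posted in the thread:
# only the interfaces' own subnets, nothing pushed by the VPN server.
SAMPLE_BROKEN = """\
100.111.128.0/19 dev wlan0 proto kernel scope link src 100.111.143.150
192.168.15.0/24 dev tun0 proto kernel scope link src 192.168.15.2
"""

# Constructed sample of a working client (assumed LAN 192.168.1.0/24,
# assumed tunnel gateway 192.168.15.1, def1-style split default route).
SAMPLE_WORKING = """\
0.0.0.0/1 via 192.168.15.1 dev tun0
default via 100.111.128.1 dev wlan0
100.111.128.0/19 dev wlan0 proto kernel scope link src 100.111.143.150
128.0.0.0/1 via 192.168.15.1 dev tun0
192.168.1.0/24 via 192.168.15.1 dev tun0
192.168.15.0/24 dev tun0 proto kernel scope link src 192.168.15.2
"""


def parse_routes(text):
    """Return [(destination network, device)] from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        # `ip route` prints the default route as the word "default".
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def next_hop_device(routes, address):
    """Longest-prefix match: the device the kernel would use for `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def diagnose(text, lan="192.168.1.0/24", tun="tun0"):
    """Report whether LAN and internet traffic would leave via the tunnel."""
    routes = parse_routes(text)
    lan_probe = ipaddress.ip_network(lan)[1]          # first usable LAN host
    # One documentation-range address below 128.0.0.0 and one above it.
    internet_probes = ("198.51.100.1", "203.0.113.1")
    return {
        "lan_via_tunnel": next_hop_device(routes, lan_probe) == tun,
        "internet_via_tunnel": all(next_hop_device(routes, p) == tun
                                   for p in internet_probes),
    }


if __name__ == "__main__":
    for name, dump in (("broken", SAMPLE_BROKEN), ("working", SAMPLE_WORKING)):
        print(name, diagnose(dump))
```

Run it against a real dump by replacing the sample text with the output of `ip route show`; if `lan_via_tunnel` is false the server is not pushing a route for the LAN (or the client rejected it, which the OpenVPN client log will show), and if `internet_via_tunnel` is false the redirect-gateway option never reached the client.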
Well I managed to figure it out. Turns out I am an idiot. When I moved the machine off my edge, I had disabled the firewall under advanced settings.
I had forgotten about this, and it turns out, as the helpful text points out, this also disables any NAT functionality.
So after enabling the firewall, everything works as expected!
Thanks for the help! And sorry for the confusion.