Access Webconfigurator on standby firewall's LAN interface from OpenVPN Client

HerticWild

We want to disable external Webconfigurator access to our firewalls.
Before we can do that, we have to be able to connect to the Webconfigurator via the LAN interfaces of both servers.
We have OpenVPN configured to use a CARP IP.
We are using HASync to keep the 2 firewalls the same (FW1, FW2).
We can connect to the GUI via FW1's lan interface but we can not connect to the standby via it's LAN interface. We can only access the GUI via the WAN.
I think it's a routing issue as the firewall rules are in place to allow OpenVPN clients GUI access. When I look at the routes, the only difference I see is on the one currently running OpenVPN (FW1):

Dest 192.168.1.0/24
GW 192.168.1.2
Flag UGS
Use 1752640
MTU 1500
Netif ovpns2

Dest 192.168.1.2
GW link#16
Flag UH
USE 644803
MTU 1500
Netif ovpns2

Those 2 routes.

Do I need to add a static route on FW1 from the OpenVPN client network to the LAN interface of FW2?

If I do that - what happens when FW1 goes away, and OpenVPN starts running on FW2?

Or is there a better way to achieve this?

viragomann

A solution for that is described here under "You cannot reach the slave pfSense via OpenVPN":
https://vorkbaard.nl/openvpn-in-a-pfsense-carp-cluster

HerticWild

@viragomann
Worked like a charm - thanks!