Netgate Discussion Forum
    LAN can reach VPN subnet, but PFSense cannot

    OpenVPN
    3 Posts 3 Posters 436 Views
    Fmstrat

      Hi all,

      I've got an OpenVPN client running on pfSense that connects just fine, and the firewall route is in place so that any host can reach 192.168.6.0/24. This works great on any machine on the LAN. I now want to do a Domain Override in the DNS Resolver section that drives any queries for that domain to 192.168.6.XX.

      These queries fail. I noticed that when SSH'd into pfSense, I can't ping 192.168.6.XX, but I can from a machine on the LAN. Any idea what rule is required to allow this?

      Thanks.

      Derelict (LAYER 8, Netgate)

        Look at the source address of the queries to the 192.168.6.X DNS server. The other side will need to know how to route back to that.

        Assigning an interface at the 192.168.6.X side might be enough since you'll have the benefit of reply-to there.

        Else you could use outbound NAT on OpenVPN so the DNS queries would look like they came from the tunnel address so replies would work. You would need an assigned interface at the source end for that.

        OP was kind of lacking in details as to exactly what is where, so these are somewhat-educated guesses.

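The point in the reply above is that a query the firewall sends itself can leave with a different source address than a LAN host's query would, and the far end of the tunnel only knows how to route back to some of those sources. The following Python model is an added example (not code from the thread or from pfSense) that makes that visible: it runs a longest-prefix route lookup on a constructed remote-side routing table for the source address the DNS reply has to go back to, first as-is and then with the outbound NAT on the OpenVPN interface suggested in the reply. All addresses, the route entries, and the choice of which source address the firewall uses for its own traffic are assumptions for illustration; on a real system the source address is whatever a packet capture on the OpenVPN interface shows.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed topology (assumption for this example, not taken from the thread):
#   local LAN 192.168.1.0/24, OpenVPN tunnel 10.8.0.0/24 with the local client
#   holding 10.8.0.2, remote LAN 192.168.6.0/24 with a DNS server on it.
LOCAL_TUNNEL_ADDR = "10.8.0.2"
LOCAL_WAN_ADDR = "203.0.113.10"   # assumed source for firewall-originated traffic
REMOTE_DNS = "192.168.6.10"

# Constructed remote-side routing table: (destination network, egress).
# The remote end has a route back to the local LAN (which is why LAN hosts
# work) but knows nothing about the local firewall's WAN address.
REMOTE_ROUTES: List[Tuple[str, str]] = [
    ("192.168.6.0/24", "lan"),
    ("10.8.0.0/24", "tun0"),
    ("192.168.1.0/24", "tun0"),
    ("0.0.0.0/0", "wan"),
]


def lookup(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: return the egress for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else None


def outbound_nat(src: str, nat_on_openvpn: bool) -> str:
    """Model of an outbound NAT rule on the OpenVPN interface that rewrites
    any source to the tunnel interface address (the reply's suggestion)."""
    return LOCAL_TUNNEL_ADDR if nat_on_openvpn else src


def reply_egress(src: str, nat_on_openvpn: bool = False) -> Optional[str]:
    """Egress the remote side would use for the DNS reply to a query that
    arrived with source address src (after optional outbound NAT)."""
    seen_src = outbound_nat(src, nat_on_openvpn)
    return lookup(REMOTE_ROUTES, seen_src)


def dns_query_works(src: str, nat_on_openvpn: bool = False) -> bool:
    """The reply only gets back to the querier if it is sent down the tunnel."""
    return reply_egress(src, nat_on_openvpn) == "tun0"


if __name__ == "__main__":
    # LAN host: remote side routes the reply back through the tunnel.
    print("LAN host 192.168.1.50:", dns_query_works("192.168.1.50"))
    # Firewall itself, sourcing from its WAN address: reply leaves the remote
    # side's WAN instead of the tunnel, so the query times out.
    print("firewall, no NAT:", dns_query_works(LOCAL_WAN_ADDR),
          "(reply egress:", reply_egress(LOCAL_WAN_ADDR), ")")
    # Same query with outbound NAT to the tunnel address: reply comes back.
    print("firewall, NAT on OpenVPN:", dns_query_works(LOCAL_WAN_ADDR, True))
```

The model also shows the other fix in the reply: adding a remote-side route for the firewall's actual source address (an entry pointing at `tun0`) would make `reply_egress` return the tunnel without any NAT, which is what an assigned interface with a proper route on the far side achieves.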
        marvosa

          If your routing and firewall rules allow it, it should just work. There are several variables to account for though, so we need more details.

          • Post your server1.conf and client1.conf.

          • What are you allowing through the tunnel? Post the firewall rules from the OpenVPN tab on both ends.

          • Is the remote end using pfSense for DNS or something else (e.g. AD, Infoblox, etc.)?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.