SG-1100 cannot reach LAN beyond PFSense firewall using Openvpn wizard
-
After unsuccessfully searching this forum, Google, and the pfSense book, I am still stuck.
I have used the wizard to set up an OpenVPN instance on my Netgate device. I can connect from outside the network.
From the GUI server configuration page:
IPv4 Tunnel Network is: 10.8.2.0/24
IPv4 Local Network is: 172.20.1.0/24
Topology is Subnet
There are automatically generated outbound NAT rules I don't really understand, but they do contain the above networks.
There is a firewall rule on the WAN allowing connections to 1194.
There is a firewall rule on the OpenVPN tab allowing all created by the wizard.
I can ping 10.8.2.1
I can ping 10.8.2.2 (self)
I can ping 172.20.1.1 (SG-1100)
I cannot ping 172.20.1.3

Route from SG-1100:
default XX.XXX.184.1 UGS 87264 1500 mvneta0.4090
10.8.2.0/24 10.8.2.2 UGS 0 1500 ovpns1
10.8.2.1 link#13 UHS 0 16384 lo0
10.8.2.2 link#13 UH 9 1500 ovpns1
XX.XXX.184.0/22 link#10 U 31950 1500 mvneta0.4090
XX.XXX.186.1 link#10 UHS 0 16384 lo0
127.0.0.1 link#7 UH 327 16384 lo0
172.20.1.0/24 link#11 U 459909 1500 mvneta0.4091
172.20.1.1 link#11 UHS 0 16384 lo0

Route of client when connected to OpenVPN:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.230 192.168.43.160 35
10.8.2.0 255.255.255.0 On-link 10.8.2.2 291
10.8.2.2 255.255.255.255 On-link 10.8.2.2 291
10.8.2.255 255.255.255.255 On-link 10.8.2.2 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.20.1.0 255.255.255.0 10.8.2.1 10.8.2.2 291
192.168.43.0 255.255.255.0 On-link 192.168.43.160 291
192.168.43.160 255.255.255.255 On-link 192.168.43.160 291
192.168.43.255 255.255.255.255 On-link 192.168.43.160 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.43.160 291
224.0.0.0 240.0.0.0 On-link 10.8.2.2 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.43.160 291
255.255.255.255 255.255.255.255 On-link 10.8.2.2 291

Persistent Routes:
None

Sorry the formatting is terrible.
There are no log entries from firewall indicating a block.
In the past, when I've created a tunnel setup on Ubuntu, I had to enter NAT rules with masquerade to work but I thought the wizard would do it.
Any help is greatly appreciated. Thanks.
Devan
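To reason about where a ping from the VPN client to 172.20.1.3 can get lost, it helps to walk both legs of the path through the two route tables quoted above. The script below is an added example, not from the post or from pfSense; it parses the FreeBSD netstat-style and Windows route-print-style rows (constructed here from the post's tables, trimmed to the rows that matter) and does a longest-prefix lookup for each hop. It assumes the tunnel client address 10.8.2.2 and the LAN host 172.20.1.3 from the post; the one leg no table on the page covers is the LAN host's own return route, which is why it is reported as unknown.

```python
import ipaddress

# Constructed sample: route rows quoted in the post, trimmed to the relevant ones.
SERVER_ROUTES = """\
default XX.XXX.184.1 UGS 87264 1500 mvneta0.4090
10.8.2.0/24 10.8.2.2 UGS 0 1500 ovpns1
10.8.2.2 link#13 UH 9 1500 ovpns1
172.20.1.0/24 link#11 U 459909 1500 mvneta0.4091
172.20.1.1 link#11 UHS 0 16384 lo0
"""
CLIENT_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.43.230 192.168.43.160 35
10.8.2.0 255.255.255.0 On-link 10.8.2.2 291
172.20.1.0 255.255.255.0 10.8.2.1 10.8.2.2 291
"""

def parse_freebsd(text):
    """pfSense/FreeBSD 'netstat -rn' rows: dest gateway flags use mtu netif."""
    routes = []
    for line in text.splitlines():
        dst, gw, _flags, _use, _mtu, iface = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst)
        # 'link#N' as gateway means directly attached: no next hop
        routes.append((net, None if gw.startswith("link#") else gw, iface))
    return routes

def parse_windows(text):
    """Windows 'route print' rows: dest netmask gateway interface metric."""
    routes = []
    for line in text.splitlines():
        dst, mask, gw, iface, _metric = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, None if gw == "On-link" else gw, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match; returns (next_hop, interface) or None if no route."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1:] if hits else None

def check_path(client, server, client_tun_ip, lan_host):
    """Forward leg through client and server, then the server's return leg.
    The LAN host's own return route is not in any table we have, so it is
    reported as None: on the host, the default gateway must be the SG-1100."""
    return {
        "client_to_lan": lookup(client, lan_host),        # expect via 10.8.2.1
        "server_to_lan": lookup(server, lan_host),        # expect attached, LAN if
        "server_to_client": lookup(server, client_tun_ip),  # expect ovpns1
        "lan_host_to_client": None,                       # unknown from this data
    }
```

With the post's tables every hop the firewall controls resolves as expected, which points the remaining suspicion at the LAN host itself (its gateway setting or its local firewall) rather than at pfSense routing.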
-
This worked for me... In the OpenVPN server, under tunnel settings:
Find "Redirect IPv4 Gateway" and check the box to force all client-generated IPv4 traffic through the tunnel.
Save and see if you can ping the host LAN.
-
Thank you for responding.
After making the change, I now have many firewall entries between my SG-1100 and the virtual IP address on the OpenVPN interface, and also between LAN hosts and the virtual IP address on the LAN interface.
After updating the firewall rules, I still cannot ping the other hosts behind the LAN (172.20.1.3). I can ping them when connected to the LAN directly.
I also turned off the firewall on the client.