Netgate Discussion Forum

    2 VPN's. Remote Access not able to ping LAN

    OpenVPN
    5 Posts 2 Posters 384 Views
    • MikeDaniels

      I have 2 VPNs set up on the same Netgate pfSense box.

      VPN #1 -> Peer to Peer - Works just fine. Traffic passes just fine. No issues.
      VPN #2 -> Remote Access. VPN Connects fine. I can ping the firewall. I can edit the firewall via the GUI on port 443. The problem is that I can not hit anything except the firewall. I can not ping anything else on the network (LAN).

      To try to figure out what is happening, I pinged from the netgate. At first I chose the LAN interface and then I chose the VPN interface.
      Ping from LAN -> Works just fine. All packets work.
      Ping from the VPN interface -> Does not ping anything.

      Logs do not show that a firewall is blocking anything. I have followed all of the instructions in the Netgate instructions and it appears I've done it correctly (I'll add screenshots if we get there).

      In all of the firewall rules and interfaces I allow bogon networks as well as private networks. I have NO rules to block anything, just rules to allow.

      I have set up 3 interfaces for VPN rules. There is the Peer to Peer VPN interface which is enabled and active. There is the Remote Access VPN which is enabled and active.

      In the firewall rules I have 3 interfaces attached to my VPNs. OPT5 is assigned to the peer to peer VPN. OPT7 is assigned to the Remote Access VPN. The final one is the standard OpenVPN group interface.

      I checked the route tables and the default gateway is set to this device. All routes point back to this device on all host boxes.

      My questions to start with are this:

      1. Is there a special consideration I need to be making when it comes to a dual VPN setup? I was not able to find a specific document to compare my config to so if this is true, any chance you know of a document like this to compare my config to?
      2. Any other thoughts welcome.

      I'm guessing this is a basic config issue and that I've simply overlooked something that is special to a dual VPN setup, so before we get into the specific config I'm just looking for some general information. If this doesn't work, I'll add the config here. Thanks!
      Mike

      • Rico LAYER 8 Rebel Alliance

        There is nothing special with multiple OpenVPN Instances, you can have as many S2S and/or RAS as you want.
        Show as much information as possible via Screenshots, it's just some configuration problem (missing routes, Firewall Rules, ...).
        But first work through https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

        -Rico

        • MikeDaniels

          Thank you. That is what I was looking for that I couldn't find. Will respond with questions if I have any. Appreciate your help.

          -Mike

          • MikeDaniels

            In the end it turned out to be two issues.

            1. Missing route that wasn't pushed to a host on the LAN we are accessing.
            2. The gateway added by the OpenVPN client had boosted itself to the default gateway, which was not wanted as we only want backend traffic traversing our network. Once I adjusted the gateway, the VPNs now work as designed.

            Thanks for the document.

            Mike

            • Rico LAYER 8 Rebel Alliance

              Glad you have it working now.

              -Rico

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.