SSH/RDP not working over OpenVPN in a Bridged LAN

sakthi

Hi All,
Good Day!

Main pfsense box - This is sitting behind a router and it's not connected to my ISP. Configured OpenVPN in this pfsense box.

Another pfsense as VM running in my homelab which I have it for isolating my vmservers from home network. The WAN IP of this pfsense box is from the Main pfsense box.

Main pfsense box - 192.168.20.1/24 (Bridged)
OpenVPN - 192.168.40.1/24
Secondary pfsensebox - Gets WAN address from main pfsense box.

I have setup OpenVPN Tunnel Mode on my main pfsense box allowed local network configured as 192.168.20.1/24 and OpenVPN communication is working fine.

I'm running couple of VM's and my jumpserver has a WAN IP (DHCP Reserved) from my main pfsense box. I'm not able to access this Jump server via VPN on SSH (22) or RDP(3389). Both the ports are listening. Internal from my bridged network i'm able to access the server but not via VPN.

Checking the states is showing CLOSED:SYN_SENT and SYN_SENT:CLOSED

Accessing the same server from Main pfsense box network

Looking for some help to resolve the issue.

viragomann

@sakthi
Seems the destination server is blocking that access.
I assume it blocks all access from outside its own subnet.

So configure it to allow the desired access.

sakthi

@viragomann , Hi, Thanks for your reply. I have problem accessing the server over SSH/RDP when I have the bridge setup. I did a factory reset and enabled only one LAN and configured OpenVPN in Tunnel Mode and i was able to access the server via SSH/RDP via OpenVPN. The problem happens only when i have bridged network. Any further help would be really useful as I can't use TAP mode since my OpenVPN clients are iOS and macOS.

Thank You

johnpoz

@sakthi said in SSH/RDP not working over OpenVPN in a Bridged LAN:

in Tunnel Mode and i was able to access the server via SSH/RDP via OpenVPN

Yeah - so what is the problem? As you mention ios doesn't support tap mode anyway.. And in general tap mode is a horrible idea anyway.

sakthi

@johnpoz Hi, Thanks for the reply. The problem is when I setup bridge mode (as explained in post 1) i'm not able to reach the server via SSH/RDP from OpenVPN client

johnpoz

Well you can't bridge network A (your vpn tunnel) to your lan network B.

Not sure what your trying to do exactly..

sakthi

@johnpoz , Sorry If i'm doing something stupid. I opted for bridging mutiple LAN's in my pfsense box so I can access my server directly from my laptop when I'm at home. (Followed this link to create bridge network
[https://eengstrom.github.io/musings/configure-pfsense-bridge-over-multiple-nics-as-lan]

So to remote access my server I setup OpenVPN. Everything is working fine except SSH and RDP.

Thank You

johnpoz

@sakthi said in SSH/RDP not working over OpenVPN in a Bridged LAN:

I opted for bridging mutiple LAN's in my pfsense box so I can access my server directly from my laptop when I'm at home.

No idea what that means.. I can access anything on my network I allow for - with zero bridging...

Not sure why you have 2 pfsense box anyway? If you draw up your network - we can figure out what is going on.. But can tell you pretty much for sure bridge anything is not the way to do it ;)

sakthi

@johnpoz , I have only one pfsense box with multiple NIC's. By default, I was not able to reach my homelab connect to LAN2 interface from LAN1 interface. I even created firewall rule to allow everything but it didn't work so I read the link and configured my bridge accordingly. Below is my pfsense setup. If Bridging is not the way can you please help me how I can reach my LAN2 from LAN1.

Thank You
Regards
Sakthi

sakthi

@johnpoz , Before creating the bridging, LAN1 was having one subnet and LAN2 was having one subnet and a firewall rule to allow everything from LAN 1 to LAN2 and vice versa.

johnpoz

And what device is this?

If you want more ports on the same network - use a switch, not discrete interfaces trying to create a switch in software.

And your wireless clients are on pfsense wan? So you don't want wireless clients to be able to talk to anything on your networks behind pfsense?

Where is this 2nd pfsense?

sakthi

@johnpoz , Its a custom pfsense device running on Intel Celeron processor. It has 4 ports (1 WAN and 3 LAN). I have only one pfsense box and using it only for the purpose of my study to connect to my homelab server. My Wireless clients are connected directly to my wireless router and my wireless router in connected to a ONT device provided by my ISP. I don't have a switch. I will try to buy one. But is there a way i can connect to LAN2 from LAN1 without switch or bridge.

LAN1 - 172.20.10.1/24
LAN2 - 10.20.20.1/24

johnpoz

If they are different interfaces and not switch ports - then no there is no way to put them on the same network without bridging them.

But the only reason you need for them to be on the same network is broadcast traffic.. They could be on different networks and still access everything on the other network. Just create any any rules.

Do these devices use some broadcast/multicast discovery or protocol that is required that they are required to be on the same network..

If want to leverage your ports for individual devices - ok... But why do you need to bridge them.. Just use 192.168.1/24 on 1 and 192.168.2/24 on 2.. And use an any any rule - there you go these devices can talk to each other for anything other than broadcast traffic.

Bridge is only going to complex up the config, and more overhead for what? Are you doing something that requires broadcast to work? Then get a switch... Really the only time it makes sense to leverage a bridge is media conversion...

Or I had something that required the devices to be in the same broadcast domain, ie the same L2 network.. But I also wanted to be able to firewall between them for some stuff. In that case you would use a bridge (transparent firewall) and be able to do such a thing. But just wanting to leverage the ports on your pfsense box.. I don't see the point of trying to bridge them?