OpenVPN and LAN connectivity



  • I've set up OpenVPN (UDP/tun) and assigned it IPv4 Tunnel Network 10.0.8.0/24.

    I can connect in just fine, get an IP, I get DNS, and can query DNS.

    The rest of my LAN is 10.10.x.x, so I entered "10.0.0.0/8" for "IPv4 Local network(s)". Tracing, however, I see it hits the gateway at 10.0.8.1 but never makes it to 10.10.x.x.

    What do I need to do to bridge OpenVPN so it can access the rest of my network?


  • LAYER 8 Netgate

    Not sure what happens when your tunnel network is included in your local networks.

    If your local networks are 10.10.x.x why don't you try setting your local networks to 10.10.0.0/16 and see what happens?

    Using the longest, most-specific netmask necessary to accomplish the task at hand is generally the correct decision.



  • Just tried changing it to 10.10.0.0/16, still can't ping 10.10.1.52 (my test target).



  • Is the access allowed by a firewall rule at the OpenVPN interface?


  • LAYER 8 Global Moderator

    Why would you have a /16 as your local network in the first place?? You have close to 65k hosts on the same layer 2?? Seems a bit unlikely..

    I don't get why people think that using such large masks is realistic.. Those sorts of masks are good for summary routing; as a mask on an actual network, not really.. I can not see putting more than, say, 500-some hosts on the same layer 2 ever.. Even that would be a lot of broadcast noise..

    So you have over 250 devices? If not, then /24 is more than enough of a mask and makes it easy to read what network you're on.

    I would love to hear your use case of why /16 makes sense as your mask for your network.


  • LAYER 8 Netgate

    That aside -

    The problem you are seeing is almost always:

    1. Firewall rules on OpenVPN not allowing the traffic in at the destination side (ping is ICMP, not TCP or TCP/UDP)
    2. Local firewall on the target device blocking connections from different subnets
    3. Default gateway on source or destination device not being pfSense.



  • Using diag_testport.php I was able to replicate the problem:

    Destination: 10.10.1.10 port 80
    Source Address: LAN

    That works fine.

    Change source to OpenVPN server or localhost and it times out.

    Firewall rules at this point are all defaults from install + the 2 or 3 the OpenVPN wizard sets up. Nothing has been added or removed.


  • LAYER 8 Netgate

    That sounds like how it's supposed to be working. The other side will not have a route back to localhost since there is no NAT and might have a route back to the tunnel address but it probably won't respond. If you can source the traffic from Local network on one side to remote network on the other it is working.



  • Go to NAT -> Outbound -> Select manual and click save. You should now see a rule added for the 10.0.8.0 subnet. You can change it back to hybrid after that.

    I had the same problem last week. Everything looked OK, could connect and ping the server but not any of the lan hosts.

    There should be some documentation or a warning in pfSense clearly stating that you need to configure a NAT rule if you want to reach your LAN.


  • LAYER 8 Netgate

    You do not need NAT.



  • So looking at the firewall logs, it suggests traffic is allowed to pass; however, AFAIK not a packet is actually going through.




  • 
    TRANSLATION RULES:
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on re0 inet from 127.0.0.0/8 to any port = isakmp -> 71.xxx.xxx.xxx static-port
    nat on re0 inet from 10.10.8.0/24 to any port = isakmp -> 71.xxx.xxx.xxx static-port
    nat on re0 inet from 10.10.0.0/16 to any port = isakmp -> 71.xxx.xxx.xxx static-port
    nat on re0 inet from 10.10.8.0/24 to any port = isakmp -> 71.xxx.xxx.xxx static-port
    nat on re0 inet from 127.0.0.0/8 to any -> 71.xxx.xxx.xxx port 1024:65535
    nat on re0 inet from 10.10.8.0/24 to any -> 71.xxx.xxx.xxx port 1024:65535
    nat on re0 inet from 10.10.0.0/16 to any -> 71.xxx.xxx.xxx port 1024:65535
    nat on re0 inet from 10.10.8.0/24 to any -> 71.xxx.xxx.xxx port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr-anchor "miniupnpd" all
    
    FILTER RULES:
    scrub on re0 all fragment reassemble
    scrub on re1 all fragment reassemble
    scrub on ovpns1 all fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
    block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
    block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
    block drop log quick from <snort2c> to any label "Block snort2c hosts"
    block drop log quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
    block drop in log quick from <virusprot> to any label "virusprot overload table"
    pass in quick on re0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
    pass in quick on re0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
    pass out quick on re0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
    block drop in log quick on re0 from <bogons> to any label "block bogon IPv4 networks from WAN"
    block drop in log quick on re0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    block drop in log on ! re0 inet from 71.xxx.xxx.xxx/24 to any
    block drop in log inet from 71.xxx.xxx.xxx to any
    block drop in log on re0 inet6 from fe80::2e0:4cff:fe68:27d5 to any
    block drop in log quick on re0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block drop in log quick on re0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block drop in log quick on re0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block drop in log quick on re0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block drop in log quick on re0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    pass in on re0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
    pass out on re0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
    block drop in log on ! re1 inet from 10.10.0.0/16 to any
    block drop in log inet from 10.10.1.1 to any
    block drop in log on re1 inet6 from fe80::1:1 to any
    pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on re1 inet proto udp from any port = bootpc to 10.10.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on re1 inet proto udp from 10.10.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    block drop in log on ! ovpns1 inet from 10.10.8.0/24 to any
    block drop in log inet from 10.10.8.1 to any
    block drop in log on ovpns1 inet6 from fe80::2e0:4cff:fe68:27d5 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (re0 71.xxx.xx.xxx) inet from 71.xxx.xxx.xxx to ! 71.xxx.xxx.xxxx/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpns1 10.10.8.1) inet from 10.10.8.1 to ! 10.10.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in log quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN vpn.hostname.tld wizard"
    pass in quick on re0 reply-to (re0 71.xxx.xx.xxx) inet proto udp from any to 71.xxx.xxx.xxx port = openvpn keep state label "USER_RULE: OpenVPN vpn.hostname.tld wizard"
    pass in quick on re1 inet from 10.10.0.0/16 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on re1 inet proto tcp from any port = domain to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: Forced DNS Redirection"
    block drop in log quick on re1 inet proto tcp from 10.10.1.5 to 71.xxx.xxx.0/24 flags S/SA label "USER_RULE: Block IP cam outbound traffic"
    pass in quick on re1 inet from 10.10.0.0/16 to 10.10.8.0/24 flags S/SA keep state label "USER_RULE"
    pass in quick on ovpns1 reply-to (ovpns1 10.10.8.1) inet all flags S/SA keep state label "USER_RULE: Default allow OpenVPN to any rule"
    anchor "tftp-proxy/*" all
    No queue in use
    
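The checklist in the "That aside" reply (firewall rules on the OpenVPN interface, ICMP versus TCP/UDP, default gateway) and the pfctl dump above can be checked mechanically. Below is an added example, not code from the thread or from pfSense, that parses the plain-text `pfctl -sn` / `pfctl -sr` output format pasted above and reports the usual causes of "VPN client can reach the firewall but not the LAN". The sample ruleset embedded in it is a constructed subset of the lines posted in the thread (the WAN address is replaced by the placeholder 71.0.0.1); the interface and group names (`ovpns1`, `openvpn`, `re1`) are taken from that dump. Note one thing the dump shows that the first post did not: the tunnel is now 10.10.8.0/24 on ovpns1 while the LAN interface re1 is 10.10.0.0/16, so the tunnel network sits inside the LAN network, which the overlap check below flags.

```python
"""Audit a pf ruleset dump for common OpenVPN-to-LAN failures.

Added example (not from the thread or pfSense). It reads the text that
`pfctl -sn` / `pfctl -sr` print on a pfSense box and checks, offline:

  1. OVERLAP  - the tunnel network overlaps another interface's network
                (pfSense emits one "block drop in log on ! <if> inet from
                <net>" anti-spoof rule per interface, which gives the nets);
  2. NO-PASS  - no inbound pass rule on the OpenVPN interface or group;
  3. NO-ICMP  - OpenVPN pass rules are restricted to tcp/udp, so ping fails;
  4. NAT-INFO - outbound NAT applies to the tunnel (informational only:
                routed access to the LAN does not need it).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the ruleset pasted in the thread,
# with the WAN address replaced by the placeholder 71.0.0.1.
SAMPLE_RULESET = """\
nat on re0 inet from 10.10.8.0/24 to any -> 71.0.0.1 port 1024:65535
nat on re0 inet from 10.10.0.0/16 to any -> 71.0.0.1 port 1024:65535
block drop in log inet all label "Default deny rule IPv4"
block drop in log on ! re1 inet from 10.10.0.0/16 to any
block drop in log on ! ovpns1 inet from 10.10.8.0/24 to any
pass in log quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN wizard"
pass in quick on re1 inet from 10.10.0.0/16 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on ovpns1 reply-to (ovpns1 10.10.8.1) inet all flags S/SA keep state label "USER_RULE: Default allow OpenVPN to any rule"
"""

ANTISPOOF_RE = re.compile(r"^block drop in log on ! (\S+) inet from (\S+) to any")
PASS_IN_RE = re.compile(r"^pass in .*?on (\S+) ")
NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> ")
PROTO_RE = re.compile(r"\bproto (\S+)")


def interface_networks(ruleset: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map interface name -> IPv4 network, taken from the anti-spoof rules."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for line in ruleset.splitlines():
        m = ANTISPOOF_RE.match(line)
        if not m:
            continue
        try:
            nets[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:  # e.g. a redacted address such as 71.xxx.xxx.xxx/24
            continue
    return nets


def tunnel_overlaps(ruleset: str, tunnel_if: str = "ovpns1") -> List[Tuple[str, str]]:
    """Interfaces whose network overlaps the tunnel network, as (iface, net)."""
    nets = interface_networks(ruleset)
    tun = nets.get(tunnel_if)
    if tun is None:
        return []
    return [(ifn, str(net)) for ifn, net in nets.items()
            if ifn != tunnel_if and net.overlaps(tun)]


def openvpn_pass_rules(ruleset: str, names=("openvpn", "ovpns1")) -> List[Tuple[str, str]]:
    """Inbound pass rules on the OpenVPN group/interface, as (iface, proto).

    A rule without a `proto` keyword (e.g. `inet all`) matches every protocol,
    which is reported as "any".
    """
    rules = []
    for line in ruleset.splitlines():
        m = PASS_IN_RE.match(line)
        if m and m.group(1) in names:
            p = PROTO_RE.search(line)
            rules.append((m.group(1), p.group(1) if p else "any"))
    return rules


def nat_for_tunnel(ruleset: str, tunnel_if: str = "ovpns1") -> List[str]:
    """Outbound NAT rules whose source is exactly the tunnel network."""
    tun = interface_networks(ruleset).get(tunnel_if)
    if tun is None:
        return []
    return [line for line in ruleset.splitlines()
            if (m := NAT_RE.match(line)) and m.group(2) == str(tun)]


def audit(ruleset: str, tunnel_if: str = "ovpns1", group: str = "openvpn") -> List[str]:
    """Run every check and return human-readable findings, one per issue."""
    findings = []
    tun = interface_networks(ruleset).get(tunnel_if)
    if tun is None:
        findings.append(f"NO-TUNNEL: no anti-spoof rule for {tunnel_if}; tunnel network unknown")
    for ifn, net in tunnel_overlaps(ruleset, tunnel_if):
        findings.append(f"OVERLAP: tunnel {tun} on {tunnel_if} overlaps {ifn} network {net}; "
                        f"hosts using that mask will ARP for tunnel addresses instead of "
                        f"sending replies to the firewall")
    rules = openvpn_pass_rules(ruleset, (tunnel_if, group))
    if not rules:
        findings.append("NO-PASS: no inbound pass rule on the OpenVPN interface; traffic hits the default deny")
    elif not any(p in ("any", "icmp") for _, p in rules):
        protos = ",".join(sorted({p for _, p in rules}))
        findings.append(f"NO-ICMP: OpenVPN pass rules are limited to {protos}; ping will fail even if TCP works")
    for line in nat_for_tunnel(ruleset, tunnel_if):
        findings.append("NAT-INFO: outbound NAT applies to the tunnel network (not required for routed LAN access): " + line)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET):
        print(finding)
```

Run against a live box with `pfctl -sn; pfctl -sr | python3 audit.py` after replacing `SAMPLE_RULESET` with `sys.stdin.read()`. The script cannot see the third item on the checklist (the default gateway of the target host); for that, run `route -n get` on a Unix host or `route print` on Windows and confirm the gateway is the firewall's LAN address, otherwise replies to 10.0.8.x never come back through the tunnel.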
