Netgate Discussion Forum

    OpenVPN connected device to reach a server farm behind an ASA

camilnajm:

Hello everybody.

The simplified network drawing represents a brief of my network. Hopefully it is clear.

I have been using pfSense for many years as an internet gateway, so all the devices on the LAN (172.17.0.0/16) have the pfSense machine (172.17.11.254/16) as their default gateway.

Now, in order to access the server farm (172.16.0.0/16), I add a static route to every device on the LAN that needs to reach the server farm, as follows:

route ADD 172.16.0.0 MASK 255.255.0.0 172.17.1.253 -p

where 172.17.1.253/16 is the ASA firewall with appropriate access lists that govern the traffic between WAN, LAN and DMZ.

I have 2 scenarios/questions:

1- Recently I followed a tutorial about OpenVPN setup. The tutorial was clear and straightforward. It worked great and now I can access the LAN from my laptop using a 3G/4G connection. As per the sketch, the OpenVPN server will have an IP of 10.8.0.1/24 and my laptop will have 10.8.0.2/24 as an IP once connected through OpenVPN.
My question is, how can I reach the server farm? What routes/firewall rules should I add at the pfSense machine in order to let any OpenVPN connected device (10.8.0.2, 3, 4 and so on) reach one/all machines at the server farm (172.16.0.0/16) through the ASA firewall (172.17.1.253/16)? Should I use the GW_DMZ gateway in the second attachment? (leading to question 2)

2- Back to the LAN devices (not related to OpenVPN): in order to get rid of the static route that I have to add on each device, I added a gateway that points to the ASA firewall (attachment 2). Then I used this gateway in a static route (attachment 3). The fact is that it is working and I can reach the server farm without a static route on the device that I am using, but I noticed that the system is very sluggish with lots of freezing. Also, if I am using a remote desktop session to a machine at the DMZ, the remote desktop keeps on disconnecting, even for less than a minute of connection; sometimes the remote desktop session freezes then later on resumes, sometimes it disconnects then automatically reconnects.

I hope that I explained the situation well and I hope to hear from you guys.

Thank you

Camil
![pfsense network brief.png](/public/imported_attachments/1/pfsense network brief.png)
![Routing_ Gateways.png](/public/imported_attachments/1/Routing_ Gateways.png)
![Routing_ Static Routes.png](/public/imported_attachments/1/Routing_ Static Routes.png)

camilnajm:

Regarding point 2, I found the solution in one of the blogs. The following option needs to be selected (checked):

System -> Advanced -> Firewall and NAT -> Bypass firewall rules for traffic on the same interface.

Any hints for point 1?

Thank you

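As an added illustration (not code from the thread or from pfSense), the routing tables described in the two posts modelled as a longest-prefix-match lookup: it shows which next hop a LAN host and an OpenVPN client each use for the server farm, and flags the flow that enters and leaves pfSense on the same LAN interface, which is the case the "Bypass firewall rules for traffic on the same interface" option concerns. The pfSense WAN gateway address and the interface names are assumptions.

```python
import ipaddress

# Constructed model of the topology described in the thread:
#   LAN 172.17.0.0/16, pfSense LAN address 172.17.11.254, ASA 172.17.1.253
#   server farm 172.16.0.0/16 behind the ASA, OpenVPN tunnel 10.8.0.0/24
PFSENSE_LAN = "172.17.11.254"
ASA = "172.17.1.253"

# Routing tables: (destination prefix, next hop or None if directly connected, egress interface)
LAN_HOST_ROUTES = [
    ("172.17.0.0/16", None, "eth0"),
    ("172.16.0.0/16", ASA, "eth0"),        # the `route ADD ... -p` entry from the first post
    ("0.0.0.0/0", PFSENSE_LAN, "eth0"),    # pfSense as default gateway
]
PFSENSE_ROUTES = [
    ("172.17.0.0/16", None, "LAN"),
    ("10.8.0.0/24", None, "ovpns1"),       # assumed OpenVPN server interface name
    ("172.16.0.0/16", ASA, "LAN"),         # static route via the GW_DMZ gateway (attachment 3)
    ("0.0.0.0/0", "203.0.113.1", "WAN"),   # placeholder upstream gateway, not from the thread
]

def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, egress_interface) for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    net, nh, iface = best
    # For a connected route the next hop is the destination itself.
    return (nh if nh is not None else dst, iface)

def pfsense_path(src, dst):
    """Forward one packet through pfSense.

    Returns (next_hop, egress_interface, hairpin), where hairpin is True when
    the packet leaves on the same interface it arrived on. The ingress interface
    is derived from the source address; the ASA's own return route to 10.8.0.0/24
    is outside this model.
    """
    _, ingress = lookup(PFSENSE_ROUTES, src)
    nh, egress = lookup(PFSENSE_ROUTES, dst)
    return nh, egress, egress == ingress
```

A LAN host forwarding server-farm traffic via pfSense's static route produces a hairpin on LAN, while an OpenVPN client's traffic enters on the tunnel interface and exits on LAN without one.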
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.