Unable to access to clients in the network that don't have gateway IP Setup



  • Hello,

    Before PFSense, I was using Microsoft's RRAS service to provide VPN access to my clients and they were able to successfully connect to the VPN either using PPTP or SSTP protocols and were able to access ANY IP in the network regardless of their network configurations contained gateway ip or not.

    With PFSense OpenVPN (in Tunnel mode), I am only able to access the local network PC's IF THEIR GATEWAY IP'S ARE SETUP AS THE PFSENSE IP.

    Now there are some IoT devices in my network that don't support gateway IP modification, or it is too hard to configure them one by one. I loved the old setup with RRAS but had to move away from that.

    Now, I need to know how to achieve the similar think with PFSense. I need to be able to reach the internal computers WITHOUT GW IP SETUP thru OpenVPN.

    I tried using the TAP protocol, tried creating a new interface on the TAP protocol, new bridge between TAP and LAN, added PASS entries for OpenVPN to LAN etc, WAN to LAN etc, with no results.

    Any help is extremely appreciated, and I will donate $100 to the PFSense project if I can get a valuable answer. Thanks!


  • Rebel Alliance Global Moderator

    What devices would you be wanting to access that do not support a gateway?  Can you not just hand out a gateway via dhcp.  If you want these devices to always have the same IP then just setup a reservation.

    But to do what you want yes you have to use TAP…  Ie you clients on the same network as your vpn clients.. This normally is really not a very good idea at all. I guess could put together a guide if I get a chance.  But I really do not like promoting bad setups, to me that would be a bad setup.  If you can not find a guide, prob not one in the docs - put up a bounty and sure someone would jump on it.

    What network are you using - this is for sure going to be a problem if your remote location your wanting to access is using that same network.

    Your other option would be to use TUN for your vpn, but just source nat connections to these devices that do not have a gateway.

    I love to hear what sort of IOT device doesn't know how to use a gateway.  Its right in the name "internet of things" They didn't call them "local network of things" its pretty impossible to talk to the internet without using a gateway ;)



  • Hi again.

    In this particular case, we are trying to talk to a Siemens Simotion drive. It is possible to set up gateways on that device, however it will require the service to do a visit to us, which will cost money. In the past, they were able to successfully connect to our devices using RRAS VPN.

    I don't know that you mean by What network you are using question.

    Could you please elaborate using TUN for the vpn and sourcing nat connections to these devices?


  • Rebel Alliance Global Moderator

    What network are you using 192.168.x.x/? 10.x.x.x/? 172.16-18.x.x/?

    So they didn't setup any gateway on this device, you only have 1 network?  Nobody would be able to talk to this device from any other network if it doesn't have a gateway - be it another local network/vlan or remote users.

    Ok… As to doing a nat..  So I just created a nat on my lan interface that says hey if the source is my vpn tunnel network 10.0.8.0/24 and your going to the lan network 192.168.9/24 nat it to the lan interface IP (192.168.9.253) in my case.

    I then make a connection to a box on my lan 192.168.9.100, and you can see from that box via remote desktop running a netstat that is sees my connection from pfsense IP address

    TCP    192.168.9.100:3389    192.168.9.253:38769    ESTABLISHED

    If I look in the state table on pfsense I see that it natted my 10.0.8.100 address to the 192.168.9.253 address.  So so in this case the connection came from the IP address on that network.  So the client 192.168.9.100 would not need a gateway.

    Now if I remove that nat... And just come in via the vpn.. The client will see my connection from the 10.0.8.100 address.








  • I still couldn't figure it out. Could you be able to help me directly?


  • Rebel Alliance Global Moderator

    Dude can not figure out what?? How to create a nat?  I gave you pictures showing the nat..

    What is the network you are using as your openvpn tunnel?  What network your using on your lan?  You create a outbound nat using your LAN interface where the source is your tunnel network is your dest is your LAN network.. And your nat interface would be your LAN interface..

    It is actually like 10 seconds to setup..  Switch to hybrid mode and then create your nat..  If you give me remote access to your system I could set it up sure.. If I break something its on you..  I gave you a picture and instructions now.  Here is another picture of the actual nat page

    My networks are most likely different than yours - you have to put int he networks your using for your vpn tunnel network and what your using on your lan network..