[SOLVED] No access to network from VPN with only one WAN



  • Hello!
    I need some help with configuring pfSense.

    I've got pfSense 2.3.2 running with a WAN-only interface inside a private LAN.
    There's another firewall which does NAT and forwards UDP 1194 to the pfSense box, and this allows me to connect to the pfSense box using VPN.
    There's unlimited access to the private LAN and the internet for pfSense.
    The problem is that I can't access any host from the private LAN (using IP), or even pfSense itself, while I'm connected via OpenVPN. I have set up a rule to allow all traffic from/to OpenVPN.

    Could you tell me what I should do to make the network where pfSense lives accessible from the VPN?



  • Go to Firewall > NAT > Outbound, select "Disable Outbound" and hit Save.
    Try again.



  • Thank you for the reply!
    Didn't work; I also disabled packet filtering (System > Advanced > Firewall & NAT).
    Now I see packets from the OpenVPN subnet (172.20.0.0/24) on a local network host (192.168.0.0/20), but the IP is not tracerouted to the pfSense host. After adding a route for 172.20.0.0/24 via the pfSense IP I could ping both sides, but still no HTTP.

    I think I'm doing it totally wrong…
    Could you tell me how I should do this, please? :)



  • Allowing all traffic on the WAN & OpenVPN interfaces allowed me to enter the pfSense web UI and the Darkstat module.
    No luck with 192.168.* :(



  • Yeah! Your pfSense isn't the default gateway, so response packets to requests from VPN clients are directed to the default gateway. A route for this on your router won't be a satisfactory solution. The route has to be added to the destination host(s).

    Another solution is to do outbound NAT and translate outgoing traffic to the interface IP, which is the default for WAN but has to be set manually for VPN if necessary.
    However, this method has the drawback that you are not able to tell the VPN clients apart on the destination server.

    Also ensure that you have unchecked "Block private networks" in the WAN interface settings.
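The routing argument in the post above, as an added example that is not part of the thread: a small simulation of the route lookup a LAN host makes when it answers an OpenVPN client, in the broken setup and under each of the two fixes (a route on the destination host, or outbound NAT to the pfSense WAN address). The subnets 172.20.0.0/24 and 192.168.0.0/20 come from the thread; the pfSense WAN address 192.168.0.2, the other firewall 192.168.0.1, the LAN server 192.168.1.10 and the VPN client 172.20.0.10 are assumed for the example.

```python
"""
Added example (not from the thread): why a LAN host's reply to an OpenVPN
client never reaches a pfSense box that is not the LAN default gateway, and
why a host route or outbound NAT fixes it.

Subnets from the thread: OpenVPN 172.20.0.0/24, LAN 192.168.0.0/20.
Every individual address below is an assumption made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

VPN_SUBNET = ip_network("172.20.0.0/24")     # from the thread
LAN_SUBNET = ip_network("192.168.0.0/20")    # from the thread
PFSENSE_WAN = ip_address("192.168.0.2")      # assumed pfSense WAN address
LAN_GATEWAY = ip_address("192.168.0.1")      # assumed: the other firewall
LAN_SERVER = ip_address("192.168.1.10")      # assumed LAN web server
VPN_CLIENT = ip_address("172.20.0.10")       # assumed address in the VPN subnet


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: Optional[IPv4Address]   # None: directly connected, deliver on-link


def next_hop(routes: List[Route], dst: IPv4Address) -> IPv4Address:
    """Longest-prefix match, the same decision a host kernel makes."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    return dst if best.via is None else best.via


# Route table of an ordinary LAN host: on-link for the LAN, everything else
# to the other firewall. pfSense does not appear in it at all.
LAN_HOST_ROUTES = [
    Route(LAN_SUBNET, None),
    Route(ip_network("0.0.0.0/0"), LAN_GATEWAY),
]


@dataclass(frozen=True)
class Outcome:
    source_seen_by_server: IPv4Address  # what the LAN server logs as the client
    reply_next_hop: IPv4Address         # where the server sends its reply
    reply_reaches_pfsense: bool         # reply gets back into the tunnel
    clients_distinguishable: bool       # server can tell VPN clients apart


def simulate(outbound_nat: bool, host_route: bool) -> Outcome:
    """One request from the VPN client to the LAN server, and its reply.

    outbound_nat: pfSense rewrites VPN sources to its WAN address (the
                  outbound NAT fix from the thread).
    host_route:   the LAN server itself has 172.20.0.0/24 via pfSense.
    """
    routes = list(LAN_HOST_ROUTES)
    if host_route:
        routes.append(Route(VPN_SUBNET, PFSENSE_WAN))

    # With outbound NAT the server never sees a 172.20.x.x source; the
    # request appears to come from pfSense's on-link WAN address.
    seen_src = PFSENSE_WAN if outbound_nat else VPN_CLIENT
    hop = next_hop(routes, seen_src)

    # The reply only re-enters the tunnel if the server hands it to pfSense.
    # Sending it to the LAN default gateway is a dead end: that firewall has
    # no route for the VPN subnet, and a stateful one would drop a reply to
    # a request it never saw.
    return Outcome(
        source_seen_by_server=seen_src,
        reply_next_hop=hop,
        reply_reaches_pfsense=(hop == PFSENSE_WAN),
        clients_distinguishable=not outbound_nat,
    )


if __name__ == "__main__":
    for nat, route in [(False, False), (False, True), (True, False)]:
        o = simulate(outbound_nat=nat, host_route=route)
        print(f"NAT={nat!s:5} host_route={route!s:5} -> reply to {o.reply_next_hop}, "
              f"reaches pfSense: {o.reply_reaches_pfsense}, "
              f"clients distinguishable: {o.clients_distinguishable}")
```

Running it shows the three cases side by side: without either fix the server's reply goes to 192.168.0.1 and is lost; with a host route it goes to 192.168.0.2 and the server still sees 172.20.0.10; with outbound NAT it also reaches pfSense, but the server only ever sees 192.168.0.2, which is the loss of per-client visibility the post mentions.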



  • Thank you!

    Maybe this will help:

    NAT
    Hybrid Outbound NAT rule generation.

    Firewall
    Be sure to enable TCP/UDP (ICMP or whatever you need) traffic on the OpenVPN interface.
    Allow the same outgoing traffic from the VPN subnet.

    So much fun!