[SOLVED] OpenVPN 2.4 tap bridge problem access to LAN



  • Hi all!
    I have a same problem with setup OpenVPN.

    remote sede 176.10.10.10                        pfsense 85.10.10.10
                          10.70.0.129    tap tunnel                10.70.0.249

    The certificates are issued, the tunnel is configured, the connection is fine, I take IP from DHCP (10.1.70.129). On the remote side through the tunnel I only see the pfsense and no one else in the local network pfsense.

    After configure OpenVPN server I create interface OPT1 from ovpns1 and create bridge em1 (LAN) and OPT1 (ovpns1).

    server cfgs:

    dev ovpns1
    verb 1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 85.10.10.10
    tls-server
    server-bridge 10.1.70.249 255.255.255.0 10.1.70.129 10.1.70.135
    client-config-dir /var/etc/openvpn-csc/server1
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PFSense-OpenVPN-cert' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 2
    push "route 10.1.70.0 255.255.255.0"
    push "route 10.0.0.0 255.0.0.0"
    push "dhcp-option DNS 10.1.91.250"
    push "dhcp-option DNS 10.1.91.251"
    push "dhcp-option DNS 10.1.90.102"
    push "dhcp-option NTP 10.1.91.100"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    
    

    client cfgs:

    dev tap
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 85.10.10.10 1194 udp
    pkcs12 gateway-udp-1194-irbis-crt-0.p12
    tls-auth gateway-udp-1194-irbis-crt-0-tls.key 1
    ns-cert-type server
    comp-lzo adaptive
    
    

    P.S. Just noticed that if you enable ARP proxy, everything works except the receiving IP when connecting.



  • What is wrong?

    On client routing:

    ...
    10.0.0.0     255.0.0.0           10.1.70.249        10.1.70.129    291
    10.1.70.0    255.255.255.0       On-link            10.1.70.129    291
    10.1.70.129  255.255.255.255     On-link            10.1.70.129    291
    10.1.70.255  255.255.255.255     On-link            10.1.70.129    291
    ...
    
    

    But available only pfsense.

    ping 10.1.70.249
    
    Exchange of packets at the 10.1.70.249 with 32 bytes of data:
    The response from 10.1.70.249: bytes=32 time=51мс TTL=64
    The response from 10.1.70.249: bytes=32 time=25ms TTL=64
    
    ping 10.1.70.254
    
    Exchange of packets at the 10.1.70.254 with 32 bytes of data:
    The response from 10.1.70.129: destination host unreachable.
    Timed out for the request.
    Timed out for the request.
    


  • Anyone have ideas why does not work routing on pfsense?



  • Have you set up the openVPN Firewall rules (a rule to allow all traffic should be there), the WAN interface should also have the default rule. If you used the Wizard, then the rules should have been set automatically.

    If there are rules in place, is ping allowed?



  • Yes, rule for "any to any" was present on OpenVPN adapter.
    I try add rule for WAN any protocols fo any to any, but now work still. IMHO to add a rule "all to all" on WAN dangerous.








  • Having same problem with pfSense 2.3.3_1 which also running the LAN/handling DHCP

    Client is a OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self assigns a 169.254 address.



  • @jtl:

    Having same problem with pfSense 2.3.3_1 which also running the LAN/handling DHCP

    Client is a OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self assigns a 169.254 address.

    Hi. I have this problem when set wrong bridge adapter on OpenVPN tab.
    If you to adjust like on the screenshots, then DHCP is working correctly and has access to pfsense is also. But in LAN there is no access.






  • Forgot to say that pfsense is also installed on the virtual machine VMware (ESXi + distributed switch). The search led to the need to enable promiscuous mode.
    But not….



  • Someone tell me how to build a bridge correctly.
    IMHO the problem is in the bridge, more precisely in ARP.



  • WAIDW?



  • @Irbis:

    Someone tell me how to build a bridge correctly.
    IMHO the problem is in the bridge, more precisely in ARP.

    In the past I followed this post (https://forum.pfsense.org/index.php?topic=46984.0) and had the same problem as you but on another hypervisor (Hyper-V).
    The solution was to enable "MAC spoofing" on the pfSense's LAN interface which is a member of the bridge. The other bridge member is the interface assigned to OpenVPN's Remote Access-mode (tap) server.

    For ESXi the solution is the same:



  • Thanks for the reply.
    But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable  only on private VLAN. As I understand, it need to setup only VLAN to which  belongs the LAN adapter pfsense.




  • @Irbis:

    Thanks for the reply.
    But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable  only on private VLAN. As I understand, it need to setup only VLAN to which  belongs the LAN adapter pfsense.

    See this article: http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6
    Security
    Security Settings are on a Distributed Switch Portgroup are exactly the same as those found on the properties of the Standard Switch or its portgroups. The following information is a direct copy of the information from the Standard Switch content.

    By default Promiscuous Mode is set to reject - and this prevents packet capturing software installed to compromised virtual machine for being used to gather more network traffic to facilitate a hack. Nonetheless it could modified by a genuine network administrator to capture packets as part of network troubleshooting. Even with this option enabled it would not stop an administrator from receiving packets to the VM. Another reason to change this option to Accept if you want to run intrusion detection software inside a VM. Such intrusion detection needs to be able to sniff network traffic as part its process of protecting the network. Finally, a less well-known reason for loosening the security on promiscuous mode is to allow so called "Nested ESX" configurations. This is where ESX is installed into a VM. This generally done in homelab and testing environments, not generally recommended for production use.



  • I turned on promiscuous mode, but it didn't help.
    Noticed the following things when working through a tunnel.
    Do ping machines behind pfsense is also ( let it be 10.3.100.250) through the tunnel
    Have:
    1 - the local machine (10.1.70.129) through the tunnel sends an icmp packet to the address 10.3.100.250
    2 - pfsense is also not located with the end destination on the same network and sends the packet to the default gateway (10.1.70.254)
    3 - next package in the chain, which we do not particularly interesting, gets on 10.3.100.250
    4 - 10.3.100.250 sends a response which falls as a result 10.1.70.254
    5 - 10.1.70.254 asks what mac have  10.1.70.129?
    6 - 10.1.70.129 says: my mac is xx:xx:xx:xx:xx:xx:xx:xx
    7 - This ARP reply never reaches 10.1.70.254!
    8 - 10.1.70.254 asked again but no reply and receives. As a result packet with the answer to ping is lost.

    The question is: why pfsense is also reject ARP from local machine?


  • Rebel Alliance Developer Netgate

    You have to enable all of those. It has to be able to do forged transmits and MAC changes or it can't send out traffic from bridged clients, and it needs promiscuous mode to receive the taffic.


  • Rebel Alliance Global Moderator

    Out of curiosity why are you trying to setup tap, actual use of tun is almost always a better choice.  What are you doing that you need layer 2 access across the vpn?



  • Some people need to be bridged to their LAN for special reasons, for example I'm trying to bridge my management VLAN to a OpenVPN TAP instance. Some embedded devices on that VLAN don't like being accessed from outside their subnet, for example.

    Regardless it would be great to have this issue fixed. I managed to get tap bridged with LAN on my bare-metal pfSense instance but I can't access any services hosted on the pfSense instance itself such as WebGUI/DNS, etc. I can ping it though.



  • Fixed problem with access.
    Many thanks to all responded!

    The solution is to enable forged transmits on a distribution switch (LAN interface). In pfsense is also not a problem. Bug proved in the settings of the switches.