[SOLVED] OpenVPN 2.4 tap bridge problem access to LAN
-
Hi all!
I have a same problem with setup OpenVPN.remote sede 176.10.10.10 pfsense 85.10.10.10
10.70.0.129 tap tunnel 10.70.0.249The certificates are issued, the tunnel is configured, the connection is fine, I take IP from DHCP (10.1.70.129). On the remote side through the tunnel I only see the pfsense and no one else in the local network pfsense.
After configure OpenVPN server I create interface OPT1 from ovpns1 and create bridge em1 (LAN) and OPT1 (ovpns1).
server cfgs:
dev ovpns1 verb 1 dev-type tap dev-node /dev/tap1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 85.10.10.10 tls-server server-bridge 10.1.70.249 255.255.255.0 10.1.70.129 10.1.70.135 client-config-dir /var/etc/openvpn-csc/server1 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PFSense-OpenVPN-cert' 1" lport 1194 management /var/etc/openvpn/server1.sock unix max-clients 2 push "route 10.1.70.0 255.255.255.0" push "route 10.0.0.0 255.0.0.0" push "dhcp-option DNS 10.1.91.250" push "dhcp-option DNS 10.1.91.251" push "dhcp-option DNS 10.1.90.102" push "dhcp-option NTP 10.1.91.100" client-to-client ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.4096 crl-verify /var/etc/openvpn/server1.crl-verify tls-auth /var/etc/openvpn/server1.tls-auth 0 comp-lzo adaptive persist-remote-ip floatclient cfgs:
dev tap persist-tun persist-key cipher AES-256-CBC auth SHA256 tls-client client resolv-retry infinite remote 85.10.10.10 1194 udp pkcs12 gateway-udp-1194-irbis-crt-0.p12 tls-auth gateway-udp-1194-irbis-crt-0-tls.key 1 ns-cert-type server comp-lzo adaptiveP.S. Just noticed that if you enable ARP proxy, everything works except the receiving IP when connecting.
-
What is wrong?
On client routing:
... 10.0.0.0 255.0.0.0 10.1.70.249 10.1.70.129 291 10.1.70.0 255.255.255.0 On-link 10.1.70.129 291 10.1.70.129 255.255.255.255 On-link 10.1.70.129 291 10.1.70.255 255.255.255.255 On-link 10.1.70.129 291 ...But available only pfsense.
ping 10.1.70.249 Exchange of packets at the 10.1.70.249 with 32 bytes of data: The response from 10.1.70.249: bytes=32 time=51мс TTL=64 The response from 10.1.70.249: bytes=32 time=25ms TTL=64ping 10.1.70.254 Exchange of packets at the 10.1.70.254 with 32 bytes of data: The response from 10.1.70.129: destination host unreachable. Timed out for the request. Timed out for the request. -
Anyone have ideas why does not work routing on pfsense?
-
Have you set up the openVPN Firewall rules (a rule to allow all traffic should be there), the WAN interface should also have the default rule. If you used the Wizard, then the rules should have been set automatically.
If there are rules in place, is ping allowed?
-
Yes, rule for "any to any" was present on OpenVPN adapter.
I try add rule for WAN any protocols fo any to any, but now work still. IMHO to add a rule "all to all" on WAN dangerous.
-
Having same problem with pfSense 2.3.3_1 which also running the LAN/handling DHCP
Client is a OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self assigns a 169.254 address.
-
@jtl:
Having same problem with pfSense 2.3.3_1 which also running the LAN/handling DHCP
Client is a OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self assigns a 169.254 address.
Hi. I have this problem when set wrong bridge adapter on OpenVPN tab.
If you to adjust like on the screenshots, then DHCP is working correctly and has access to pfsense is also. But in LAN there is no access.
-
Forgot to say that pfsense is also installed on the virtual machine VMware (ESXi + distributed switch). The search led to the need to enable promiscuous mode.
But not…. -
Someone tell me how to build a bridge correctly.
IMHO the problem is in the bridge, more precisely in ARP. -
WAIDW?
-
Someone tell me how to build a bridge correctly.
IMHO the problem is in the bridge, more precisely in ARP.In the past I followed this post (https://forum.pfsense.org/index.php?topic=46984.0) and had the same problem as you but on another hypervisor (Hyper-V).
The solution was to enable "MAC spoofing" on the pfSense's LAN interface which is a member of the bridge. The other bridge member is the interface assigned to OpenVPN's Remote Access-mode (tap) server.For ESXi the solution is the same:
-
Thanks for the reply.
But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable only on private VLAN. As I understand, it need to setup only VLAN to which belongs the LAN adapter pfsense.
-
Thanks for the reply.
But what if the VMware distribution switch is used? There is no configuration globally enable promiscuous mode. I can enable only on private VLAN. As I understand, it need to setup only VLAN to which belongs the LAN adapter pfsense.See this article: http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6
Security
Security Settings are on a Distributed Switch Portgroup are exactly the same as those found on the properties of the Standard Switch or its portgroups. The following information is a direct copy of the information from the Standard Switch content.
By default Promiscuous Mode is set to reject - and this prevents packet capturing software installed to compromised virtual machine for being used to gather more network traffic to facilitate a hack. Nonetheless it could modified by a genuine network administrator to capture packets as part of network troubleshooting. Even with this option enabled it would not stop an administrator from receiving packets to the VM. Another reason to change this option to Accept if you want to run intrusion detection software inside a VM. Such intrusion detection needs to be able to sniff network traffic as part its process of protecting the network. Finally, a less well-known reason for loosening the security on promiscuous mode is to allow so called "Nested ESX" configurations. This is where ESX is installed into a VM. This generally done in homelab and testing environments, not generally recommended for production use.
-
I turned on promiscuous mode, but it didn't help.
Noticed the following things when working through a tunnel.
Do ping machines behind pfsense is also ( let it be 10.3.100.250) through the tunnel
Have:
1 - the local machine (10.1.70.129) through the tunnel sends an icmp packet to the address 10.3.100.250
2 - pfsense is also not located with the end destination on the same network and sends the packet to the default gateway (10.1.70.254)
3 - next package in the chain, which we do not particularly interesting, gets on 10.3.100.250
4 - 10.3.100.250 sends a response which falls as a result 10.1.70.254
5 - 10.1.70.254 asks what mac have 10.1.70.129?
6 - 10.1.70.129 says: my mac is xx:xx:xx:xx:xx:xx:xx:xx
7 - This ARP reply never reaches 10.1.70.254!
8 - 10.1.70.254 asked again but no reply and receives. As a result packet with the answer to ping is lost.The question is: why pfsense is also reject ARP from local machine?
-
You have to enable all of those. It has to be able to do forged transmits and MAC changes or it can't send out traffic from bridged clients, and it needs promiscuous mode to receive the taffic.
-
Out of curiosity why are you trying to setup tap, actual use of tun is almost always a better choice. What are you doing that you need layer 2 access across the vpn?
-
Some people need to be bridged to their LAN for special reasons, for example I'm trying to bridge my management VLAN to a OpenVPN TAP instance. Some embedded devices on that VLAN don't like being accessed from outside their subnet, for example.
Regardless it would be great to have this issue fixed. I managed to get tap bridged with LAN on my bare-metal pfSense instance but I can't access any services hosted on the pfSense instance itself such as WebGUI/DNS, etc. I can ping it though.
-
Fixed problem with access.
Many thanks to all responded!The solution is to enable forged transmits on a distribution switch (LAN interface). In pfsense is also not a problem. Bug proved in the settings of the switches.
