(SOLVED)I disable Pfsense DHCP and now i can't ping any LAN from VPN



  • Hi, I had Pfsense working as DCHP DNS forwarding, but now windows server is working as DCHP and DNS server. OpenVPN still works and I can connect but now I can not access any computer on the LAN. o make a remote desktop connection like Windows RDP.

    is there any new rull in the firewall i need to make ? am lost



  • Do you try to connect to host names or IPs?

    Do you drive the OpenVPN server in tap mode?



  • Thanks for the help, i have openvpn server running in tun mode.
    I could not ping any ip or hostname.

    I solved it!

    here is the solution if others have the same problem as me.

    It was that disabling DHCP on pfsense Automatic NAT doesn't route openvpn ip to internal lan any more, so i changed to Hybrid Outbound NAT rule generation.(Automatic Outbound NAT + rules below) and added the mapping rule source (ipenvpn ip's) can get to LANs IP. and that was all.

    Now i can ping any ip or connect to shared folders..


  • Rebel Alliance Global Moderator

    Huh?

    Makes ZERO sense.. Are you trying to say that turning off the dhcp server on the lan network removes the openvpn tunnel network from the automatic nat?  Yeah that makes no sense at all.



  • Yes, this is what am saying. i had to manually add route, here is a picture.

    With dchp disable it doesn't route openvpn to lan. with dchp enabled, i did not have to add this route.


  • Rebel Alliance Global Moderator

    Dude your source natting is all… See how you picked lan interface.. What your doing there is natting traffic that comes in from your openvpn to the lan IP address of pfsense!!

    You can see in your automatic rules that 10.12.0/14 is still being natted outbound..

    You for sure do not need to do what your doing to access shit on your lan from openvpn..  Unless your trying to fool their host firewalls to thinking your on their network.  Or they use some other gateway other than pfsense.


  • Netgate

    That NAT rule makes no sense. And it is not a route. It is an outbound NAT rule. It has nothing to do with the DHCP server or the direction in which traffic flows (is routed).

    I assume 10.12.10.0/24 is your OpenVPN tunnel address?

    What that rule is doing is telling the system to masquerade all traffic from 10.12.10.0/24 to the LAN address on their way out LAN. One reason to do that is if the hosts on LAN have a default gateway that is not that pfSense node. Another would be the hosts on LAN do not have a default gateway set at all.

    That rule would NEVER be created by Automatic NAT, DHCP server or not.



  • Okay, yes i understand, outbound nat doesn't have nothing to do with DCHP server I get it. And yes 10.12.10.0/24 is my openvpn address, but there is something i don't get. Why when PFSENSE had DCHP server and DNS forwarding enable i did not need to map that rule?

    When I disable it and got windows server handle DHCP Server and DNS for my computers on the lan, I could not connect to any computer anymore over VPN unless I ad that mapping rule.

    What is the correct way to configure it?


  • Netgate

    Is the other DHCP server giving all the correct information? Particularly pfSense as the client hosts' default gateway?



  • This is what a machine on lan receive from Windows server DHCP

    Gateway is 10.13.11.1 (Pfsense)

    10.13.11.20 (Windows Server 2016)


  • Rebel Alliance Global Moderator

    dude your mask is /8 – WTF??  255.0.0.0

    Yeah that is BORKED...  So now your tunnel network as the clients source network.. So why would he talk to the gateway to get back out the tunnel.



  • Well, I did not really understand what you sed.

    That was a capture from a Virtual Machine from hyper v, I connect from my house using Mac (viscosity) to openvpn that has pfsense configured. I can't ping any pc on lan (Office computers) if i dont map openvpn to lan on PFsense NAT, but ur saying i dont need to map to get to the lan, thats not the correct o good way to do it.(thats what u sed before)

    So now, mask 255.0.0.0 nothing have to do with that.

    Windows server DHCP server gives 10.13.11.100-254 ips  default  gateway is Pfsense 10.13.11.1.


  • Rebel Alliance Global Moderator

    Dude a mask of 255.0.0.0 means that

    10.anything is the same network..

    10.13.11.100 is the same network as 10.12.10

    So a client on 10.13.11.100 that gets traffic from something say 10.12.10.14 would just say oh hey buddy nice to talk to you.. Here is my answer.. it would NOT send it to its gateway because its the same network…  Fix your mask to be 24 bit and your problem will go away.