(SOLVED) I disabled pfSense DHCP and now I can't ping any LAN from VPN

tgilcas

Hi, I had pfSense working as DHCP and DNS forwarder, but now Windows Server is working as the DHCP and DNS server. OpenVPN still works and I can connect, but now I cannot access any computer on the LAN or make a remote desktop connection like Windows RDP.

Is there any new rule in the firewall I need to make? I am lost.

viragomann

        Do you try to connect to host names or IPs?

Do you run the OpenVPN server in tap mode?

tgilcas

Thanks for the help, I have the OpenVPN server running in tun mode.
I could not ping any IP or hostname.

I solved it!

Here is the solution if others have the same problem as me.

It was that after disabling DHCP on pfSense, Automatic NAT doesn't route OpenVPN IPs to the internal LAN any more, so I changed to Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below) and added the mapping rule so the source (OpenVPN IPs) can get to the LAN IPs. And that was all.

Now I can ping any IP or connect to shared folders.

johnpoz (LAYER 8 Global Moderator)

Huh?

Makes ZERO sense.. Are you trying to say that turning off the DHCP server on the LAN network removes the OpenVPN tunnel network from the automatic NAT? Yeah, that makes no sense at all.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

tgilcas

Yes, this is what I am saying. I had to manually add a route, here is a picture.

With DHCP disabled it doesn't route OpenVPN to the LAN. With DHCP enabled, I did not have to add this route.

johnpoz (LAYER 8 Global Moderator)

Dude, your source NATting is all… See how you picked the LAN interface.. What you're doing there is NATting traffic that comes in from your OpenVPN to the LAN IP address of pfSense!!

You can see in your automatic rules that 10.12.0/14 is still being NATted outbound..

You for sure do not need to do what you're doing to access shit on your LAN from OpenVPN.. Unless you're trying to fool their host firewalls into thinking you're on their network. Or they use some other gateway other than pfSense.

Derelict (LAYER 8 Netgate)

                  That NAT rule makes no sense. And it is not a route. It is an outbound NAT rule. It has nothing to do with the DHCP server or the direction in which traffic flows (is routed).

                  I assume 10.12.10.0/24 is your OpenVPN tunnel address?

                  What that rule is doing is telling the system to masquerade all traffic from 10.12.10.0/24 to the LAN address on their way out LAN. One reason to do that is if the hosts on LAN have a default gateway that is not that pfSense node. Another would be the hosts on LAN do not have a default gateway set at all.

                  That rule would NEVER be created by Automatic NAT, DHCP server or not.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

tgilcas

Okay, yes I understand, outbound NAT doesn't have anything to do with the DHCP server, I get it. And yes, 10.12.10.0/24 is my OpenVPN address, but there is something I don't get. Why, when pfSense had the DHCP server and DNS forwarding enabled, did I not need to map that rule?

When I disabled it and had Windows Server handle the DHCP server and DNS for my computers on the LAN, I could not connect to any computer anymore over VPN unless I added that mapping rule.

                    What is the correct way to configure it?

Derelict (LAYER 8 Netgate)

                      Is the other DHCP server giving all the correct information? Particularly pfSense as the client hosts' default gateway?

tgilcas

This is what a machine on the LAN receives from the Windows Server DHCP:

                        Gateway is 10.13.11.1 (Pfsense)

                        10.13.11.20 (Windows Server 2016)

johnpoz (LAYER 8 Global Moderator)

Dude, your mask is /8 – WTF?? 255.0.0.0

Yeah, that is BORKED... So now your tunnel network is the same as the client's source network.. So why would he talk to the gateway to get back out the tunnel.

tgilcas

Well, I did not really understand what you said.

That was a capture from a virtual machine on Hyper-V. I connect from my house using a Mac (Viscosity) to the OpenVPN that pfSense has configured. I can't ping any PC on the LAN (office computers) if I don't map OpenVPN to LAN in the pfSense NAT, but you're saying I don't need to map to get to the LAN, that's not the correct or good way to do it (that's what you said before).

So now, the mask 255.0.0.0 has nothing to do with that.

The Windows Server DHCP server gives out 10.13.11.100-254 IPs, and the default gateway is pfSense 10.13.11.1.

johnpoz (LAYER 8 Global Moderator)

Dude, a mask of 255.0.0.0 means that

10.anything is the same network..

10.13.11.100 is the same network as 10.12.10

So a client on 10.13.11.100 that gets traffic from something, say 10.12.10.14, would just say oh hey buddy nice to talk to you.. Here is my answer.. It would NOT send it to its gateway because it's the same network… Fix your mask to be 24 bit and your problem will go away.

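The routing decision the last replies describe, and why the masquerade rule Derelict explains papers over it, as an added example that is not from the thread. It uses the thread's addresses (LAN host 10.13.11.100, gateway 10.13.11.1, tunnel 10.12.10.0/24, a constructed VPN client 10.12.10.14) and assumes the LAN host has no routes beyond its on-link network and its default gateway.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Addresses taken from the thread; the VPN client address is constructed.
TUNNEL_NET = IPv4Network("10.12.10.0/24")
LAN_GATEWAY = "10.13.11.1"
LAN_HOST = "10.13.11.100"
VPN_CLIENT = "10.12.10.14"


def next_hop(host_ip: str, netmask: str, gateway: str, dst: str) -> str:
    """Where a plain host sends a packet for dst: 'direct' (on-link, ARP for it)
    or the gateway address (off-link, hand it to the default gateway)."""
    iface = IPv4Interface(f"{host_ip}/{netmask}")
    if IPv4Address(dst) in iface.network:
        return "direct"
    return gateway


def swallowed_subnets(host_ip: str, netmask: str, internal_nets) -> list:
    """Defender check: which other internal subnets does a DHCP-issued mask
    make look on-link? Anything listed here will never be routed via pfSense."""
    iface = IPv4Interface(f"{host_ip}/{netmask}")
    return [str(n) for n in internal_nets if n.subnet_of(iface.network)]


def reply_reaches_tunnel(host_ip: str, netmask: str, gateway: str,
                         vpn_client: str, masquerade: bool = False) -> bool:
    """Model the LAN host's reply to a VPN client's packet.
    With the outbound NAT rule from the thread, the host sees the packet as
    coming from pfSense's LAN address, so its reply lands on pfSense and is
    un-NATted back into the tunnel regardless of the mask. Without it, the
    reply only reaches the tunnel if the host routes it via the gateway."""
    src_seen = gateway if masquerade else vpn_client
    hop = next_hop(host_ip, netmask, gateway, src_seen)
    if masquerade:
        return hop == "direct"
    return hop == gateway


if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        print(mask, "next hop for VPN client:",
              next_hop(LAN_HOST, mask, LAN_GATEWAY, VPN_CLIENT),
              "| swallowed:", swallowed_subnets(LAN_HOST, mask, [TUNNEL_NET]),
              "| reply works without NAT:",
              reply_reaches_tunnel(LAN_HOST, mask, LAN_GATEWAY, VPN_CLIENT))
```

With the /8 mask the host answers 10.12.10.14 on-link and the reply never reaches pfSense unless the masquerade rule hides the real source; with /24 the reply is routed via 10.13.11.1 and no NAT rule is needed.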
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.