PfSense OpenVPN > Ubiquiti USG > LAN not routing properly
-
Recently I added a Ubiquiti USG to my setup, behind pfsense and in front of my LAN. Current layout looks like this:
PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN
I have a static route in pfsense from 10.42.9.0/24 to 10.42.8.0/24 via 10.42.9.12. NATting is disabled on the USG.
I'm currently able to connect to openvpn on pfsense and access anything in the 10.42.9.0 net, but nothing in the .8.0/24. I've read extensively (though, admittedly, not fully comprehended) how to add routes to the openvpn config on the server / client side but I still cannot hit anything in 8.
Configs:
Disclaimer: I've done a lot of tweaking here... between multiple attempts at this and a lack of complete understanding, there may be some glaring mistakes here...
server1.conf:
dev ovpns1
verb 5
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local <ip>
tls-server
server 10.90.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
verify-client-cert none
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user <hash> false server1 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls '<dns>' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DNS 10.42.9.205"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology net30
push "route 10.42.8.0 255.255.255.0 vpn_gateway"
push "redirect-gateway def1"
route 10.42.8.0 255.255.255.0
client (CCD entry):
push "redirect-gateway def1"
iroute 10.42.8.0 255.255.255.0
Any idea what I'm missing? I'm starting to lose it...
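As an added example (not code from the thread, from pfSense or from OpenVPN), a small Python checker that reads the directives used above and reports, for a subnet that lives on the server's LAN side like 10.42.8.0/24, what the clients are told and which directives would steer that subnet back into the tunnel instead of toward the LAN next hop; the config text it parses is constructed from the routing-relevant lines of the posted server1.conf and CCD entry.

```python
import ipaddress
import shlex

# Constructed input: the routing-relevant lines of the posted server1.conf and CCD entry.
SERVER_CONF = """
server 10.90.0.0 255.255.255.0
topology net30
push "route 10.42.8.0 255.255.255.0 vpn_gateway"
push "redirect-gateway def1"
route 10.42.8.0 255.255.255.0
"""
CCD_CONF = """
push "redirect-gateway def1"
iroute 10.42.8.0 255.255.255.0
"""

def networks(conf, directive):
    """Networks named by `directive`: 'server', 'route', 'iroute' or 'push route'."""
    found = set()
    for line in conf.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if not parts:
            continue
        if parts[0] == "push" and len(parts) > 1:  # unwrap push "route a.b.c.d mask [gw]"
            parts = parts[1].split()
            parts[0] = "push " + parts[0]
        if parts[0] == directive and len(parts) >= 3:
            found.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return found

def check_server_side_subnet(server_conf, ccd_conf, subnet):
    """Findings for a subnet that sits on the server's LAN side (behind pfSense, not a client)."""
    net = ipaddress.ip_network(subnet)
    findings = []
    if net in networks(server_conf, "push route"):
        findings.append("ok: clients are pushed a route for it into the tunnel")
    elif "redirect-gateway" in server_conf or "redirect-gateway" in ccd_conf:
        findings.append("ok: redirect-gateway sends all client traffic into the tunnel")
    else:
        findings.append("missing: no push route and no redirect-gateway, clients will not send it")
    # 'route' and 'iroute' describe subnets behind a *client*: the server then forwards that
    # subnet back into the tunnel instead of to its LAN next hop (the USG WAN address here).
    if net in networks(server_conf, "route"):
        findings.append("warn: server 'route' steers this subnet into the tunnel")
    if net in networks(ccd_conf, "iroute"):
        findings.append("warn: CCD 'iroute' claims this subnet is behind a client")
    if any(net.overlaps(pool) for pool in networks(server_conf, "server")):
        findings.append("error: subnet overlaps the tunnel address pool")
    return findings
```

A clean result only covers what OpenVPN itself does; the static route on pfSense and the filtering on the USG's WAN-facing interface are outside its view and still need checking separately.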
-
Figured it out: it was my USG WAN-IN interface firewall blocking all traffic. I thought I had this off, but I was incorrect.
-
@boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly:
PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN
Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?