OpenVPN and NAT newbie question

  • I am pretty new to pfSense and have a question I can't seem to figure out. My network has two layer 3, Cisco SG500 series switches (SG500-52P and SG500-28P) and I cannot access the switch GUIs via their interfaces at X.X.X.2 for any of the subnets. This is probably easier fixed via security settings in the switch but that isn't an option at this point as I am remote for a couple of weeks and can't get into the switch via GUI or telnet.

    I have a pfSense firewall (running the latest 2.4.2-RELEASE-p1) with the pfSense box functioning as the router as well.

    My LAN is divided into 5 subnets on 4 separate physical interfaces from the pf box to 5 ports on the master switch (SG500-52P): (5 on same physical interface as 4)

    All interfaces for the 5 subnets are 1.2, 2.2, 3.3 etc. From physically within my LAN, I can ping and access the SG500-52P and 28P switch GUIs from any subnet. My computer has a DHCP (also done by the pfSense box) address of (usually 182) when physically on the LAN. Again, no issues accessing the switches or pinging any nodes on any subnet- all good.

    The issue is when I VPN into the pfSense (using OpenVPN). I understand it is recommended that the subnet/DHCP range for the VPN clients be one that isn't used as a LAN subnet, so I set it as with an IP range of 0.2, 0.3, etc. Via the VPN, I can ping and access all nodes on any of the LAN subnets such as NASes on with no problem but cannot ping or access any of the switch GUIs (192.168.x.2) and conversely cannot ping the VPN client from the switch either. I am sure there is a very easy solution that I am overlooking but it is driving me crazy!

    Thanks for any help you can give this poor novice and go easy on me please!

  • Do the switches have the pfSense internal IP set as gateway?

    Just because the switches are layer 3.. doesn't mean you're using them as that.. If so pfSense would be on a transit network which you make no mention of.. And you state you have 5 interfaces running from pfSense to your switch..

    My guess is you have SVIs set up on your different networks but not really doing routing on the switches? And viragomann is prob correct you didn't set up a gateway on the switches.

    So you have 2 options here.. Set up the gateway on the interface you want to hit when you come from the VPN, by remoting into one of your PCs and accessing your switch from that PC.. Or just source NAT your VPN connection so it is on whatever network you're trying to access.

    Or just leave it how it is and access the switches from one of your LAN machines when you're VPN'd in.
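As an added illustration (not from the thread or from pfSense), a small Python model of the switch's reply path: with SVIs but no default gateway the switch can only answer hosts on its connected subnets, so a LAN client gets replies while an OpenVPN client does not, and either fix from the reply above (a default gateway on the switch, or source NAT of VPN traffic on the pfSense LAN interface) repairs it. The thread only gives the switch management address as 192.168.x.2; the LAN subnets 192.168.1-5.0/24, the VPN subnet 192.168.0.0/24 and pfSense being .1 on each LAN interface are assumptions.

```python
"""Model of a layer-3 switch's reply path (constructed example).
Shows why the switch GUI answers LAN hosts but not OpenVPN clients, and
how a default gateway or source NAT of the VPN traffic fixes it.
Assumed addressing: LAN subnets 192.168.1-5.0/24, VPN 192.168.0.0/24,
pfSense is .1 on each LAN interface, switch SVIs are .2 (from the thread)."""
import ipaddress
from typing import Optional

# Switch SVIs: the management address is .2 on every LAN subnet.
SWITCH_SVIS = [ipaddress.ip_interface(f"192.168.{n}.2/24") for n in range(1, 6)]

# Assumed pfSense address on each LAN-side interface (used for source NAT).
PFSENSE_LAN_IPS = {f"192.168.{n}.0/24": f"192.168.{n}.1" for n in range(1, 6)}


def can_reply(src: str, default_gw: Optional[str] = None) -> bool:
    """True if the switch can route a reply back to `src`.
    Without a default gateway it only reaches its connected subnets."""
    s = ipaddress.ip_address(src)
    if any(s in svi.network for svi in SWITCH_SVIS):
        return True  # on-link: the switch ARPs and replies directly
    # Off-link: needs a default route whose next hop is itself on-link.
    return default_gw is not None and any(
        ipaddress.ip_address(default_gw) in svi.network for svi in SWITCH_SVIS)


def source_nat(src: str, dst: str, nat_if_ips: dict) -> str:
    """Rewrite `src` to the firewall's own address on the subnet that holds
    `dst`, i.e. outbound NAT on the pfSense LAN interface facing the switch."""
    d = ipaddress.ip_address(dst)
    for net, ip in nat_if_ips.items():
        if d in ipaddress.ip_network(net):
            return ip
    return src  # destination not behind a NAT'd interface: unchanged


def ping_switch_works(client_ip: str, switch_ip: str = "192.168.1.2",
                      default_gw: Optional[str] = None, snat: bool = False) -> bool:
    """Does an ICMP echo from `client_ip` to the switch get a reply?"""
    src = source_nat(client_ip, switch_ip, PFSENSE_LAN_IPS) if snat else client_ip
    return can_reply(src, default_gw)


if __name__ == "__main__":
    print("LAN host   :", ping_switch_works("192.168.1.182"))  # True
    print("VPN client :", ping_switch_works("192.168.0.2"))  # False
    print("VPN + gw   :", ping_switch_works("192.168.0.2", default_gw="192.168.1.1"))  # True
    print("VPN + SNAT :", ping_switch_works("192.168.0.2", snat=True))  # True
```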

