pfSense blocks LAN VPN traffic
gepi:
Hi everybody, I'm new at this and still learning. A few days ago I installed the latest version of pfSense and everything worked perfectly until the moment I tried to use my local VPN, which connects to another PC on the same network.
In fact the VPN is an application which connects to a Middle-Tier Server on a Windows Server machine, but the connections are refused. I find nothing in the logs that can help me solve the problem.
I'm grateful for any advice.
More information required.
The VPN client and server are on the same subnet?
That subnet is behind pfSense?
How is the client connecting, by IP? By FQDN? By hostname?
What type of VPN is it?
Could be this:
But just a guess at this point.
gepi:
Yes, the VPN and client are on the same subnet (192.168.3.0/24), and yes, everything is behind pfSense, including the DC (Zentyal).
The client uses an IP to connect. The application was made by some Greek guys years ago and I do not have any information about it. What I know is that the Middle-Tier server uses the net.tcp protocol for some reason.
Could not connect to net.tcp://10.0.0.4:8899/WCFService
TCP error code 10060
Ok, so 10.0.0.4 is not in the 192.168.3.0/24 subnet.
Is the VPN server actually at 10.0.0.4? How is that subnet connected?
If the client and server really are both in the 192.168.3.0 subnet then the client is using the wrong IP address. In that case the traffic would go directly between them, so pfSense would never see it.
However running a VPN between two devices on the same subnet seems… unusual at best.
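The point above, that same-subnet traffic never reaches pfSense while off-subnet traffic must be routed and permitted by it, is easy to check mechanically. The script below is an added example, not code from the thread; it takes the subnet and target IP posted above, classifies the path the client's stack will use, and decodes the Winsock code from the error message (10060 is WSAETIMEDOUT, a timeout, not a refusal). The client host address 192.168.3.50 and the code table beyond 10060 are assumptions for illustration.

```python
import ipaddress

# Values from the thread: the client sits on 192.168.3.0/24 and the connection
# string names 10.0.0.4:8899. The host address .50 is an assumed example value.
CLIENT_IFACE = "192.168.3.50/24"
TARGET = "10.0.0.4"

# Winsock error codes as surfaced by .NET/WCF net.tcp connection failures.
WINSOCK_ERRORS = {
    10060: "WSAETIMEDOUT: connect timed out (no SYN-ACK or RST ever came back)",
    10061: "WSAECONNREFUSED: host answered with RST (nothing listening or rejected)",
    10065: "WSAEHOSTUNREACH: no route to host",
}


def path_to(client_iface, target):
    """Classify how the client's IP stack will deliver a packet to `target`.

    'on-link'     : target is inside the client's own subnet; the client ARPs for
                    it and sends directly, so the gateway (pfSense) never sees it.
    'via-gateway' : target is outside the subnet; the packet goes to the default
                    gateway and is subject to pfSense routing and firewall rules.
    """
    iface = ipaddress.ip_interface(client_iface)
    addr = ipaddress.ip_address(target)
    return "on-link" if addr in iface.network else "via-gateway"


def diagnose(client_iface, target, winsock_code):
    """Combine the path classification with the Winsock code into a short verdict."""
    path = path_to(client_iface, target)
    err = WINSOCK_ERRORS.get(winsock_code, f"unknown Winsock code {winsock_code}")
    if path == "on-link":
        where = "pfSense is not in the path; look at the two hosts themselves"
    else:
        where = (f"pfSense must route and permit this; confirm an interface or route "
                 f"for {target} exists and the LAN rules allow the port")
    return f"{path}; {err}; {where}"


if __name__ == "__main__":
    print(diagnose(CLIENT_IFACE, TARGET, 10060))
```

Running it with the thread's values reports "via-gateway", which is exactly why the question of how 10.0.0.0/24 is connected matters: a timeout on a routed destination usually means either no route back from the server side or a rule dropping the traffic, while a same-subnet destination would have excluded pfSense entirely.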
leonard:
With the "local networks" setting in the OpenVPN setup you can just specify the routes which should be pushed to the clients. But this wouldn't deny access to your networks. You can add additional routes on the client so you can access other subnets if it is not inhibited by firewall rules on pfSense.
So access permissions are controlled by firewall rules. I assume you will have an any-to-any allow rule on your OpenVPN interface. To prevent DMZ access, edit this rule, check "not" in the Destination area, change the type to "DMZ net" and save it.
This rule will permit access to anywhere but the DMZ subnet.
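To make the effect of that inverted-destination rule concrete, here is an added example (not code from the thread or from pfSense) that models pfSense's first-match rule evaluation and the "not" checkbox on Destination. The LAN subnet is from the thread; the OpenVPN tunnel network 10.8.0.0/24, the DMZ subnet 192.168.50.0/24 and the client address 10.8.0.6 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# LAN is from the thread; the tunnel and DMZ networks are assumed example values.
LAN_NET = ipaddress.ip_network("192.168.3.0/24")
OPENVPN_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed OpenVPN tunnel network
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed DMZ subnet
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_not: bool = False         # the "not" checkbox on Destination: invert the match


def rule_matches(rule, src_ip, dst_ip):
    """True when the packet's addresses satisfy the rule, honouring inversion."""
    src_hit = ipaddress.ip_address(src_ip) in rule.src
    dst_hit = ipaddress.ip_address(dst_ip) in rule.dst
    if rule.dst_not:
        dst_hit = not dst_hit
    return src_hit and dst_hit


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins (pfSense interface rules are 'quick');
    a packet that matches no rule falls through to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip):
            return rule.action
    return "block"


# The original any-to-any allow rule on the OpenVPN interface.
OPEN_RULES = [Rule("pass", ANY, ANY)]

# The same rule after editing it as described: destination "DMZ net" with "not" checked.
OPENVPN_RULES = [Rule("pass", ANY, DMZ_NET, dst_not=True)]


def main():
    client = "10.8.0.6"   # assumed VPN client address
    for dst in ("192.168.3.10", "192.168.50.10", "1.1.1.1"):
        print(f"{client} -> {dst}: before={evaluate(OPEN_RULES, client, dst)} "
              f"after={evaluate(OPENVPN_RULES, client, dst)}")


if __name__ == "__main__":
    main()
```

The output shows the intended split: LAN and Internet destinations still pass, while a DMZ destination no longer matches the only rule and is dropped by the default deny. Because the deny is implicit, anyone adding a second, broader pass rule later must place it after this one or the DMZ exclusion is silently lost.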