Access Webconfigurator on standby firewall's LAN interface from OpenVPN Client



  • We want to disable external Webconfigurator access to our firewalls.
    Before we can do that, we have to be able to connect to the Webconfigurator via the LAN interfaces of both servers.
    We have OpenVPN configured to use a CARP IP.
    We are using HASync to keep the 2 firewalls the same (FW1, FW2).
    We can connect to the GUI via FW1's LAN interface, but we cannot connect to the standby via its LAN interface. We can only access the GUI via the WAN.
    I think it's a routing issue as the firewall rules are in place to allow OpenVPN clients GUI access. When I look at the routes, the only difference I see is on the one currently running OpenVPN (FW1):

    Dest            GW           Flag  Use      MTU   Netif
    192.168.1.0/24  192.168.1.2  UGS   1752640  1500  ovpns2
    192.168.1.2     link#16      UH    644803   1500  ovpns2

    Those 2 routes.

    Do I need to add a static route on FW1 from the OpenVPN client network to the LAN interface of FW2?

    If I do that - what happens when FW1 goes away, and OpenVPN starts running on FW2?

    Or is there a better way to achieve this?



  • A solution for that is described here under "You cannot reach the slave pfSense via OpenVPN":
    https://vorkbaard.nl/openvpn-in-a-pfsense-carp-cluster



  • @viragomann
    Worked like a charm - thanks!