Our own OpenVPN server behind pfSense firewall: can ping all devices but cannot reach websites



    Hi All

    UPDATE: resolved.
    We checked Bypass firewall rules for traffic on the same interface in System - Advanced - Firewall & NAT

    System > Advanced > Firewall & NAT > Static route filtering: "Bypass firewall rules for traffic on the same interface"

    We have been using our own OpenVPN (routed) server behind a GTA firewall for many years. Recently, we replaced the GTA firewall with pfSense and found that our OpenVPN clients can no longer go to websites in our LAN. We can ping not just the OpenVPN server but also all machines behind the pfSense firewall. This is made possible by creating a static route for 10.58.0.0/24 to use gateway 192.168.5.5 (our OpenVPN server IP) and enabling net.ipv4.ip_forward in /etc/sysctl.conf on our OpenVPN server.
    We can also go to a website on our OpenVPN server.
    But although we can ping other servers in our LAN, we cannot go to websites hosted on them. We can SSH to our OpenVPN server but not to the other servers. That is, all the other servers are not accessible but are ping-able. The OpenVPN server itself is fully accessible.

    In pfSense System Logs > Firewall we have this message:
    "Sep 12 23:43:33 LAN Default deny rule IPv4 (1000000103) 192.168.5.203:80 10.58.0.6:49587 "

    192.168.5.203 is a web server in our LAN
    10.58.0.6 is an OpenVPN client IP address

    We tried adding a Pass Any to Any rule in the LAN firewall rules but it didn't help.

    We googled and searched this forum and found no solution.
    This post describes exactly the same problem as ours:
    https://forum.netgate.com/topic/87364/openvpn-server-behind-pfsense-ping-is-possible-web-access-not

    Thank you very much
    CMG
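As an added example (not part of the post above), the following script parses pfSense firewall block entries in the layout quoted in the post and flags the pattern behind this thread: reply packets from a LAN host toward a network whose static-route gateway is also on LAN, which means pfSense never saw the client's half of the flow and so has no state for the return half. It assumes the LAN is 192.168.5.0/24 and uses the static route the post describes; all log lines other than the quoted one are constructed.

```python
import re
import ipaddress

# Constructed sample in the layout of pfSense's System Logs > Firewall view.
# The first line is the entry quoted in the post; the others are made up.
SAMPLE_LOG = """\
Sep 12 23:43:33 LAN Default deny rule IPv4 (1000000103) 192.168.5.203:80 10.58.0.6:49587
Sep 12 23:43:36 LAN Default deny rule IPv4 (1000000103) 192.168.5.203:80 10.58.0.6:49587
Sep 12 23:44:01 LAN Default deny rule IPv4 (1000000103) 192.168.5.10:22 10.58.0.6:51022
Sep 12 23:44:09 WAN Default deny rule IPv4 (1000000103) 203.0.113.7:44123 198.51.100.2:22
"""

# Assumption: the LAN is 192.168.5.0/24 (the post only shows hosts in that range).
LAN_NET = ipaddress.ip_network("192.168.5.0/24")
# The static route from the post: 10.58.0.0/24 via the OpenVPN server at 192.168.5.5.
STATIC_ROUTES = {ipaddress.ip_network("10.58.0.0/24"): ipaddress.ip_address("192.168.5.5")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?P<rule>.+?) \((?P<ruleid>\d+)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Return the fields of one block entry, or None if the line is not in that format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_asymmetric_reply(entry):
    """True when a LAN host's packet was blocked on LAN while heading for a network whose
    static-route gateway is also on LAN. The client's half of that flow went
    client -> OpenVPN server -> LAN host without crossing pfSense, so no state exists
    for the reply and the default deny rule fires."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    if entry["iface"] != "LAN" or src not in LAN_NET:
        return False
    return any(dst in net and gw in LAN_NET for net, gw in STATIC_ROUTES.items())


def find_asymmetric_blocks(log_text):
    """Count blocked flows (src, sport, dst) that match the asymmetric-routing pattern."""
    flows = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_asymmetric_reply(entry):
            key = (entry["src"], int(entry["sport"]), entry["dst"])
            flows[key] = flows.get(key, 0) + 1
    return flows


if __name__ == "__main__":
    for (src, sport, dst), n in find_asymmetric_blocks(SAMPLE_LOG).items():
        print(f"{n}x reply {src}:{sport} -> {dst} blocked: only the return half transits LAN")
```

A non-empty result points at the same-interface bypass setting under System > Advanced > Firewall & NAT rather than at the LAN pass rules, which cannot help because the state was never created.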

