[SOLVED] Problem with Proxmox, pfSense, OpenVPN

  • Hello guys,
    I have a confusing problem with Proxmox, pfSense, OpenVPN.
    First I'll write out my network structure...

    I have a Proxmox server with this configuration:

    Nic1: bridged for LAN access

    Nic2: bridge for Multi-WAN
    vmbr1: NO IP

    In my Proxmox server I have a pfSense with this configuration:

    em0 network card from vmbr1 for WAN:

    em1 network card from vmbr0 for LAN:
    Gateway: NONE

    Everything is OK,
    pfSense has access to Internet
    pfSense has access to LAN
    pfSense can see and

    but when I'm using OpenVPN and connecting to server:
    I can see
    I can see
    but I can't see IPs behind Proxmox Server.
    I can't see

    After I set gateway for em1 (LAN) to
    em1 from to vmbr0 for LAN:

    OpenVPN client can see for a while but after a few minutes the WAN gateway goes down and Internet connectivity is lost.

    What do you think about this issue?


  • I guess pfSense is not the default gateway on the machines you're not able to access. So responses to VPN packets are not sent back to pfSense.
    Configure your devices to use pfSense as default gateway.

    There should not be a gateway defined on the LAN interface.

  • I'm testing with another scenario and it's working, but it's not the solution I need.
    I'm running 2 pfSense on Proxmox:

    same as above.

    pfSense 1:
    same as above + this configuration:
    Not running OpenVPN server.
    Just forwarding OpenVPN port to pfSense 2 with IP

    pfSense 2:
    Just one NIC from vmbr0
    Running OpenVPN.

    In this configuration, clients can connect to pfSense 2 VPN through pfSense 1 internet with port forward and can access to without any configuration on and other IPs behind Proxmox server.

    But I want to solve the issue and not use this trick.


  • Again, your pfSense 1 has to be the default gateway on all the devices you want to access.

    There may be some alternative solutions, but none of them is perfect:

    • Add a static route for the VPN tunnel network to each device you want to access pointing to pfSense 1 LAN IP.
    • Add an Outbound NAT rule to the LAN interface to translate the VPN packets to the LAN IP.

  • Thanks, all solutions work well for me.
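
The return-path problem discussed in this thread can be modelled in a few lines. This is an added example, not code from any poster; every address below is constructed for illustration and none is taken from the thread. It checks, for each fix suggested above, whether a LAN host's reply to a VPN client is handed back to pfSense.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not values from the thread)
LAN = ip.ip_network("192.168.1.0/24")
TUNNEL = ip.ip_network("10.8.0.0/24")        # OpenVPN tunnel network
PFSENSE_LAN = ip.ip_address("192.168.1.2")   # pfSense LAN interface
OTHER_ROUTER = ip.ip_address("192.168.1.1")  # some other gateway on the LAN
VPN_CLIENT = ip.ip_address("10.8.0.6")
DEFAULT = ip.ip_network("0.0.0.0/0")
CONNECTED = (LAN, "on-link")

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None if no route."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_reaches_pfsense(host_routes, outbound_nat=False):
    """True if the LAN host's reply to a VPN client is delivered to pfSense."""
    # With outbound NAT on LAN, the host sees pfSense's LAN IP as the source.
    src_seen = PFSENSE_LAN if outbound_nat else VPN_CLIENT
    hop = next_hop(host_routes, src_seen)
    if hop == "on-link":
        return src_seen == PFSENSE_LAN  # delivered directly on the LAN segment
    return hop == PFSENSE_LAN

SCENARIOS = {
    "default gw = other router": ([CONNECTED, (DEFAULT, OTHER_ROUTER)], False),
    "no default gw on host": ([CONNECTED], False),
    "default gw = pfSense": ([CONNECTED, (DEFAULT, PFSENSE_LAN)], False),
    "static route for tunnel net": (
        [CONNECTED, (DEFAULT, OTHER_ROUTER), (TUNNEL, PFSENSE_LAN)], False),
    "outbound NAT on LAN": ([CONNECTED, (DEFAULT, OTHER_ROUTER)], True),
}

def evaluate():
    """Map each scenario name to whether replies return via pfSense."""
    return {name: reply_reaches_pfsense(routes, nat)
            for name, (routes, nat) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:30} reply returns via pfSense: {ok}")
```

With outbound NAT the LAN hosts only ever see pfSense's LAN address as the source, so their logs and any per-host access rules can no longer distinguish individual VPN clients.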
