[SOLVED] Problem with Proxmox, pfSense, OpenVPN
  • Hello guys,
    I have a confusing problem with Proxmox, pfSense and OpenVPN.
    First I'll describe my network structure...

    I have a Proxmox server with this configuration:

    Nic1: bridged for LAN access
    vmbr0:
    IP: 192.168.1.10/24
    Gateway: 192.168.1.1

    Nic2: bridge for Multi-WAN
    vmbr1: NO IP

    In my Proxmox server I have a pfSense with this configuration:

    em0 network card from vmbr1 for WAN:
    IP: PUBLIC INTERNET
    Gateway: PUBLIC INTERNET

    em1 network card from vmbr0 for LAN:
    IP: 192.168.1.15/24
    Gateway: NONE

    Everything is OK:
    pfSense has access to the Internet
    pfSense has access to the LAN
    pfSense can see 192.168.1.10 and 192.168.1.1

    But when I'm using OpenVPN and connecting to the server:
    I can see 192.168.1.15
    I can see 192.168.1.10
    but I can't see IPs behind the Proxmox server.
    I can't see 192.168.1.1

    After I set the gateway for em1 (LAN) to 192.168.1.10:
    em1 from vmbr0 for LAN:
    IP: 192.168.1.15/24
    Gateway: 192.168.1.10

    The OpenVPN client can see 192.168.1.1 for a while, but after a few minutes the WAN gateway goes down and Internet connectivity is lost.

    What do you think about this issue?

    Thanks.



  • I guess pfSense is not the default gateway on the machines you're not able to access. So responses to VPN packets are not sent back to pfSense.
    Configure your devices to use pfSense as the default gateway.

    There should not be a gateway defined on the LAN interface.



  • I'm testing another scenario and it's working, but it's not the solution I need.
    I'm running 2 pfSense on Proxmox:

    Proxmox:
    same as above.

    pfSense 1:
    same as above + this configuration:
    Not running OpenVPN server.
    Just forwarding the OpenVPN port to pfSense 2 with IP 192.168.1.16

    pfSense 2:
    Just one NIC from vmbr0
    IP: 192.168.1.11/24
    Gateway: 192.168.1.10
    Running OpenVPN.

    In this configuration, clients can connect to the pfSense 2 VPN through pfSense 1's Internet with the port forward and can access 192.168.1.1 and the other IPs behind the Proxmox server without any configuration on 192.168.1.1.

    But I want to solve the issue and not use this trick.

    Thanks.



  • Again, your pfSense 1 has to be the default gateway on all the devices you want to access.

    There may be some alternative solutions, but none of them is perfect:

    • Add a static route for the VPN tunnel network to each device you want to access, pointing to the pfSense 1 LAN IP.
    • Add an Outbound NAT rule to the LAN interface to translate the VPN packets to the LAN IP.
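    The return-path problem described in this thread, modelled as an added example (not code from the thread or from pfSense): a LAN host picks the next hop for its reply to a VPN client by longest-prefix match, so with only a default route via 192.168.1.1 the reply never reaches pfSense, while the static-route workaround or the outbound-NAT workaround both fix it. The tunnel network 10.8.0.0/24 and the host routing table are assumptions; the thread does not state them.

```python
import ipaddress

# Constructed example values: the tunnel network is an assumption (the thread
# never states it); the two LAN addresses are the ones given in the thread.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
PFSENSE_LAN_IP = "192.168.1.15"   # pfSense em1 address on vmbr0
ISP_ROUTER = "192.168.1.1"        # the LAN's existing default gateway

# A LAN host's routing table as (destination prefix, next hop);
# next hop None means the destination is directly connected (on-link).
HOST_ROUTES = [
    ("0.0.0.0/0", ISP_ROUTER),
    ("192.168.1.0/24", None),
]

def next_hop(routes, dst):
    """Longest-prefix match, the way a host's routing table is consulted."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_reaches_pfsense(routes, reply_dst):
    """True if the host's reply to reply_dst is handed to pfSense, either via
    a route whose gateway is pfSense or because pfSense itself is on-link."""
    hop = next_hop(routes, reply_dst)
    return hop == PFSENSE_LAN_IP or (hop is None and reply_dst == PFSENSE_LAN_IP)

def with_static_route(routes):
    """Workaround 1 from the post: a static route for the tunnel network."""
    return routes + [(str(VPN_NET), PFSENSE_LAN_IP)]

def reply_dst_with_outbound_nat(vpn_client):
    """Workaround 2: outbound NAT on LAN rewrites the VPN client's source to
    pfSense's LAN IP, so the host replies to a directly connected address."""
    return PFSENSE_LAN_IP if ipaddress.ip_address(vpn_client) in VPN_NET else vpn_client

if __name__ == "__main__":
    client = "10.8.0.2"
    print("default table, next hop:", next_hop(HOST_ROUTES, client))
    print("static route fixes it:  ", reply_reaches_pfsense(with_static_route(HOST_ROUTES), client))
    print("outbound NAT fixes it:  ", reply_reaches_pfsense(HOST_ROUTES, reply_dst_with_outbound_nat(client)))
```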


  • Thanks, all solutions work well for me.

