Access to LAN net behind pfsense from OpenVPN net
-
I have the latest pfsense, installed on custom hardware. It has a LAN net - 192.168.1.0/24 and WAN to the provider's router - 10.10.10.1. I set up an OpenVPN client on pfsense to a remote server with subnet topology. Pfsense is 10.8.0.2 in the OVPN net. I want to connect from other OpenVPN clients (10.8.0.4 and so on) to some LAN clients.
Now I can't:
pinging 192.168.1.1 (pfsense LAN address) from 10.8.0.2 (OVPN address) is successful
PING 192.168.1.1 (192.168.1.1) from 10.8.0.2: 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.070 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.019 ms
pinging 192.168.1.101 (LAN client behind pfsense) from 10.8.0.2 fails
PING 192.168.1.101 (192.168.1.101) from 10.8.0.2: 56 data bytes
--- 192.168.1.101 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
My settings are:
- routes:
Destination        Gateway       Flags   Use        Mtu    Netif
default            10.10.10.1    UGS     1855672    1500   em0
10.8.0.0/24        10.8.0.1      UGS     5678       1497   ovpnc1
10.8.0.1           link#9        UH      17561      1497   ovpnc1
10.8.0.2           link#9        UHS     234        16384  lo0
10.10.10.0/24      link#1        U       906808     1500   em0
10.10.10.4         link#1        UHS     0          16384  lo0
10.174.17.11       link#3        UHS     0          16384  lo0
10.174.17.11/32    link#3        U       0          1500   em2
127.0.0.1          link#6        UH      225741262  16384  lo0
192.168.1.0/24     link#3        U       521033894  1500   em2
192.168.1.1        link#3        UHS     18         16384  lo0
On the VPN server, in the ccd file I added the line:
push "route 192.168.1.0 255.255.255.0 192.168.1.1"
But I receive in the OpenVPN log on pfsense:
Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
-
The setup you describe is not clear to me.
Maybe you can draw your network picture and share all OpenVPN settings. -Rico
-
Looks like you're double NAT'd. The first thing you'll want to do is have your ISP put their router in bridge mode so PFsense gets a public IP.
Second, your push route command is not necessary if you've configured things correctly in the GUI. Not to mention, I doubt you're trying to push a route with a different gateway, plus the syntax is incorrect anyway; you can remove that push route. If you need something client-specific, use the "Client Specific Overrides" tab on VPN -> OpenVPN.
-
Post your server1.conf (/var/etc/openvpn).
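For reference, this is how the server side of a "LAN behind a client" setup is normally expressed in plain OpenVPN configuration. It is an added example, not the thread's own server1.conf or the pfSense GUI output, and the client common name (pfsense-client) and the ccd path are assumptions. The LAN subnet is bound to the pfSense client with iroute in its ccd file, the server's own kernel gets a route for it, and the other clients receive the route via push (no gateway argument is needed, OpenVPN picks the tunnel). Note that a client running with route-nopull, as the pfSense client config posted later in this thread does, rejects every pushed route with exactly the "option 'route' cannot be used in this context ([PUSH-OPTIONS])" message, so the push is only useful for the clients that should reach the LAN, such as 10.8.0.4.

```conf
# /etc/openvpn/server.conf (added example, assumed path)
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir /etc/openvpn/ccd
# the server kernel must know 192.168.1.0/24 lives behind the tunnel
route 192.168.1.0 255.255.255.0
# tell the other clients (10.8.0.4 and so on) to send LAN traffic into the tunnel;
# no gateway argument here: the tunnel interface is the gateway
push "route 192.168.1.0 255.255.255.0"
# required so client 10.8.0.4 may talk to client 10.8.0.2 at all
client-to-client

# /etc/openvpn/ccd/pfsense-client (file name = the pfSense client's certificate CN, assumed)
# OpenVPN-internal routing: packets for 192.168.1.0/24 go to this client
iroute 192.168.1.0 255.255.255.0
```

In the pfSense GUI the iroute line corresponds to the "Remote Networks" field of the Client Specific Override, and the "route ... / push route" pair to the "Local Network(s)" and "Remote Network(s)" fields of the server definition. A client that should not see the LAN route can still be excluded per ccd file (push-remove route is available on OpenVPN 2.4 and later).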
-
Yep, LAN net is double NAT'd - I'm now working with the ISP on switching the router to bridge mode.
My net is:
On the VPS I have an OpenVPN server + Zabbix (10.8.0.1). On pfSense I have a Zabbix agent + proxy (10.8.0.2). Pfsense self-monitoring works fine (without proxy). I want to monitor some devices in the LAN - 192.168.1.101. Now I've been stuck in settings - pinging LAN devices from the OVPN interface does not work, but pinging the pfsense LAN address works fine.
UPD:
dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.10.10.4
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote <ip> 31194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
ncp-disable
resolv-retry infinite
route-nopull
link-mtu 1601
remote-cert-tls server
My goal is to set up Zabbix monitoring from the VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on the pfSense router (IP 10.8.0.2). Now Zabbix says "Timeout while connecting to "192.168.1.101:161"." In the diagnostics tab of the pfsense router, in the ping section, I can successfully ping pfsense itself: 192.168.1.1 from 10.8.0.2, but 192.168.1.101 from 10.8.0.2 fails: packets are lost somewhere.
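A quick way to check whether pfSense's own routing can explain the two ping results above is to run a longest-prefix-match lookup over the routing table the question posted. The script below is an added example, not something from the thread or from pfSense; it embeds the table exactly as printed (Destination, Gateway, Flags, Use, Mtu, Netif columns of a FreeBSD netstat -rWn listing) and resolves a destination address to the route entry the kernel would choose. It shows that 192.168.1.1 hits the host route on lo0 (the reply is generated locally, which is why that ping always works), while 192.168.1.101 is sent directly out em2 with no gateway, so the packet does leave pfSense and the loss has to be on the LAN side: the host's own firewall, or a return path that does not lead back to pfSense (for example a LAN host whose default gateway is still the ISP router).

```python
import ipaddress

# Routing table copied from the question (pfSense Diagnostics > Routes output),
# embedded here so the lookup runs offline. Columns: Destination Gateway Flags Use Mtu Netif
ROUTE_TABLE = """\
default 10.10.10.1 UGS 1855672 1500 em0
10.8.0.0/24 10.8.0.1 UGS 5678 1497 ovpnc1
10.8.0.1 link#9 UH 17561 1497 ovpnc1
10.8.0.2 link#9 UHS 234 16384 lo0
10.10.10.0/24 link#1 U 906808 1500 em0
10.10.10.4 link#1 UHS 0 16384 lo0
10.174.17.11 link#3 UHS 0 16384 lo0
10.174.17.11/32 link#3 U 0 1500 em2
127.0.0.1 link#6 UH 225741262 16384 lo0
192.168.1.0/24 link#3 U 521033894 1500 em2
192.168.1.1 link#3 UHS 18 16384 lo0
"""


def parse_routes(text):
    """Turn netstat-style lines into route dicts; bare host entries become /32."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip headers or blank lines
        dest, gateway, flags, _use, _mtu, netif = fields
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append({"net": net, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        if addr in route["net"] and (best is None or route["net"].prefixlen > best["net"].prefixlen):
            best = route
    return best


def describe(routes, ip):
    """Human-readable next hop: local, directly attached, or via a gateway."""
    route = lookup(routes, ip)
    if route is None:
        return f"{ip}: no route"
    if route["netif"] == "lo0":
        return f"{ip}: local address, answered by pfSense itself"
    if "G" in route["flags"]:
        return f"{ip}: via gateway {route['gateway']} on {route['netif']}"
    return f"{ip}: directly attached on {route['netif']} (ARP for the host, no gateway)"


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for target in ("192.168.1.1", "192.168.1.101", "10.8.0.4", "10.8.0.1"):
        print(describe(table, target))
```

If the lookup for the LAN host lands on em2 as it does here, the next things to check are the LAN host's default gateway and host firewall, and that pfSense's LAN rules allow the reply; the pfSense routing table itself is not the problem.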