Netgate Discussion Forum
    Access to LAN net behind pfsense from OpenVPN net

    4 Posts 3 Posters 775 Views
    • hAh0L13
      last edited by hAh0L13

      I have the latest pfSense, installed on custom hardware. It has a LAN net, 192.168.1.0/24, and a WAN to the provider's router, 10.10.10.1. I set up an OpenVPN client on pfSense to a remote server with subnet topology. pfSense is 10.8.0.2 in the OVPN net. I want to connect from other OpenVPN clients (10.8.0.4 and so on) to some LAN clients.

      Now I can't:

      pinging 192.168.1.1 (pfSense LAN address) from 10.8.0.2 (OVPN address) is successful

      PING 192.168.1.1 (192.168.1.1) from 10.8.0.2: 56 data bytes
      64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.070 ms
      64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.022 ms
      64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.019 ms
      

      pinging 192.168.1.101 (LAN client behind pfSense) from 10.8.0.2 fails

      PING 192.168.1.101 (192.168.1.101) from 10.8.0.2: 56 data bytes
      
      --- 192.168.1.101 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      

      My settings are:

      • routes:
        Destination       Gateway        Flags   Use         Mtu     Netif
        default           10.10.10.1     UGS     1855672     1500    em0
        10.8.0.0/24       10.8.0.1       UGS     5678        1497    ovpnc1
        10.8.0.1          link#9         UH      17561       1497    ovpnc1
        10.8.0.2          link#9         UHS     234         16384   lo0
        10.10.10.0/24     link#1         U       906808      1500    em0
        10.10.10.4        link#1         UHS     0           16384   lo0
        10.174.17.11      link#3         UHS     0           16384   lo0
        10.174.17.11/32   link#3         U       0           1500    em2
        127.0.0.1         link#6         UH      225741262   16384   lo0
        192.168.1.0/24    link#3         U       521033894   1500    em2
        192.168.1.1       link#3         UHS     18          16384   lo0

      • firewall rules in LAN tab: [screenshot]
      • firewall rules in OVPN tab: [screenshot]

      On VPN server, in ccd file added line:

      push "route 192.168.1.0 255.255.255.0 192.168.1.1"
      

      But receive in OpenVPN log on pfsense:

      Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
      
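The routing table in the post above can be checked mechanically. This is an added example, not code from the thread: a longest-prefix lookup over the table exactly as posted, which tells you for each destination whether pfSense treats it as one of its own addresses, as directly connected, or as reachable via a gateway. The column names (Destination, Gateway, Flags, Use, Mtu, Netif) are assumed from the usual FreeBSD netstat layout, since the post had no header.

```python
import ipaddress
from typing import NamedTuple, Optional

# Routing table as posted in the first message (assumed column order:
# Destination Gateway Flags Use Mtu Netif, the FreeBSD netstat layout).
ROUTES_TEXT = """
default          10.10.10.1  UGS  1855672    1500   em0
10.8.0.0/24      10.8.0.1    UGS  5678       1497   ovpnc1
10.8.0.1         link#9      UH   17561      1497   ovpnc1
10.8.0.2         link#9      UHS  234        16384  lo0
10.10.10.0/24    link#1      U    906808     1500   em0
10.10.10.4       link#1      UHS  0          16384  lo0
10.174.17.11     link#3      UHS  0          16384  lo0
10.174.17.11/32  link#3      U    0          1500   em2
127.0.0.1        link#6      UH   225741262  16384  lo0
192.168.1.0/24   link#3      U    521033894  1500   em2
192.168.1.1      link#3      UHS  18         16384  lo0
"""

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str

def parse_routes(text: str) -> list:
    """Parse netstat-style lines; a bare address is a /32 host route."""
    routes = []
    for line in text.strip().splitlines():
        dest, gateway, flags, _use, _mtu, netif = line.split()
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest), gateway, flags, netif))
    return routes

def lookup(routes, ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel forwarding lookup does."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen, default=None)

def classify(routes, ip: str) -> str:
    """Where a packet to `ip` goes: stays local, direct, or via a gateway."""
    r = lookup(routes, ip)
    if r is None:
        return "unroutable"
    if r.netif == "lo0":          # an address owned by pfSense itself
        return "local"
    if "G" in r.flags:            # gateway route
        return f"via gateway {r.gateway} on {r.netif}"
    return f"directly connected on {r.netif}"

ROUTES = parse_routes(ROUTES_TEXT)
```

Against this table, 192.168.1.1 is a local address (that ping never crosses em2), while 192.168.1.101 is directly connected on em2 and 10.8.0.4 is reached via 10.8.0.1 on ovpnc1, so pfSense's forwarding table itself is not what loses the packets to 192.168.1.101.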
      • Rico
        last edited by

        The setup you describe is not clear to me.
        Maybe you can draw your network picture and share all OpenVPN settings.

        -Rico

        • marvosa
          last edited by

          Looks like you're double NAT'd. The first thing you'll want to do is have your ISP put their router in bridge mode so pfSense gets a public IP.

          Second, your push route command is not necessary if you've configured things correctly in the GUI. Not to mention, I doubt you're trying to push a route with a different gateway, plus the syntax is incorrect anyway; you can remove that push route. If you need something client specific, use the "Client Specific Overrides" tab on VPN -> OpenVPN -

          Post your server1.conf (/var/etc/openvpn).

          • hAh0L13
            last edited by hAh0L13

            Yep, the LAN net is double NAT'd; I'm now working with the ISP to switch the router to bridge mode.
            My net is:
            [network diagram]

            On the VPS I have an OpenVPN server + Zabbix (10.8.0.1). On pfSense I have a Zabbix agent + proxy (10.8.0.2). pfSense self-monitoring works fine (without the proxy). I want to monitor some devices in the LAN, e.g. 192.168.1.101. Now I'm stuck on the settings: pinging LAN devices from the OVPN interface does not work, but pinging the pfSense LAN address works fine.

            UPD

            dev ovpnc1
            verb 1
            dev-type tun
            dev-node /dev/tun1
            writepid /var/run/openvpn_client1.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto udp4
            cipher AES-256-CBC
            auth SHA512
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            local 10.10.10.4
            tls-client
            client
            lport 0
            management /var/etc/openvpn/client1.sock unix
            remote <ip> 31194
            ca /var/etc/openvpn/client1.ca
            cert /var/etc/openvpn/client1.cert
            key /var/etc/openvpn/client1.key
            tls-auth /var/etc/openvpn/client1.tls-auth 1
            ncp-disable
            resolv-retry infinite
            route-nopull
            link-mtu 1601
            remote-cert-tls server
            

            My goal is to set up Zabbix monitoring from the VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on the pfSense router (IP 10.8.0.2). Now Zabbix says "Timeout while connecting to "192.168.1.101:161"." In the Diagnostics tab of the pfSense router, in the Ping section, I can successfully ping pfSense itself, 192.168.1.1 from 10.8.0.2, but 192.168.1.101 from 10.8.0.2 fails: packets are lost somewhere.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.