Access to LAN net behind pfsense from OpenVPN net
hAh0L13 last edited by hAh0L13
I have the latest pfSense, installed on custom hardware. It has a LAN net, 192.168.1.0/24, and a WAN to the provider's router, 10.10.10.1. I set up an OpenVPN client on pfSense to a remote server with subnet topology. pfSense is 10.8.0.2 in the OVPN net. I want to connect from other OpenVPN clients (10.8.0.4 and so on) to some LAN clients.
Now I can't:
Pinging 192.168.1.1 (pfSense LAN address) from 10.8.0.2 (OVPN address) is successful:
PING 192.168.1.1 (192.168.1.1) from 10.8.0.2: 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.070 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.019 ms
Pinging 192.168.1.101 (LAN client behind pfSense) from 10.8.0.2 fails:
PING 192.168.1.101 (192.168.1.101) from 10.8.0.2: 56 data bytes
--- 192.168.1.101 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
My settings are:
Destination        Gateway     Flags  Use        Mtu    Netif
default            10.10.10.1  UGS    1855672    1500   em0
10.8.0.0/24        10.8.0.1    UGS    5678       1497   ovpnc1
10.8.0.1           link#9      UH     17561      1497   ovpnc1
10.8.0.2           link#9      UHS    234        16384  lo0
10.10.10.0/24      link#1      U      906808     1500   em0
10.10.10.4         link#1      UHS    0          16384  lo0
10.174.17.11       link#3      UHS    0          16384  lo0
10.174.17.11/32    link#3      U      0          1500   em2
127.0.0.1          link#6      UH     225741262  16384  lo0
192.168.1.0/24     link#3      U      521033894  1500   em2
192.168.1.1        link#3      UHS    18         16384  lo0
- firewall rules in LAN tab:
- firewall rules in OVPN tab:
On the VPN server, in the ccd file, I added the line:
push "route 192.168.1.0 255.255.255.0 192.168.1.1"
But I receive this in the OpenVPN log on pfSense:
Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
The setup you describe is not clear to me.
Maybe you can draw your network picture and share all OpenVPN settings.
marvosa last edited by
Looks like you're double NAT'd. The first thing you'll want to do is have your ISP put their router in bridge mode so pfSense gets a public IP.
Second, your push route command is not necessary if you've configured things correctly in the GUI. Not to mention, I doubt you're trying to push a route with a different gateway; plus, the syntax is incorrect anyway, so you can remove that push route. If you need something client specific, use the "Client Specific Overrides" tab on VPN -> OpenVPN -
Post your server1.conf (/var/etc/openvpn).
hAh0L13 last edited by hAh0L13
Yep, the LAN net is double NAT'd. I'm now working with the ISP on switching the router to bridge mode.
My net is:
On the VPS I have an OpenVPN server + Zabbix (10.8.0.1). On pfSense I have a Zabbix agent + proxy (10.8.0.2). pfSense self-monitoring works fine (without the proxy). I want to monitor some devices in the LAN (192.168.1.101). Now I've been stuck on the settings: pinging LAN devices from the OVPN interface does not work, but pinging the pfSense LAN address works fine.
dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.10.10.4
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote <ip> 31194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
ncp-disable
resolv-retry infinite
route-nopull
link-mtu 1601
remote-cert-tls server
My goal is to set up Zabbix monitoring from the VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on the pfSense router (IP 10.8.0.2). Now Zabbix says "Timeout while connecting to "192.168.1.101:161"." In the Diagnostics tab of the pfSense router, in the ping section, I can successfully ping pfSense itself (192.168.1.1 from 10.8.0.2), but 192.168.1.101 from 10.8.0.2 fails: packets are lost somewhere.
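For reference, the standard OpenVPN pattern for making a LAN behind one client reachable from the server and from the other clients is the `route` / `iroute` pair shown below, which is what the ccd `push "route ..."` attempt in the first post was reaching for. This is an added example written for this thread, not configuration taken from the poster, from pfSense, or from the replies. It assumes the pfSense client's certificate CN is `pfsense-client` (a placeholder), that the server config lives in `/etc/openvpn/server.conf`, and that the ccd directory is `/etc/openvpn/ccd`; the tunnel 10.8.0.0/24 in subnet topology and the LAN 192.168.1.0/24 are taken from the thread.

```conf
# Added example (not the poster's config): expose the LAN 192.168.1.0/24 that
# sits behind the OpenVPN client "pfsense-client" (placeholder CN) to the server
# host and to every other client on 10.8.0.0/24.

# --- /etc/openvpn/server.conf (only the directives relevant to this) ---
server 10.8.0.0 255.255.255.0
topology subnet
# Per-client config files, named after the certificate CN of each client.
client-config-dir /etc/openvpn/ccd
# Forward client-to-client traffic inside OpenVPN. Without this, packets from
# 10.8.0.4 to 192.168.1.101 leave via the VPS kernel and come back in through
# the kernel route below, which then also needs IP forwarding and firewall rules.
client-to-client
# Kernel route on the VPS: send 192.168.1.0/24 into the tunnel interface.
route 192.168.1.0 255.255.255.0
# Tell every connecting client that 192.168.1.0/24 is on the far side of the
# tunnel. No gateway argument: each client uses its own tunnel gateway, since
# 192.168.1.1 (the pfSense LAN address) is not reachable as a next hop from
# the other clients.
push "route 192.168.1.0 255.255.255.0"

# --- /etc/openvpn/ccd/pfsense-client ---
# OpenVPN-internal route: the server now knows WHICH client owns 192.168.1.0/24.
# The kernel "route" above alone is not enough; without "iroute" the server
# drops packets for that network because it cannot map them to a client.
iroute 192.168.1.0 255.255.255.0
```

Two caveats that follow from the logs and config already in this thread. First, the pfSense client config posted above contains `route-nopull` (pfSense's "Don't pull routes" option). An OpenVPN client running with `route-nopull` discards every pushed `route` option and logs it with the same "option 'route' cannot be used in this context ([PUSH-OPTIONS])" message quoted in the first post. That is harmless for the pfSense client, because 192.168.1.0/24 is directly connected to it, but the other clients (10.8.0.4 and so on) must not have `route-nopull` set, or they will never install the route to 192.168.1.0/24. Second, the route only gets packets as far as pfSense: its firewall rules on the OpenVPN interface still have to permit 10.8.0.0/24 to the LAN, and the LAN hosts have to send their replies for 10.8.0.0/24 back through pfSense, which is the case when pfSense is their default gateway and otherwise needs an outbound NAT rule on LAN for that source network.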