Access to LAN net behind pfsense from OpenVPN net



  • I have the latest pfSense, installed on custom hardware. It has a LAN net, 192.168.1.0/24, and a WAN to the provider's router, 10.10.10.1. I set up an OpenVPN client on pfSense to a remote server with subnet topology. pfSense is 10.8.0.2 in the OVPN net. I want to connect from other OpenVPN clients (10.8.0.4 and so on) to some LAN clients.

    Now I can't:

    Pinging 192.168.1.1 (pfSense LAN address) from 10.8.0.2 (OVPN address) is successful:

    PING 192.168.1.1 (192.168.1.1) from 10.8.0.2: 56 data bytes
    64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.070 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.022 ms
    64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.019 ms
    

    Pinging 192.168.1.101 (LAN client behind pfSense) from 10.8.0.2 fails:

    PING 192.168.1.101 (192.168.1.101) from 10.8.0.2: 56 data bytes
    
    --- 192.168.1.101 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    

    My settings are:

    • routes:
    Destination      Gateway      Flags  Use        Mtu    Netif
    default          10.10.10.1   UGS    1855672    1500   em0
    10.8.0.0/24      10.8.0.1     UGS    5678       1497   ovpnc1
    10.8.0.1         link#9       UH     17561      1497   ovpnc1
    10.8.0.2         link#9       UHS    234        16384  lo0
    10.10.10.0/24    link#1       U      906808     1500   em0
    10.10.10.4       link#1       UHS    0          16384  lo0
    10.174.17.11     link#3       UHS    0          16384  lo0
    10.174.17.11/32  link#3       U      0          1500   em2
    127.0.0.1        link#6       UH     225741262  16384  lo0
    192.168.1.0/24   link#3       U      521033894  1500   em2
    192.168.1.1      link#3       UHS    18         16384  lo0
    
    • firewall rules in LAN tab: [screenshot]
    • firewall rules in OVPN tab: [screenshot]

    On VPN server, in ccd file added line:

    push "route 192.168.1.0 255.255.255.0 192.168.1.1"
    

    But receive in OpenVPN log on pfsense:

    Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    

  • The setup you describe is not clear to me.
    Maybe you can draw your network picture and share all OpenVPN settings.

    -Rico



  • Looks like you're double NAT'd. The first thing you'll want to do is have your ISP put their router in bridge mode so PFsense gets a public IP.

    Second, your push route command is not necessary if you've configured things correctly in the GUI. Not to mention, I doubt you're trying to push a route with a different gateway, plus the syntax is incorrect anyway, you can remove that push route. If you need something client specific, use the "Client Specific Overrides" tab on VPN -> OpenVPN -

    Post your server1.conf (/var/etc/openvpn).



  • Yep, the LAN net is double NAT'd; I'm now working with the ISP to switch the router to bridge mode.
    My net is:
    [network diagram screenshot]

    On the VPS I have the OpenVPN server + Zabbix (10.8.0.1). On pfSense I have the Zabbix agent + proxy (10.8.0.2). pfSense self-monitoring works fine (without proxy). I want to monitor some devices in the LAN, e.g. 192.168.1.101. Now I'm stuck on the settings: pinging LAN devices from the OVPN interface does not work, but pinging the pfSense LAN address works fine.

    UPD

    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.10.10.4
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote <ip> 31194
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    ncp-disable
    resolv-retry infinite
    route-nopull
    link-mtu 1601
    remote-cert-tls server
    

    My goal is to set up Zabbix monitoring from the VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on the pfSense router (IP 10.8.0.2). Now Zabbix says "Timeout while connecting to "192.168.1.101:161"." In the diagnostics tab of the pfSense router, in the ping section, I can successfully ping pfSense itself (192.168.1.1 from 10.8.0.2), but 192.168.1.101 from 10.8.0.2 fails: packets are lost somewhere.
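As an added illustration (not the poster's files and not pfSense's generated config): the client config above contains `route-nopull` (what pfSense's "Don't pull routes" checkbox emits), which is exactly why a pushed `route` is refused with the `[PUSH-OPTIONS]` error in the log; independently of that, the server side needs to learn that the pfSense client owns 192.168.1.0/24, which is done with `route` plus an `iroute` in that client's ccd file, while the `push` is what the other road-warrior clients need. The ccd directory path and the file name (the CN of the pfSense client certificate) are assumptions.

```conf
# --- server.conf on the VPS (OpenVPN server, 10.8.0.1): lines to add ---

# Tell the server's kernel that 192.168.1.0/24 is reached through the tun device.
route 192.168.1.0 255.255.255.0

# Per-client option directory (path is an assumption).
client-config-dir /etc/openvpn/ccd

# Give the other clients (10.8.0.4 and so on) a route to the pfSense LAN.
# No gateway argument: the gateway is the VPN itself. The pfSense client
# ignores this push because of its own route-nopull, which is fine since
# the subnet is local to it anyway.
push "route 192.168.1.0 255.255.255.0"

# --- /etc/openvpn/ccd/<CN-of-pfSense-client-cert> (file name is an assumption) ---

# iroute tells OpenVPN's internal routing table which connected client owns
# 192.168.1.0/24. Without it the kernel route above forwards packets into the
# tun device, but OpenVPN does not know which client to deliver them to and drops them.
iroute 192.168.1.0 255.255.255.0

# Do NOT put "push route ... 192.168.1.1" here: pushing the LAN's own route
# back to pfSense is what produced the Options error in the log.
```

Two things still have to hold on the pfSense side for 10.8.0.x to reach 192.168.1.101: the rule on the OpenVPN firewall tab must pass traffic from 10.8.0.0/24 to the LAN net, and the LAN host must both route replies to 10.8.0.0/24 via pfSense (its default gateway) and accept ICMP and SNMP/161 from a non-local subnet in its own host firewall, which is a common reason a ping to 192.168.1.1 succeeds while a ping to a LAN host "loses packets".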

