Cannot access WIFI hosts on OpenVPN



  • Hello,

    I have some problems with my openvpn configuration.
    I installed pfsense on a physical box and set up a LAN interface and a WIFI interface like so:
    Screen Shot 2019-06-04 at 11.29.17 AM.png
    LAN and WIFI interfaces work, I attached a switch to the LAN and a Wireless router to the WIFI. Both the clients on the switch and on the wifi router are connected and can browse online.
    I have only the openvpn port open on the WAN, for the rest everything else internally is open (please don't mind the redundant rules):
    Screen Shot 2019-06-04 at 11.32.10 AM.png
    Screen Shot 2019-06-04 at 11.32.18 AM.png
    Screen Shot 2019-06-04 at 11.32.28 AM.png
    LAN and WIFI have different subnets (LAN 192.168.1.1/24, WIFI 192.168.0.1/24), and they can ping each other fine if I am at home on either subnet. I can reach the router page, no problems.
    However when I connect via VPN, I can access the LAN and ping any LAN host (and access pfsense webui) but I cannot access any WIFI host.
    Best thing I can do is to ping the router (192.168.0.1) but nothing else connected to it. I cannot even access the web management page of the router (same address for which the ping works).

    Can anyone help me? Thank you.



  • Your new "any any" rules on your LAN and WIFI interfaces are pretty much unnecessary..

    I'd be more interested in your VPN config. Did you remember to add your WIFI subnet into that config?

    Is this a road-warrior setup?


  • Also, what is providing the wifi... Is it some wifi router plugged in via its WAN port to your 192.168.0 network and doing NAT?



  • @chpalmer that's why I said to not mind the unnecessary rules, I will clean those later :)
    I did add both subnets to the setting IPv4 Local network(s), separated by a comma, when I created the VPN.
    I also added these rules in the custom options based on some suggestions I found in some other post:
    Screen Shot 2019-06-04 at 12.02.55 PM.png
    It's not a road warrior setup, I'm still testing it for now to get it to work, I left pretty much everything default.



  • @johnpoz I plugged an asus GT-AC5300 from the WIFI interface to its wan port, correct.
    I disabled the firewall, left the DHCP but I tried to disable that and was not making much difference.
    NAT I can find only these settings, everything is pretty much default, I just disabled the firewall.
    NAT_Passthrough.jpg



  • Your WIFI access point is still doing NAT. Can you go to the WAN tab and see what your options are?



  • @chpalmer This is what I have. NAT is enabled, but if I disable I notice I cannot browse online anymore from the wifi hosts.
    WAN.jpg
    Thank you.



  • Under WAN Connection Type is there an "Access Point Mode" or similar option?

    Once you put it in access mode you will have to reset all your clients behind the WIFI unit..

    https://www.asus.com/us/support/FAQ/1015009/



  • So the only way is to set it up in AP Mode? I thought that may do it but wanted to try different options first.



  • @Jin84 said in Cannot access WIFI hosts on OpenVPN:

    I thought that may do it but wanted to try different options first.

    Like a router after router setup ? No way ...
    Who is doing DHCP here ? pfSense or your Wifi router ? Should be pfSense.

    You don't need a router after a router setup, and later on, you don't want a router after pfSense. Just put the Wifi thing in AP mode, and done with it.



  • I set up the router in AP mode, now I am able to ping the hosts, however it seems I cannot access the AP webui anymore, I'll try later to assign a static IP.

    Thank you!


  • To use a wifi router as just an AP.. You don't need to do anything with their nonsense interface... Just turn off its DHCP server - connect it to your network via one of its LAN ports!!! Set an IP on this LAN port to work on your network.

    Most of these nonsense native firmwares do not even allow you to put a gateway on the lan side interface.. So no you wouldn't be able to get to it remotely from another network.

    Put some 3rd party firmware on it like ddwrt or openwrt... If that doesn't work and it will not allow you to put a gateway on the LAN interface - then source NAT it on pfSense so that traffic going to the AP looks like it comes from the pfSense interface IP in that network.
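    The source NAT workaround described in the post above, written as a pf rule of the kind pfSense generates (an added example, not from the thread or from pfSense's own configuration). The interface name, the OpenVPN tunnel network and the AP's address are placeholders; in the pfSense webGUI the same thing is an Outbound NAT rule under Firewall > NAT > Outbound (Hybrid or Manual mode).

```pf
# Added example - not part of the original thread.
# Placeholders (replace with your own values):
#   wifi_if : the pfSense interface facing the WIFI segment
#   vpn_net : the OpenVPN tunnel network handed to VPN clients
#   ap_ip   : the LAN-side address you gave the AP after switching it to AP mode
wifi_if = "em2"
vpn_net = "10.8.0.0/24"
ap_ip   = "192.168.0.2"

# Rewrite the source of VPN-client traffic headed for the AP to pfSense's
# own address on the WIFI segment. The AP then sees a neighbour on its own
# subnet and can answer without having a gateway configured, so VPN clients
# can reach its web UI. Traffic to the wifi hosts themselves needs no NAT,
# since those hosts use pfSense as their gateway.
nat on $wifi_if from $vpn_net to $ap_ip -> ($wifi_if)
```

    Scope the rule to the AP's address only, as shown; translating all VPN traffic on the WIFI interface would hide the real client addresses from pfSense's own logs for that segment.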

