SG-1100 cannot reach LAN beyond pfSense firewall using OpenVPN wizard

  • After unsuccessfully searching this forum and Google and the pfSense book, I am still stuck.

    I have used the wizard to set up an OpenVPN instance on my netgate device. I can connect from outside the network.

    From the GUI server configuration page:
    IPv4 Tunnel Network is:
    IPv4 Local Network is:
    Topology is Subnet

    There are automatically generated outbound NAT rules I don't really understand, but they do contain the above networks.

    There is a firewall rule on the WAN allowing connections to 1194.

    There is a firewall rule on the OpenVPN tab allowing all created by the wizard.

    I can ping
    I can ping (self)
    I can ping (SG-1100)
    I cannot ping

    Route from SG-1100:

    default XX.XXX.184.1 UGS 87264 1500 mvneta0.4090
    UGS 0 1500 ovpns1
    link#13 UHS 0 16384 lo0
    link#13 UH 9 1500 ovpns1
    XX.XXX.184.0/22 link#10 U 31950 1500 mvneta0.4090
    XX.XXX.186.1 link#10 UHS 0 16384 lo0
    link#7 UH 327 16384 lo0
    link#11 U 459909 1500 mvneta0.4091
    link#11 UHS 0 16384 lo0

    Route of client when connected to openvpn:

    Network Destination Netmask Gateway Interface Metric 35 On-link 291 On-link 291 On-link 291 On-link 331 On-link 331 On-link 331 291 On-link 291 On-link 291 On-link 291 On-link 331 On-link 291 On-link 291 On-link 331 On-link 291 On-link 291

    Persistent Routes:

    Sorry the formatting is terrible.

    There are no log entries from firewall indicating a block.

    In the past, when I've created a tunnel setup on Ubuntu, I had to enter NAT rules with masquerade to make it work, but I thought the wizard would do it.

    Any help is greatly appreciated. Thanks.


  • This worked for me... In OpenVPN server under tunnel settings:

    Find Redirect IPv4 Gateway and check the box to force all client-generated IPv4 traffic through the tunnel.

    Save and see if you can ping the host LAN
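    A small diagnostic, added here and not part of the thread or of pfSense, that shows why the "Redirect IPv4 Gateway" change matters on the client side: it parses a Windows `route print` IPv4 table (constructed sample addresses, since the thread's real ones are not shown; 192.168.1.0/24 stands for the pfSense LAN and 10.0.8.0/24 for the tunnel network) and reports whether packets for a given host would actually enter the tunnel. Without a pushed route for the remote LAN they leave via the client's default gateway; a pushed LAN route or the two redirect-gateway def1 half-routes send them through the tunnel while the client's own LAN stays on-link.

```python
import ipaddress

# Constructed "route print" IPv4 table of a connected OpenVPN client (assumed
# values, not from the thread): home LAN 192.168.50.0/24, tunnel 10.0.8.0/24.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0     192.168.50.1   192.168.50.20     35
10.0.8.0    255.255.255.0         On-link        10.0.8.6    291
10.0.8.6  255.255.255.255         On-link        10.0.8.6    291
192.168.50.0    255.255.255.0         On-link   192.168.50.20    291
"""
# What the wizard's "IPv4 Local Network" pushes to the client (a route to the LAN).
PUSHED_LAN_ROUTE = "192.168.1.0    255.255.255.0        10.0.8.1        10.0.8.6    291\n"
# What "Redirect IPv4 Gateway" (redirect-gateway def1) installs: two /1 routes
# that beat the default route without replacing it.
REDIRECT_ROUTES = ("0.0.0.0        128.0.0.0        10.0.8.1        10.0.8.6     36\n"
                   "128.0.0.0      128.0.0.0        10.0.8.1        10.0.8.6     36\n")


def parse_route_print(text):
    """Return (network, gateway, interface, metric) tuples from route print lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, blank or persistent-route lines
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask))
        except ValueError:
            continue
        routes.append((net, gw, iface, int(metric)))
    return routes


def best_route(routes, host):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None


def exits_via_tunnel(route_text, host, tunnel_net="10.0.8.0/24"):
    """True if the selected route's interface address lies in the tunnel network."""
    r = best_route(parse_route_print(route_text), host)
    return r is not None and ipaddress.IPv4Address(r[2]) in ipaddress.IPv4Network(tunnel_net)
```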

  • Thank you for responding.

    After making the change, I now have many firewall entries between my SG-1100 and virtual IP address on the OpenVPN interface. Also from LAN hosts and virtual IP address on LAN interface.

    After updating the firewall rules, I still cannot ping the other hosts behind the LAN (I can ping them when connected to the LAN directly).

    I also turned off the firewall on the client.
