SG-1100 cannot reach LAN beyond pfSense firewall using OpenVPN wizard



  • After unsuccessfully searching this forum, Google and the pfSense book, I am still stuck.

    I have used the wizard to set up an OpenVPN instance on my Netgate device. I can connect from outside the network.

    From the GUI server configuration page:
    IPv4 Tunnel Network is: 10.8.2.0/24
    IPv4 Local Network is: 172.20.1.0/24
    Topology is Subnet

    There are automatically generated outbound NAT rules that I don't really understand, but they do contain the above networks.

    There is a firewall rule on the WAN allowing connections to port 1194.

    There is a firewall rule on the OpenVPN tab, created by the wizard, allowing all traffic.

    I can ping 10.8.2.1
    I can ping 10.8.2.2 (self)
    I can ping 172.20.1.1 (SG-1100)
    I cannot ping 172.20.1.3

    Route from SG-1100:

    default          XX.XXX.184.1  UGS  87264   1500   mvneta0.4090
    10.8.2.0/24      10.8.2.2      UGS  0       1500   ovpns1
    10.8.2.1         link#13       UHS  0       16384  lo0
    10.8.2.2         link#13       UH   9       1500   ovpns1
    XX.XXX.184.0/22  link#10       U    31950   1500   mvneta0.4090
    XX.XXX.186.1     link#10       UHS  0       16384  lo0
    127.0.0.1        link#7        UH   327     16384  lo0
    172.20.1.0/24    link#11       U    459909  1500   mvneta0.4091
    172.20.1.1       link#11       UHS  0       16384  lo0

    Route of client when connected to openvpn:

    Network Destination  Netmask          Gateway         Interface       Metric
    0.0.0.0              0.0.0.0          192.168.43.230  192.168.43.160  35
    10.8.2.0             255.255.255.0    On-link         10.8.2.2        291
    10.8.2.2             255.255.255.255  On-link         10.8.2.2        291
    10.8.2.255           255.255.255.255  On-link         10.8.2.2        291
    127.0.0.0            255.0.0.0        On-link         127.0.0.1       331
    127.0.0.1            255.255.255.255  On-link         127.0.0.1       331
    127.255.255.255      255.255.255.255  On-link         127.0.0.1       331
    172.20.1.0           255.255.255.0    10.8.2.1        10.8.2.2        291
    192.168.43.0         255.255.255.0    On-link         192.168.43.160  291
    192.168.43.160       255.255.255.255  On-link         192.168.43.160  291
    192.168.43.255       255.255.255.255  On-link         192.168.43.160  291
    224.0.0.0            240.0.0.0        On-link         127.0.0.1       331
    224.0.0.0            240.0.0.0        On-link         192.168.43.160  291
    224.0.0.0            240.0.0.0        On-link         10.8.2.2        291
    255.255.255.255      255.255.255.255  On-link         127.0.0.1       331
    255.255.255.255      255.255.255.255  On-link         192.168.43.160  291
    255.255.255.255      255.255.255.255  On-link         10.8.2.2        291

    Persistent Routes:
    None

    Sorry, the formatting is terrible.

    There are no log entries from the firewall indicating a block.

    In the past, when I've created a tunnel setup on Ubuntu, I had to enter NAT rules with masquerade to make it work, but I thought the wizard would do that.

    Any help is greatly appreciated. Thanks.

    Devan
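
    The two tables above can be walked by hand, but the check below does it mechanically. It is an added example, not part of the post and not Netgate/pfSense code: it parses the SG-1100 `netstat -rn`-style table and the Windows `route print` table exactly as posted, does a longest-prefix lookup for 172.20.1.3 on the client, then on the firewall, then the firewall's lookup for the reply to 10.8.2.2. The redacted WAN prefix XX.XXX.184.0/22 is replaced by the placeholder 100.64.184.0/22 (an assumption), and the one hop the posted data cannot show, the LAN host's own route back to the tunnel subnet, is reported as unverified rather than guessed.

```python
"""Walk the two posted route tables for a ping from the VPN client to a LAN host.

Added example for the thread above; not from the original post or pfSense.
Tables are transcribed from the post. The redacted WAN prefix is replaced by
the placeholder 100.64.184.0/22 (assumption, only affects the default route).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# SG-1100 table as shown on the post (Destination Gateway Flags Use MTU Netif).
SG1100_ROUTES = """\
default 100.64.184.1 UGS 87264 1500 mvneta0.4090
10.8.2.0/24 10.8.2.2 UGS 0 1500 ovpns1
10.8.2.1 link#13 UHS 0 16384 lo0
10.8.2.2 link#13 UH 9 1500 ovpns1
100.64.184.0/22 link#10 U 31950 1500 mvneta0.4090
100.64.186.1 link#10 UHS 0 16384 lo0
127.0.0.1 link#7 UH 327 16384 lo0
172.20.1.0/24 link#11 U 459909 1500 mvneta0.4091
172.20.1.1 link#11 UHS 0 16384 lo0
"""

# Windows client `route print` with the tunnel up (rows relevant to this walk).
CLIENT_ROUTES = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.230 192.168.43.160 35
10.8.2.0 255.255.255.0 On-link 10.8.2.2 291
10.8.2.2 255.255.255.255 On-link 10.8.2.2 291
172.20.1.0 255.255.255.0 10.8.2.1 10.8.2.2 291
192.168.43.0 255.255.255.0 On-link 192.168.43.160 291
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected / On-link
    iface: str
    metric: int = 0


def parse_bsd(text: str) -> list:
    """Parse FreeBSD/pfSense route rows; a bare host destination becomes a /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, gw, iface = parts[0], parts[1], parts[-1]
        net = ipaddress.IPv4Network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        gateway = None if gw.startswith("link#") else ipaddress.IPv4Address(gw)
        routes.append(Route(net, gateway, iface))
    return routes


def parse_windows(text: str) -> list:
    """Parse Windows `route print` rows; the six-token header row is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match; ties on prefix length go to the lower metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric)) if matches else None


def local_address(routes: list, net: ipaddress.IPv4Network) -> Optional[str]:
    """The firewall's own address on `net`: the /32 inside it that points at lo0."""
    for r in routes:
        if r.network.prefixlen == 32 and r.iface == "lo0" and r.network.network_address in net:
            return str(r.network.network_address)
    return None


def walk(dst: str = "172.20.1.3", client_tun_ip: str = "10.8.2.2") -> dict:
    """Client -> firewall -> LAN for dst, plus the firewall's route for the reply.

    The LAN host's own route back to client_tun_ip is not in the posted data,
    so the result names what it must be instead of asserting it."""
    client, fw = parse_windows(CLIENT_ROUTES), parse_bsd(SG1100_ROUTES)
    to_dst, fw_to_dst, fw_back = lookup(client, dst), lookup(fw, dst), lookup(fw, client_tun_ip)
    consistent = (
        to_dst is not None and to_dst.gateway is not None      # client hands it to the tunnel gateway
        and fw_to_dst is not None and fw_to_dst.gateway is None  # LAN is directly connected
        and fw_back is not None and fw_back.iface.startswith("ovpns")  # reply goes back down the tunnel
    )
    return {
        "client_next_hop": str(to_dst.gateway) if to_dst and to_dst.gateway else "on-link",
        "client_iface": to_dst.iface if to_dst else None,
        "firewall_egress": fw_to_dst.iface if fw_to_dst else None,
        "firewall_return_iface": fw_back.iface if fw_back else None,
        "posted_routing_consistent": consistent,
        # Unverified hop: the LAN host must route client_tun_ip via this address,
        # and its own host firewall must accept ICMP from the tunnel subnet.
        "lan_gateway_expected": local_address(fw, fw_to_dst.network) if fw_to_dst else None,
    }


if __name__ == "__main__":
    for key, value in walk().items():
        print(f"{key}: {value}")
```

    With the tables as posted, the walk comes out consistent on both ends: the client sends to 10.8.2.1 over the tunnel, the SG-1100 delivers on-link via mvneta0.4091, and it would return the reply via ovpns1. pfSense's automatic outbound NAT applies on WAN, not LAN, so 172.20.1.3 sees the echo request with source 10.8.2.2 and has to route the reply to 172.20.1.1 itself; that host's default gateway and its own host firewall are the two things this data cannot confirm and are the first things to check.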



  • This worked for me... In the OpenVPN server, under Tunnel Settings:

    Find Redirect IPv4 Gateway and check the box to force all client-generated IPv4 traffic through the tunnel.

    Save and see if you can ping the host LAN.



  • Thank you for responding.

    After making the change, I now have many firewall entries between my SG-1100 and the virtual IP address on the OpenVPN interface, and also from LAN hosts to the virtual IP address on the LAN interface.

    After updating the firewall rules, I still cannot ping the other hosts behind the LAN (172.20.1.3). I can ping them when connected to the LAN directly.

    I also turned off the firewall on the client.

