Netgate Discussion Forum
    Help with VLAN firewall rules

    jtbis

      I have the following setup:

      10.0.0.0/24 - default VLAN

      10.100.0.0/24 - VLAN 100

      10.8.0.0/24 - VPN network

      10.0.0.99 - VPN server

      I have a static route to 10.0.0.99 for the 10.8.0.3 subnet. Clients on the default VLAN (10.0.0.0/24) can ping clients on the VPN network (10.8.0.3). Clients on the 10.100.0.0/24 subnet can ping the VPN gateway, but aren't able to get to VPN clients. As far as I can tell, I am passing everything on the VLAN interface. I included tracert just in case it is a routing issue.

      Here is my any-any rule on the VLAN interface:
      [screenshot: opt1.PNG]

      tracert from client on default VLAN to vpn client:

      Tracing route to [VPN CLIENT] [10.8.0.3]
      over a maximum of 30 hops:
      
        1     1 ms    17 ms     4 ms  pfSense.[mydomain] [10.0.0.1]
        2     1 ms     1 ms     1 ms  [VPN SERVER].[mydomain] [10.0.0.99]
        3    61 ms    45 ms    60 ms  [VPN CLIENT] [10.8.0.3]
      

      tracert from client on 10.100.0.0/24 to vpn client:

      Tracing route to 10.8.0.3 over a maximum of 30 hops
      
        1    <1 ms    <1 ms    <1 ms  10.100.0.1
        2    <1 ms    <1 ms    <1 ms  [VPN SERVER].[mydomain] [10.0.0.99]
        3     *        *        *     Request timed out.
      
    viragomann

        Do the VPN clients have a route to the 10.100.0.0/24 subnet?
        You may have to push it to the clients.

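A route-lookup model of the topology described in this thread, added here as an illustration and not taken from either post: it reproduces the two traceroutes (forward path via pfSense and the VPN server works, the reply from the VPN client never returns) and shows how a pushed route for 10.100.0.0/24 changes the return path. The VPN server's tunnel address 10.8.0.1, the VPN client's own ISP default gateway ("isp"), pfSense's WAN default ("wan") and the sample VLAN 100 host 10.100.0.50 are assumptions.

```python
"""Constructed model of the thread's topology: forward path from VLAN 100
reaches the VPN client, but the client has no route back to 10.100.0.0/24."""
from ipaddress import ip_address, ip_network

# Each table is a list of (destination, next hop). "direct" = attached network.
# Addresses come from the thread except the assumed 10.8.0.1 (server tunnel
# address), "isp" (VPN client's own default), "wan" and host 10.100.0.50.
VLAN100_CLIENT = [("10.100.0.0/24", "direct"), ("0.0.0.0/0", "10.100.0.1")]
PFSENSE = [("10.0.0.0/24", "direct"), ("10.100.0.0/24", "direct"),
           ("10.8.0.0/24", "10.0.0.99"),        # static route from the post
           ("0.0.0.0/0", "wan")]
VPN_SERVER = [("10.0.0.0/24", "direct"), ("10.8.0.0/24", "direct"),
              ("0.0.0.0/0", "10.0.0.1")]        # default via pfSense
VPN_CLIENT = [("10.8.0.0/24", "direct"),
              ("10.0.0.0/24", "10.8.0.1"),      # route the server already pushes
              ("0.0.0.0/0", "isp")]             # client's untunnelled default
# Same client after the server pushes a route for VLAN 100 (the reply's advice).
VPN_CLIENT_FIXED = [("10.100.0.0/24", "10.8.0.1")] + VPN_CLIENT

# Which table answers for each next-hop address (pfSense has two interfaces).
ROUTERS = {"10.100.0.1": PFSENSE, "10.0.0.1": PFSENSE,
           "10.0.0.99": VPN_SERVER, "10.8.0.1": VPN_SERVER}

def next_hop(table, dst):
    """Longest-prefix match, as a host's kernel performs it; None = no route."""
    dst = ip_address(dst)
    matches = [(ip_network(net), via) for net, via in table
               if dst in ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start_table, dst, max_hops=8):
    """Follow next hops until delivered, dropped, lost outside the model, or looping."""
    hops, table = [], start_table
    for _ in range(max_hops):
        via = next_hop(table, dst)
        if via is None:
            return hops + ["no route"]
        if via == "direct":
            return hops + ["delivered"]
        hops.append(via)
        if via not in ROUTERS:
            return hops                         # e.g. "isp": left the topology
        table = ROUTERS[via]
    return hops + ["loop"]

if __name__ == "__main__":
    print("forward  :", trace(VLAN100_CLIENT, "10.8.0.3"))
    print("reply    :", trace(VPN_CLIENT, "10.100.0.50"))
    print("with push:", trace(VPN_CLIENT_FIXED, "10.100.0.50"))
```

The forward trace matches hops 1 and 2 of the second tracert in the post; the reply leaves the VPN client through its own default gateway, which is why hop 3 times out even though the VLAN rule is any-any.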
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.