Connect external client to internal client with OpenVPN through pfSense Firewall

bostongeorge

Hi all. I am really new to pfsense and routing.
I have this test environment where I want to allow an external client to access an internal webserver to a specific port.
So far now I was able to set Openvpn rules that give the clien 2 host an internal IP but I am not able to ping any host. why?
I dont know ho to proceede further in order to connect client 2 to server.
I can think something like port forwarding but I am a bit lost that is why I am asking for help here.
thanks in advance! 

viragomann

@bostongeorge
You internal machines may block traffic from outside of the own subnet.
Check the firewalls on the devices and allow access from the OpenVPN tunnel network.

bostongeorge

@viragomann The server can ping PC1 and Firewall(internal IP) but not Client2
Client 1 can ping Firewall (internal IP) but not server or PC2. But can connect to server via FTP.
Client 2 cannot ping anyon, event with vpn address.
Firewall cannot ping anyone.

So i am not able to troubleshoot why.
I understand that in the moment PC2 get (using VPN), the same IP address range as server and PC1, they should be able to communicate (via FTP) , or ping each other at least

bostongeorge

@bostongeorge --Update --
I did this: took down firewall in client 1 and server, now internally all can ping each other but from client 2 (external) i get this ping answer which say packets received but host unreachable?
what does that mean`?

Rico

Your drawing screams asymmetric traffic flow. Why is Client 2 connected to pfSense WAN and not behind pfSense (LAN)?

-Rico

bostongeorge

@rico Client 2 is an external client. Is not part of the internal network,
I neet to simulate client 2 can connect to server on ftp port 8070.
Client 1 can connect to server on ftp port 8070 (but they are on same lan segment so yeah).

Client 2 has to request to the firewall the possibility to go to server.
So firewall must allow that.

Rico

Consider while testing....connecting a Client to pfSense WAN RFC1918 is not the same as a Client connecting from the Internet.
If you really want to test your local installation, use something like a mobile connection.

-Rico

bostongeorge

@rico I understand that. I am testing all using VM

At the moment internally all devices can ping each other and external device can ping internal ip of firewall, but cannot ping internal server or internal pc1.

tsmalmbe

@bostongeorge Don't make your OpenVPN subnet the same as the internal LAN. Begging for issues and problems there. Make it completely different, then add a firewall rule to access whatever you need in the 70-subnet.

bostongeorge

@tsmalmbe you mean that the problem could be here?

tsmalmbe

@bostongeorge That will surely screw up your setup.

bostongeorge

@tsmalmbe I am now using this setup and all is working. I have followed a guide. so for the one interested let me know if you are in same problem (not sure i can post the link here).

I have follow this:

CONFIGURATION VM

pc real 192.168.0.0
FW bridged +Vmnet2 (host only)
Server custom Vmnet2
Client 1 custom Vmnet2
Client 2 bridged

IP ADDRESS

FW WAN 192.168.0.133
FW LAN 192.168.70.1
Client1 192.168.70.5
Server 192.168.70.230
Tunnel 192.168.60.0
Client2 192.168.0.137
Client 2 vpn 192.168.60.2

CONFIG ISNTALLATION

• Create CA authority
• Create server ceritficate
• Create User
• Create user certificate
• Enbable interface
• Openvpn wizard

tsmalmbe

You should probably somehow mark this thread as "solved".