Netgate Discussion Forum

    Can't connect to internet hosts when VPNed into internal VPN Server behind pfSense Router

    Category: Routing and Multi WAN
    Tags: openvpn, routing
    grillp:

      Hey Folks,

      Newbie here with pfSense, running 2.5.0.

      All in all, got the setup going fine, but having some problems with my OpenVPN Server connections, where my VPN connected devices (OpenVPN Server running on a separate host in my network through port forwarding) can not connect to any internet hosts.

      See diagram for my setup:

      [image attachment: 42308e31-08c9-4bf3-a771-fd4ca77b3e0f-image.png]

      With the setup, I can connect to the OpenVPN Server(s) from the outside (UDP or TCP). When connected I can ping/http/ssh to any of the IP addresses in my LAN Address Space (192.168.0.0/23).

      However, I can not access any hosts on the internet (Ping/HTTP etc).

      I want my VPN clients' internet connections to go through my OpenVPN Servers and out through my PPPoE/WAN so that they appear to be coming from my network.

      I previously had this working with a Tomato/Shibby router and the exact same OpenVPN Servers (although the LAN network was 192.168.0.0/24 previously), but I remember I had to add static routes on the router for 10.8.0.0/24 and 10.9.0.0/24 to go through the OpenVPN Server Host - 192.168.1.201; otherwise, the responses from the internet hosts could not find their way back to the VPN Clients through the VPN Servers.

      So, I added a gateway for the OpenVPN Host to pfSense and added 2 static routes for the 2 VPN network address ranges. But no go.

      [image attachment: 0fa67cdd-fb21-416b-a7c0-50a87c55dc85-image.png]

      I also added (not sure if I need it) Outbound NAT rules for the VPN Networks to NAT through the WAN:

      [image attachment: 775bd7bc-194c-49a8-91c7-dd5e03c47438-image.png]

      But still no go.

      Any ideas of what I am missing? Is it the mix of /23 and /24 network address ranges that is causing the issue?

      Please let me know.

      Cheers

      G./

      grillp:

        I added a firewall rule to log if I am passing or dropping traffic from LAN on 10.9.0.x to the WAN, but it looks like they are being passed on:

        [image attachment: 7a9dcf54-49d0-46f8-9666-cc98b1d44706-image.png]

        Is there a way I can check if the responses are being routed back to the 10.9.0.x network over the static route to 192.169.1.201?

        Cheers

        G./

        grillp:

          OK, I worked it out!

          I had the following Firewall rule for LAN:

          [image attachment: Screen Shot 2021-04-06 at 8.17.46 pm.png]

          But of course, the 10.8.0.0/23 and 10.9.0.0/23 (I changed them to /23 instead of /24) are not in the "LAN Net", so I had to add extra rules to allow that traffic out:

          [image attachment: baecb64d-b9fb-4d84-b216-035dbd903399-image.png]

          That as well as the static routes fixed it!

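The thread ends up needing two separate things on the pfSense box: a route so replies destined for the tunnel subnets are sent to the OpenVPN host instead of out the default WAN route, and a LAN pass rule whose source actually covers those subnets (the stock "LAN net" rule only matches 192.168.0.0/23). The model below, which is an added illustration and not pfSense code, reproduces both checks with longest-prefix route lookup and first-match rule evaluation, using the addresses from the thread; the client address 10.9.0.5 and the gateway label are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str      # gateway address, or "direct" for an attached network
    interface: str


@dataclass(frozen=True)
class PassRule:
    interface: str          # interface tab the rule lives on (packet ingress)
    source: IPv4Network     # source network the rule matches
    description: str


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def first_match(rules: list[PassRule], interface: str, src: str) -> Optional[PassRule]:
    """Rules on an interface tab are evaluated top-down, first match wins."""
    addr = ip_address(src)
    for rule in rules:
        if rule.interface == interface and addr in rule.source:
            return rule
    return None


# Addresses taken from the thread.
LAN_NET = ip_network("192.168.0.0/23")
VPN_HOST = "192.168.1.201"                       # OpenVPN server host on the LAN
TUNNELS = [ip_network("10.8.0.0/23"), ip_network("10.9.0.0/23")]

# Routing table before the static routes: only WAN default and the LAN net.
ROUTES_WITHOUT_STATIC = [
    Route(ip_network("0.0.0.0/0"), "pppoe-gateway", "WAN"),   # constructed label
    Route(LAN_NET, "direct", "LAN"),
]
# After adding the two static routes via the OpenVPN host.
ROUTES_WITH_STATIC = ROUTES_WITHOUT_STATIC + [Route(t, VPN_HOST, "LAN") for t in TUNNELS]

# LAN rule set before and after the fix from the last post.
RULES_LAN_NET_ONLY = [PassRule("LAN", LAN_NET, "Default allow LAN to any")]
RULES_FIXED = RULES_LAN_NET_ONLY + [PassRule("LAN", t, f"Allow {t} to any") for t in TUNNELS]


def return_path_ok(routes: list[Route], client: str) -> bool:
    """True when a reply to the VPN client is sent towards the OpenVPN host."""
    r = lookup(routes, client)
    return r is not None and r.next_hop == VPN_HOST


def outbound_allowed(rules: list[PassRule], client: str) -> bool:
    """True when a packet from the VPN client entering LAN hits a pass rule."""
    return first_match(rules, "LAN", client) is not None


def diagnose(routes: list[Route], rules: list[PassRule], client: str) -> dict:
    """Both conditions must hold for the client to reach the internet."""
    return {
        "outbound_passed": outbound_allowed(rules, client),
        "reply_routed_to_vpn_host": return_path_ok(routes, client),
    }


if __name__ == "__main__":
    client = "10.9.0.5"   # constructed VPN client address
    print("broken :", diagnose(ROUTES_WITHOUT_STATIC, RULES_LAN_NET_ONLY, client))
    print("fixed  :", diagnose(ROUTES_WITH_STATIC, RULES_FIXED, client))
    print("VPN host inside LAN /23:", ip_address(VPN_HOST) in LAN_NET)
```

Running it shows the two failure modes independently: without the static routes the reply to 10.9.0.5 matches only the default route and leaves via WAN, and with the "LAN net" rule alone the client's outbound packet matches no pass rule because 10.9.0.5 is not inside 192.168.0.0/23. The last line also answers the /23 question from the first post: 192.168.1.201 does sit inside 192.168.0.0/23, so the mixed prefix lengths are not the problem.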
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.