Netgate Discussion Forum
    Unable to connect to Company VPN with client machine behind pfSense

    Firewalling · 18 Posts · 3 Posters · 1.1k Views

      dwfa

      I am using pfSense v 21.05 on a Netgear SG-4860 1U box. I received a new MacBook Pro with Pulse Secure VPN and I am having issues.

      If I run the MBP and hotspot it to my mobile phone all works well (able to connect, get mail etc). But when I try to VPN in with the machine behind my pfSense, nothing works. VPN client says it is connected but I cannot reach any servers (including google.com).

      All other VPN clients I have used never had this issue.

      Any suggestions? What other information is required to help diagnose this?

      Thx in advance.

      dwfa

        viragomann @dwfa

        @dwfa
        I doubt that pfSense is blocking it by default. It will rather be blocked by something you have configured yourself.
        So what LAN rules have you added?
        Are you running packages like pfBlockerNG, Squid, Suricata?

          dwfa @viragomann

          @viragomann
          Thanks for the quick reply. I only have two LAN rules to route traffic between two ISPs.

          [screenshot: LAN rules]

          There are no other LAN rules. And I have had no issues with other VPN clients using the default gateway.

            viragomann @dwfa

            @dwfa
            No package installed?

            Is your client device a member of the SPEC_DEVICES alias?

              dwfa @viragomann

              @viragomann
              No, the client device is not part of the SPEC_DEVICES list, it goes through the default GW. As for packages:

              [screenshot: installed packages]

              The only one I installed was the acme ...

              dwfa2

                viragomann @dwfa

                @dwfa
                Do you know what the VPN really needs to work?

                Did you change the outbound NAT settings on pfSense?

                Try to connect the MacBook by a cable to rule out wifi issues.

                  dwfa @viragomann

                  @viragomann

                  Yes, I know the VPN is required - if I don't use it I cannot access assets I require to work.

                  As for outbound NAT, here is a pic:
                  [screenshot: outbound NAT settings]

                  I thought I tried wired, but with all the testing I have done, I do not recall - so will try again...

                    NogBadTheBad @dwfa

                    @dwfa Pulse works fine here without doing anything special.

                    Is your LAN subnet 10.0.0.0/8? If it is, why?

                    Maybe there is an overlap with your Pulse IP.

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      dwfa @NogBadTheBad

                      @nogbadthebad
                      Yes, my LAN subnet is 10.0.0.0/8. And I have had other VPN clients work fine which use a sub-divided 10.0.0.0/8 range (Cisco, for example) and it still works just fine for my wife.

                      So I did get the routes using netstat on my MBP and the VPN client's default gateway is the first route for all traffic. Unless I am missing something, that default GW route should override all others.

                      dwfa

                        dwfa

                        I tried via wired and same issue.

                          NogBadTheBad @dwfa

                          When you connect via the hotspot, what IP address do you get?

                          Maybe some of the other VPN connections you use tunnel everything over the VPN and Pulse is split tunnel.

                          Regardless, your LAN subnet is way too large.

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            dwfa @NogBadTheBad

                            Yes, if I am given a non-10 address it seems to work. I have never had this issue before. For me to change my network topology around will be a pain. There is a good reason I picked 10.

                            I found a work around 'til I can work with my company's IT team to fix this - or I live with the work around.

                            Thx to all for your support, really appreciate it.

                            dwfa

                              NogBadTheBad @dwfa

                              @dwfa 10 is fine, just don’t assign the whole 10.0.0.0/8 to a single interface.

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
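
                              Why a /8 on one interface breaks a full-tunnel VPN, shown with a longest-prefix-match simulation in Python (added illustration, not code from anyone in this thread; all addresses are constructed, and it assumes Pulse pushes a 0.0.0.0/0 route into a utun interface together with company resources and a DNS server in 10.x):

```python
import ipaddress

# Constructed example addresses: company resources that live inside 10.x and
# are only reachable through the tunnel, plus one public host.
VPN_DNS = "10.20.0.53"         # DNS server pushed by the VPN (constructed)
VPN_FILESERVER = "10.20.5.10"  # internal server (constructed)
PUBLIC_HOST = "142.250.80.46"  # some public address (constructed)

LAN_IF = "en0 (home LAN)"
TUNNEL_IF = "utun (Pulse tunnel)"


def routing_table(lan_cidr, tunnel_cidr="0.0.0.0/0"):
    """Routes a host holds after connecting: the directly connected LAN route
    and the route the VPN client installed (a default route for full tunnel)."""
    return [
        (ipaddress.ip_network(lan_cidr), LAN_IF),
        (ipaddress.ip_network(tunnel_cidr), TUNNEL_IF),
    ]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, no matter
    in which order netstat prints the entries."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, iface) for net, iface in table if addr in net]
    if not candidates:
        return "no route"
    return max(candidates, key=lambda e: e[0].prefixlen)[1]


def egress_per_destination(lan_cidr):
    """Interface each VPN-relevant destination actually leaves through."""
    table = routing_table(lan_cidr)
    return {dst: lookup(table, dst) for dst in (VPN_DNS, VPN_FILESERVER, PUBLIC_HOST)}


def vpn_usable(lan_cidr):
    """The VPN only works if its DNS server and internal hosts go via the tunnel.
    With the DNS server captured by the LAN route, even google.com fails to resolve."""
    egress = egress_per_destination(lan_cidr)
    return egress[VPN_DNS] == TUNNEL_IF and egress[VPN_FILESERVER] == TUNNEL_IF


if __name__ == "__main__":
    for lan in ("10.0.0.0/8", "10.0.1.0/24", "192.168.43.0/24"):
        print(lan, egress_per_destination(lan), "usable:", vpn_usable(lan))
```

With the LAN as 10.0.0.0/8, the connected /8 route is more specific than the tunnel's /0, so every 10.x company host (including the VPN's DNS server) is sent out the home LAN instead of the tunnel; narrowing the LAN to a /24, or sitting on a hotspot in 192.168.x, removes the overlap.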

                                viragomann

                                @dwfa said in Unable to connect to Company VPN with client machine behind pfSense:

                                I found a work around 'til I can work with my company's IT team to fix this

                                Do you really believe they would change the company's local subnet because one of the employees who wants to VPN in uses a /8 subnet at home?
                                I don't think so.

                                You're using 94% of the private network address space.
                                Why? Do you have 16 million network devices at home?

                                If your devices use DHCP, changing the mask would not be a big deal.

                                  dwfa @viragomann

                                  @viragomann
                                  Valid point, but this used to work with this company when I was there some time ago. So they changed something on their side and nothing has changed on my side. If it is an easy fix I do not see why a change could not be done.

                                    viragomann @dwfa

                                    @dwfa
                                    Maybe there is a sort of NAT possible in Pulse Secure VPN and they are willing to configure it for you. Don't know.
                                    Good luck!

                                      NogBadTheBad @viragomann

                                      @viragomann Pulse isn’t very configurable TBH.

                                      They bought the rights to Juniper's VPN solutions.

                                      Andy

                                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                        viragomann @NogBadTheBad

                                        @nogbadthebad
                                        I see. I don't know it.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.