Unable to connect to Company VPN with client machine behind pfSense
-
I am using pfSense v 21.05 on a Netgear SG-4860 1U box. I received a new MacBook Pro with Pulse Secure VPN and I am having issues.
If I run the MBP and hotspot it to my mbile phone all works well (able to connect, get mail etc). But when I try to VPN in with the machine behind my pfSense. Nothing works. VPN client says it is connected but I cannot reach any servers (including google.com).
All other VPN clients I have used never had this issue.
Any suggestions? What other information is required to help diagnose this?
Thx in advance.
dwfa
-
@dwfa
I doubt that pfSene is blocking it by default. It will rather be blocked by something you have configured yourself.
So what LAN rules have you added?
Are you running packages like pfBlockerNG, Squid, Suricata? -
@viragomann
Thanks for the quick reply. I only have two lan rules to route traffic between two ISPs.
There are no lan other rules. And I have had no issues with other VPN clients using the default gateway.
-
@dwfa
No package installed?Is your client device a member or the SPEC_DEVICES alias?
-
@viragomann
No the client device is not part of the SPEC_DEVICE List, it goes through the default GW. As for packages:
The only one I installed was the acme ...
dwfa2
-
@dwfa
Do you know, what the VPN really needs to work?Did you change the outbound NAT settings on pfSense?
Try to connect the the MacBook by a cable to rule out wifi issues.
-
Yes, I know the VPN is required - if I don't use it I cannot access assets I require to work.
As for outbound NATing here is a pix
I thought I tried wired, but with all the testing I have done, I do not recall - so will try again...
-
@dwfa Pulse works fine here without doing anything special.
Is your lan subnet 10.0.0.0/8 if it is why ?
Maybe there is an overlap with your Pulse IP.
-
@nogbadthebad
Yes my LAN subnet is 10.0.0.0/8. And I have had other VPN clients work fine which use a sub-divided 10.0.0.0/8 range (cisco for example) and it still works just fine for my wife.So I did get the routes using netstat on my MBP and the VPN client's default gateway is the first route for all traffic. Unless I am missing something that default GW route should override all other.
dwfa
-
I tried via wired and same issue.
-
When you connect via the hotspot what up address do you get?
Maybe some of the other VPN connections you use tunnel everything over the the VPN and Pulse is split tunnel.
Regardless your LAN subnet is way too large.
-
Yes if I am given a non 10 address it seems to work. I have never had this issue before. For me to change my network topology around will be a pain. There is a good reason I picked 10.
I found a work around 'til I can work with my companies IT team to fix this - or I live with the work around.
Thx to all for your support really appreciate it.
dwfa
-
@dwfa 10 is fine just don’t assign the whole 10.0.0.0/8 to a single interface.
-
@dwfa said in Unable to connect to Company VPN with client machine behind pfSense:
I found a work around 'til I can work with my companies IT team to fix this
Do you really beleave, they would change the campanies local subnet, because one of the employees who wants to vpn in uses a /8 subnet at home?
I don't think so.You're using 94% of the private network address space.
Why? Do you have 16 million network devices at home?If your devices uses DHCP, changing the mask would not be a bid deal.
-
@viragomann
Valid point, but this used to work with this company when I was there sometime ago. So they changed something on their side a nothing has changed on my side. If it is an easy fix I do not see why a change could not be done. -
@dwfa
Maybe there is a sort of NAT possible in Pulse Secure VPN and they are willing to configure it for your. Don't know.
Good luck! -
@viragomann Pulse isn’t very configurable TBH.
They brought the rights to Junipers VPN solutions.
-
@nogbadthebad
I see. I don't know it.
