Two clients cannot access the LAN after successful connection to pfSense
-
Before I go into the topic I have seen similar problems to mine on this forum but neither of these solutions worked here. Here is my problem in detail:
We have Android clients which are connected through OpenVPN on 192.168.70.0/24 (tunnel network). It goes into the pfSense firewall, which sits on 192.168.1.3 (network 192.168.1.0/24). Behind the firewall there are a few servers (plus a Cisco switch between the firewall and the servers on 192.168.1.1). These servers are on the 192.168.1.0/24 network as well. The goal here is to connect the Android clients with the servers.
My issue is that the first client that connects receives the IP 192.168.70.2 and can connect to the servers without any issue. The second client (192.168.70.3) that wants to connect gets in successfully (I can see on Status -> OpenVPN that both clients are connected and sending bits), but I cannot reach anything inside the LAN. The firewall rules are set to allow everything between 192.168.70.0/24 and 192.168.1.0/24.
I have also made sure in the OpenVPN server settings that the clients have access to the 192.168.1.0/24 and the 192.168.5.0/24 networks (there is a DNS server on 192.168.5.1). The VPN clients have their own certificates and users, so they are not sharing the same certificate.
We do have an old pfSense firewall connected on the same network (192.168.1.2) that is running an OpenVPN server. This one works like a charm with multiple clients, but it is an old machine (running 2.4.4-RELEASE-p3) and we are trying to replace it with the new one that doesn't work. The new firewall is a "copy paste" of the old firewall in terms of settings and rules. The only difference in the OpenVPN settings is that the old one has SHA1 and the new one has SHA256.
Here are some more tweaks I have tried and some useful info:
- Checking the ToS button in the OpenVPN server settings
- Checking the "Allow multiple concurrent connections from the same user" button in the OpenVPN server settings.
- I have redone the whole process of setting up an OpenVPN server, both from guides that instruct to create clients from the System -> User Manager menu and from guides that create users from the VPN -> OpenVPN -> Clients menu. No difference in the result there.
- I can ping the first client that connects to pfSense from the firewall, Cisco switch and servers, but not the second one that connects.
- Tried to disable the OpenVPN service on the old firewall just to eliminate any possibility of it blocking the new firewall and its services. Did not help at all.
- There is no difference in the system logs between the client that can access the LAN and the one that can't:
M2/XXX.XXX.XXX.XXX:47694 SENT CONTROL [M2]: 'PUSH_REPLY,dhcp-option DOMAIN appsvc.localdomain.test,dhcp-option DNS 192.168.5.1,redirect-gateway def1,route-gateway 172.16.70.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.70.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
M1/XXX.XXX.XXX.XXX:36455 SENT CONTROL [M1]: 'PUSH_REPLY,dhcp-option DOMAIN appsvc.localdomain.test,dhcp-option DNS 192.168.5.1,redirect-gateway def1,route-gateway 172.16.70.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.70.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1).
-
What IPv4 address do those clients have? If it's the same as the server end the VPN will connect but not work. I came across this years ago, when I did a lot of travelling with my work. I'd try to VPN home, but couldn't do anything. Changing my home subnet fixed the problem.
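One way to check for the overlap this reply describes, as an added example that is not part of the thread: a Python script that parses a PUSH_REPLY log line of the shape posted above (tunnel address, route gateway, DNS and any pushed routes) and reports whether the tunnel subnet, the pushed routes or the server-side LANs overlap the client's own local subnet. The sample line is constructed from the thread's own log entry; the client-side LAN values and the list of server networks are assumptions chosen to match the thread.

```python
import ipaddress
import re

# Constructed sample in the shape of the PUSH_REPLY lines quoted in the thread.
SAMPLE_PUSH_REPLY = (
    "M2/XXX.XXX.XXX.XXX:47694 SENT CONTROL [M2]: 'PUSH_REPLY,"
    "dhcp-option DOMAIN appsvc.localdomain.test,dhcp-option DNS 192.168.5.1,"
    "redirect-gateway def1,route-gateway 172.16.70.1,topology subnet,"
    "ping 10,ping-restart 60,ifconfig 172.16.70.2 255.255.255.0,peer-id 0,"
    "cipher AES-256-GCM' (status=1)"
)


def parse_push_reply(line):
    """Extract tunnel address/mask, route gateway, DNS servers and pushed
    'route <net> <mask>' entries from an OpenVPN 'SENT CONTROL ... PUSH_REPLY'
    log line. Raises ValueError if the line is not a PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("not a PUSH_REPLY line")
    result = {"dns": [], "routes": []}
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "ifconfig":
            # With 'topology subnet' the second argument is the netmask.
            result["tunnel"] = ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")
        elif parts[0] == "route-gateway":
            result["gateway"] = ipaddress.ip_address(parts[1])
        elif parts[0] == "dhcp-option" and len(parts) == 3 and parts[1] == "DNS":
            result["dns"].append(ipaddress.ip_address(parts[2]))
        elif parts[0] == "route" and len(parts) >= 3:
            # Pushed for each 'Local Network(s)' entry on the server.
            result["routes"].append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            )
    return result


def find_overlaps(client_lan, server_networks, pushed):
    """Return [(label, network_str), ...] for every network the client must
    reach through the tunnel that overlaps the client's own local subnet.
    Any hit means the client will route those destinations to its local
    interface instead of the VPN, so the tunnel comes up but nothing answers."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    candidates = []
    if "tunnel" in pushed:
        candidates.append(("tunnel", pushed["tunnel"].network))
    candidates += [("remote", ipaddress.ip_network(n, strict=False)) for n in server_networks]
    candidates += [("pushed-route", n) for n in pushed["routes"]]
    return [(label, str(net)) for label, net in candidates if lan.overlaps(net)]


if __name__ == "__main__":
    pushed = parse_push_reply(SAMPLE_PUSH_REPLY)
    # Assumed server-side networks from the thread; assumed client LAN is the
    # common consumer-router default, which collides with the server LAN.
    server_nets = ["192.168.1.0/24", "192.168.5.0/24"]
    for lan in ("192.168.1.0/24", "10.0.0.0/24"):
        hits = find_overlaps(lan, server_nets, pushed)
        print(f"client LAN {lan}: {'overlaps ' + str(hits) if hits else 'no overlap'}")
```

Run it with the client's actual local subnet (visible on the Android device's Wi-Fi details) in place of the assumed values; a second client failing where the first works is consistent with only that client sitting on a LAN that collides with one of the reported networks.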
-
@mike_7947 Take a look at the following for guidance regarding address selection.
https://routersecurity.org/ipaddresses.php
Ted Quade