    OpenVPN - Network Segment - Firewall Rule

    General pfSense Questions
    penguinpages

      I watched several postings on how to setup basic OpenVPN client access.

      I installed client export. Made reference to the correct WAN DDNS target. All seems good. Clients connect and they show DNS from LAN, route tables denoting the dedicated network within the environment, as well as routing to the Production LAN. But the clients are NOT able to communicate.

      I do see resolution of MAC to router "VPN" interface, so L2 is definitely working, and route tables / DNS are correct. My guess then is firewall rule. But, in various videos, I did not see any examples where the VPN LAN segment needs to be set to allow ingress to the various Intranet VLANs. Examples below:

      Production LAN: VLAN 100 172.16.100.0/24 GW (router) .1
      DNS: 172.16.100.22
      VPN VLAN / Network: 172.16.104.0/24 GW (router) .1

      VPN: IP leased to client 172.16.104.2/24
      Route:
      172.16.104.0/24 172.16.104.2
      172.16.100.0/24 172.16.104.1

      So all that looks normal.

      Firewall rule: Only one for VPN for ingress on WAN 1194, destination any.

      So that looks kosher.

      I don't think I have to create route logic within pfSense to forward, but maybe I missed that part of the walkthroughs.

    SteveITS @penguinpages

        @penguinpages said in OpenVPN - Network Segment - Firewall Rule:

        examples where the VPN LAN segment needs to be set to allow ingress

        Take a look at: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/firewall-rules.html#allowing-traffic-over-openvpn-tunnels


    stephenw10 (Netgate Administrator)

          You need a firewall rule to pass traffic from VPN clients coming in over the tunnel. That either has to be on the OpenVPN tab on the firewall rules page or the assigned interface tab if you have assigned the OpenVPN server as an interface. Be aware that the OpenVPN tab acts as an interface group that includes all OpenVPN servers and clients. If you have assigned an OpenVPN interface you usually want the rules on the assigned interface tab and not on the group openvpn tab.

          Steve

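    As an added example, not code from the thread, from pfSense or from Netgate: a small POSIX shell check that reads a ruleset in the form `pfctl -sr` prints on a pfSense box and reports whether the poster's tunnel network (172.16.104.0/24) has a pass rule on the `openvpn` interface group (the OpenVPN tab) or on an assigned interface (assumed here to be `ovpns1`, the first server instance). The three rulesets in the script are constructed to mirror the states discussed: the WAN-only rule from the first post, a rule added on the OpenVPN tab, and a rule placed only on the assigned interface tab, which stephenw10's reply recommends once the instance is assigned.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# Reads a ruleset in the form printed by `pfctl -sr` on pfSense and reports
# whether traffic arriving from the VPN tunnel network has a pass rule on the
# interface(s) given.  Interface names are assumptions: "openvpn" is the
# OpenVPN interface group behind the OpenVPN tab, "ovpns1" the first server
# instance once it has been assigned as an interface.

TUNNEL_NET="172.16.104.0/24"   # VPN tunnel network from the first post

# Constructed ruleset 1: only the WAN rule admitting UDP/1194 to the server.
# This is the state the first post describes: the tunnel comes up, but no rule
# passes traffic entering from the tunnel side, so the default deny wins.
RULES_WAN_ONLY='pass in quick on em0 inet proto udp from any to (em0) port = 1194 keep state label "USER_RULE: OpenVPN server"
block drop in log inet all label "Default deny rule IPv4"'

# Constructed ruleset 2: the same, plus "VPN net -> any" on the OpenVPN tab.
RULES_GROUP="$RULES_WAN_ONLY
pass in quick on openvpn inet from $TUNNEL_NET to any flags S/SA keep state label \"USER_RULE\""

# Constructed ruleset 3: the pass rule exists only on the assigned interface
# tab (ovpns1), with nothing on the OpenVPN group tab.
RULES_ASSIGNED="$RULES_WAN_ONLY
pass in quick on ovpns1 inet from $TUNNEL_NET to any flags S/SA keep state label \"USER_RULE\""

# Print the pass rules on stdin that admit inbound traffic on interface $1
# from the tunnel network (or from any source).
tunnel_pass_rules() {
    grep -E "^pass +in .* on $1 " | grep -E "from (any|$TUNNEL_NET) "
}

# tunnel_status RULESET IFACE...: print "allowed" if any listed interface has a
# matching pass rule, else "blocked".  Exit status mirrors the result.
# List the group name first: pfSense evaluates interface-group rules before
# the rules of the individual assigned interface.
tunnel_status() {
    rules=$1
    shift
    for iface in "$@"; do
        if printf '%s\n' "$rules" | tunnel_pass_rules "$iface" | grep -q .; then
            echo allowed
            return 0
        fi
    done
    echo blocked
    return 1
}

# Demonstration on the constructed rulesets.  On a live firewall, feed the
# real output instead:  tunnel_status "$(pfctl -sr)" openvpn ovpns1
echo "WAN rule only:                 $(tunnel_status "$RULES_WAN_ONLY" openvpn ovpns1)"
echo "Rule on OpenVPN tab:           $(tunnel_status "$RULES_GROUP" openvpn ovpns1)"
echo "Rule on assigned tab, group:   $(tunnel_status "$RULES_ASSIGNED" openvpn)"
echo "Rule on assigned tab, both:    $(tunnel_status "$RULES_ASSIGNED" openvpn ovpns1)"
```

    The check only looks at pass rules whose source is the tunnel network or any; a rule scoped to a single client address or a different network will be reported as blocked, which is the behaviour you want when auditing why a tunnel that is up still carries no traffic. When the OpenVPN instance is assigned as an interface, run the check against both names so a rule left on the group tab is not mistaken for one on the assigned tab.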
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.