Had to NAT OpenVPN to get to LAN
-
I set up OpenVPN. Connections to it from Windows worked fine. DNS worked. Tunnel to the internet worked (I didn't do split tunnel). Couldn't reach anything on the LAN.
Rules on LAN and OpenVPN looked good. I went with the auto-generated one and added some rules to catch anything else so I'd see it in the log.
pfSense is the gateway for the LAN side.
I tried to ping and tried some services on specific ports and nothing worked. I could see the traffic getting out but no response.
I made an outgoing NAT rule. OpenVPN IPs to LAN allow. It all started working.
I don't get it. It's like OpenVPN is some network out by itself.
I also noticed the DNS won't return any records that would resolve to LAN IPs. Like from the LAN side no problem. From the OpenVPN it gets responses like they don't exist.
-
@cylosoft
I suspect your LAN devices are blocking access by their own firewall. For DNS resolution attach the domain to the host name.
-
@viragomann I tested everything on the LAN before testing through OpenVPN so I know all the services work. Also it all works with Outbound NAT on pfSense.
I have the domain in OpenVPN to be passed through. But I also tested giving it the entire query.
-
@cylosoft said in Had to NAT OpenVPN to get to LAN:
I tested everything on the LAN before testing through OpenVPN so I know all the services work. Also it all works with Outbound NAT on pfSense.
Another LAN device is within the same subnet. OpenVPN is another one. The devices' firewalls treat this differently by default.
NAT translates the VPN IP into a LAN address.
@cylosoft said in Had to NAT OpenVPN to get to LAN:
I have the domain in OpenVPN to be passed through. But I also tested giving it the entire query.
You have to provide a DNS server in the OpenVPN settings, which can resolve the host names (NetBIOS doesn't work across a router), and ensure that the VPN client is able to access the DNS server.
And you have to use FQDNs on the VPN client. If the remote domain is yourdom.local and you want to access yourhost you have to state yourhost.yourdom.local.
The domain must be set in System > General Setup.
-
@viragomann Yeah I'm aware of all that. OpenVPN gives the pfSense VPN IP as DNS server. It works with anything public. It doesn't work with anything that should resolve to LAN IP. Doesn't work with FQDN. From the LAN side same DNS server does resolve FQDN. The remote machine is using the same domain as pfSense and what the LAN machines get via DHCP. But again I tested FQDN so even if the remote machine didn't know the domain it should get the correct response from the DNS server.
I get what NAT does. I don't see why I'm having to use it. pfSense sees both the LAN and VPN networks as its own literally everywhere I look. Usually with pf you are fighting to keep traffic from being able to go between different networks.
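The following is an added illustration of the point viragomann makes in this thread: a LAN host's own inbound firewall rules are often scoped to the "local subnet", so a packet arriving with an OpenVPN tunnel source address is dropped by the host even though pfSense routed it correctly, and outbound NAT "fixes" it only because the host then sees pfSense's LAN address instead. It is written for this page and is not code from any post, pfSense or OpenVPN; all addresses (192.168.1.0/24 for the LAN, 10.8.0.0/24 for the tunnel, 192.168.1.1 for pfSense) are constructed, and the host firewall is a simplified model, not a real Windows Firewall policy.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed addresses for the illustration (assumptions, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # the LAN behind pfSense
VPN_NET = ipaddress.ip_network("10.8.0.0/24")          # OpenVPN tunnel network
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")   # pfSense LAN address (and LAN default gateway)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class NatRule:
    """A pfSense-style outbound NAT rule: traffic from src_net to dst_net leaves with a translated source."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address


def apply_outbound_nat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """First matching rule wins, as in a firewall's NAT table; with no match the source is untouched."""
    for rule in rules:
        if pkt.src in rule.src_net and pkt.dst in rule.dst_net:
            return replace(pkt, src=rule.translate_to)
    return pkt


def host_firewall_accepts(pkt: Packet, host_net: ipaddress.IPv4Network,
                          allowed_remote: Optional[List[ipaddress.IPv4Network]] = None) -> bool:
    """Simplified model of a LAN host's inbound firewall rule (e.g. ICMP echo, file sharing).

    Many host firewalls ship such rules scoped to the host's own subnet only; allowed_remote models
    an administrator widening that scope to additional networks such as the VPN tunnel subnet.
    """
    if pkt.src in host_net:
        return True
    return any(pkt.src in net for net in (allowed_remote or []))


def simulate(client_ip: str, target_ip: str, nat_rules: List[NatRule],
             allowed_remote: Optional[List[ipaddress.IPv4Network]] = None) -> Tuple[str, bool]:
    """Return (source address the LAN host sees, whether its host firewall accepts the packet)."""
    pkt = Packet(ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip))
    seen_by_host = apply_outbound_nat(pkt, nat_rules)
    return str(seen_by_host.src), host_firewall_accepts(seen_by_host, LAN_NET, allowed_remote)


# The kind of outbound NAT rule the original poster added: VPN clients to LAN, translated to pfSense's LAN IP.
NAT_VPN_TO_LAN = [NatRule(VPN_NET, LAN_NET, PFSENSE_LAN_IP)]

if __name__ == "__main__":
    client, host = "10.8.0.6", "192.168.1.50"
    print("no NAT, default host firewall  :", simulate(client, host, []))
    print("outbound NAT to pfSense LAN IP :", simulate(client, host, NAT_VPN_TO_LAN))
    print("no NAT, host allows VPN subnet :", simulate(client, host, [], [VPN_NET]))
```

Run as a script, the first case is the failing ping from the thread (the host sees 10.8.0.6, off its subnet, and drops it), the second is the NAT workaround (the host sees 192.168.1.1 and answers), and the third is the alternative of adding the tunnel subnet to the host firewall's rule scope. The trade-off is visible in the first element of each result: with NAT every VPN client appears in the LAN host's logs as pfSense itself, so per-client accountability on the host is lost; widening the host rule to the VPN subnet keeps the real source address visible while still allowing only the tunnel network.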