OpenVPN on pfSense Can Access the Netgate but no Other Resources on the LAN
-
Greetings,
I am a volunteer with a small non-profit charged with securing our network. I am new to pfSense and in need of help.
I have created an openVPN on my Netgate 2100.
My laptop (at a remote location) is on a 192.168.1.0/24
The OpenVPN Tunnel is on 192.168.60.0
The Netgate LAN is 192.168.10.1/24.
I can remotely connect to the Netgate at 192.168.10.1, but nothing else on the 192.168.10.xxx subnet.
Here are screenshots of my rules
I am sure I am missing something obvious, but I cannot figure it out. Assistance will be greatly appreciated!
Best,
Leon -
@ccgc And what about what you're trying to talk to? Do they run a firewall? Do they allow this 192.168.60/24 network? Do they point back to pfSense as their gateway?
These are two things that would cause your problem.
Either of them can normally be worked around by doing an outbound NAT on your LAN, so that the device you're talking to thinks it is the pfSense IP address on the LAN, i.e. 192.168.10.1.
-
I guess I didn't make myself very clear.
I need to be able to remotely connect to devices on their network.
Yes, "they" have a firewall. "That firewall" is what I am attempting to configure.
I have built the OpenVPN tunnel on 192.168.60/24 on the Netgate pfsense, so yes, they allow it.
And I can connect to 192.168.10.1 (the Netgate pfSense) on "their" network, so I am getting into their network, but I can't connect to any other devices on the 192.168.10.0/24 network, and that is the problem.
-
@ccgc I guess I didn't make myself clear either.. I know exactly what you asked, and gave the answer..
You have this right..
If that destination device is running a firewall, that 192.168.10.x in my drawing, it would have to be set to allow the 192.168.60 network, which is what this remote client is going to look like to that destination box.
If that destination box does not point back to the pfSense 192.168.10.1 address as its gateway, or have a route on it that says "hey, to talk to 192.168.60/24, talk to 192.168.10.1", then it's never going to work.
If using pfSense as its gateway, make sure its firewall allows 192.168.60/24.
Or quite often you can do an outbound NAT on the pfSense LAN network (this 192.168.10.1), so that when traffic comes from this 192.168.60.x IP to go to the destination box, it will look like it came from 192.168.10.1 - which the destination firewall might allow, and it also would answer back directly without sending to its gateway, if that happens to be different than pfSense.
While the outbound NAT can overcome the client not using pfSense as a gateway.. It's possible its firewall still won't allow what you're trying to talk to even if the IP is on its local network, i.e. the 192.168.10.1 address.
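The three failure modes in the answer above (host firewall not allowing 192.168.60/24, the destination box replying via a gateway other than pfSense, and outbound NAT masking the VPN source as 192.168.10.1) as an added Python model; this is not code from the thread, and the host addresses, the 192.168.10.254 "other router" and the VPN client address 192.168.60.5 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

VPN_NET = ipaddress.ip_network("192.168.60.0/24")      # OpenVPN tunnel network
LAN_NET = ipaddress.ip_network("192.168.10.0/24")      # Netgate LAN
PFSENSE_LAN = ipaddress.ip_address("192.168.10.1")     # pfSense LAN address


@dataclass
class LanHost:
    """A destination box on the LAN, modelled by its routes and its host firewall."""
    ip: str
    gateway: str                                 # default gateway the host actually uses
    routes: dict = field(default_factory=dict)   # static routes: prefix -> next hop
    allowed_src: tuple = ("192.168.10.0/24",)    # host firewall: permitted source networks

    def allows(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(n) for n in self.allowed_src)

    def reply_next_hop(self, src: str) -> str:
        """Where the host sends its reply: on-link, via a static route, or via its default gateway."""
        addr = ipaddress.ip_address(src)
        if addr in LAN_NET:
            return "on-link"
        for prefix, hop in self.routes.items():
            if addr in ipaddress.ip_network(prefix):
                return hop
        return self.gateway


def vpn_client_reaches(host: LanHost, client_ip: str = "192.168.60.5",
                       outbound_nat: bool = False) -> tuple:
    """Return (ok, reason). outbound_nat=True models the pfSense outbound NAT rule that
    rewrites the VPN client's source address to the pfSense LAN address (constructed model)."""
    src = str(PFSENSE_LAN) if outbound_nat else client_ip
    if not host.allows(src):
        return False, f"host firewall drops packets from {src}"
    hop = host.reply_next_hop(src)
    # Only pfSense (or a directly attached reply) knows the way back into the tunnel.
    if hop not in ("on-link", str(PFSENSE_LAN)):
        return False, f"reply goes to {hop}, which has no route back to {VPN_NET}"
    return True, f"reply via {hop}"
```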
-
Thank you very much for your guidance. I now have OpenVPN to the LAN working fine.
Now I'm trying to figure out the next problem. I have used port 4 on the Netgate 2100 to assign a VLAN with a completely different IP of 10.1.10.1/24. The VPN server does include 10.1.10.1/24. I added a rule to that interface (for now) as any to any, but the OpenVPN cannot get to a web server at 10.1.10.200.
Assistance will be GREATLY appreciated.
Leon