Netgate Discussion Forum
    when connected to vpn i'm not able to access esxi server through pfsense router

    General pfSense Questions
    8 Posts 3 Posters 898 Views
    rajukarthik (last edited by rajukarthik)

      I'm not able to access the ESXi server web console/controller through the Cisco VPN client (the client is Shrew Soft) on the pfSense firewall. If I remove the pfSense firewall from the network then I'm able to access the ESXi server web console via the same VPN client.

      My Internet Architecture is as below,

      Router - Firewall - Switch - ESXi and all client systems

      I mean to say that if I remove the firewall from the network and connect the switch directly to the router, I'm able to access the ESXi web console via VPN.

      Kindly advise on how to fix this issue.

      Thanks and Regards,
      Karthik Raja

      stephenw10 (Netgate Administrator)

        Where is the VPN client connecting to?

        How is the connection to the ESXi console coming in?

        Do you see blocked traffic in the firewall logs?

        Steve

        rajukarthik @stephenw10

          @stephenw10
          The VPN is connecting to our office network (Cisco RV345 router).
          The connection for ESXi comes from the switch, which is connected to the pfSense firewall. pfSense is connected to the router.
          I could see blocked traffic in the firewall. Please find the attachment below:
          [attachment: accessibility issue 2.35.png]

          johnpoz (LAYER 8 Global Moderator) @rajukarthik

            @rajukarthik Well, out of the box pfSense doesn't allow anything inbound to the WAN. You would have to allow for that either with a firewall rule, or a port forward if you're doing NAT, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            rajukarthik @johnpoz

              @johnpoz Thanks for the reply.

              I will try as you suggested and update.

              johnpoz (LAYER 8 Global Moderator) @rajukarthik (last edited by johnpoz)

                @rajukarthik Also, even if you create a firewall rule or port forward, you would need to disable the "block RFC 1918" rule that defaults on the WAN, which blocks source RFC 1918 IPs, since from what you posted that source is RFC 1918. You must have turned off the RFC 1918 rule already, or that would have been the rule to block it rather than just the default deny.

                rajukarthik @johnpoz (last edited by rajukarthik)

                  @johnpoz
                  I have disabled the RFC 1918 rule and created a firewall rule as below, but I am still not able to access it.
                  Could you please help?
                  Below is the firewall rule:
                  [attachment: firewall rule for allowing kvm via shr vpn.png]

                  stephenw10 (Netgate Administrator)

                    The blocked traffic you showed is on the WAN. To pass that traffic you would need a firewall rule on the WAN. That screenshot shows a rule on LAN.

                    However, if you are trying to pass the VPN traffic to the Cisco router behind pfSense you need to add a port forward. By default that will add a firewall rule for you:
                    https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards

                    Steve

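                    Putting the two answers above together (the WAN-side block on RFC 1918 sources that is evaluated before any user rule, and the port forward with its associated pass rule on WAN rather than LAN), the fragment below is a hand-written pf ruleset added here as an illustration; it is not taken from the thread and is not pfSense's generated ruleset. The interface names em0 (WAN) and em1 (LAN), the ESXi host address 192.168.1.10 and the VPN client pool 10.10.10.0/24 handed out by the Cisco router are assumptions.

```pf
# Added illustration in pf syntax, not pfSense's generated rules.
# Assumptions: WAN = em0, LAN = em1, ESXi host = 192.168.1.10,
# VPN clients get addresses from 10.10.10.0/24 on the Cisco router.
wan_if   = "em0"
lan_if   = "em1"
esxi     = "192.168.1.10"
vpn_pool = "10.10.10.0/24"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translation rules come before filter rules in pf.
# Port forward, needed only if pfSense NATs between WAN and LAN: traffic
# from the VPN pool aimed at the WAN address on 443 is redirected to ESXi.
# The ESXi Host Client is on TCP 443; the VM remote console also uses TCP 902.
rdr on $wan_if inet proto tcp from $vpn_pool to ($wan_if) port 443 -> $esxi port 443

# "Block private networks" on WAN. It is 'quick' and sits above every user
# rule, so a VPN client sourced from 10.10.10.x is dropped here no matter what
# is passed further down. It must be removed (untick the WAN option) before
# the pass rule below can ever match. Shown commented out for that reason.
# block in log quick on $wan_if inet from <rfc1918> to any

# Default deny for inbound WAN traffic (no 'quick', so later pass rules win).
block in log on $wan_if all

# The associated filter rule. It lives on WAN, not LAN, matches the
# post-NAT destination, and is restricted to the VPN pool instead of 'any'.
pass in quick on $wan_if inet proto tcp from $vpn_pool to $esxi port 443 keep state
```

                    In the GUI the same pieces are the "Block private networks and loopback addresses" option under Interfaces > WAN, the entry under Firewall > NAT > Port Forwards with "Add associated filter rule" left at its default, and the resulting rule appearing in Firewall > Rules on the WAN tab. To confirm which rule is matching, compare the source and destination in Status > System Logs > Firewall against the loaded ruleset shown by `pfctl -sr` on the pfSense shell.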
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.