Strange VPN Problem - VPN Only Allows Access to PFSense on LAN Subnet
-
The NAT rule should be on the LAN interface. That is where it needs to be applied outbound.
-
Thanks Stephen - I will try this.
Can I ask - why does this just "work" on all my other installs ? :)
-
It will work 'out of the box' as long as the hosts on LAN are able to respond to connections from the tunnel subnet.
If those hosts have an invalid default route they can only respond to connections from inside their own subnet.
If they have any sort of filtering they may block connections from outside their own subnet.
Both are quite common for IoT type devices.
-
@stephenw10 Thanks mate --
We make those IOT devices, and they don't behave like this usually...
Anyway - this PFsense was originally a 2.3 32 bit device, I remapped the ports and moved it to 2.72 - all the VPNs are up and the multi-wan is working all fine.
Maybe this is a hangover from the migration from the old 32bit variant PFsense. XML?
-
It shouldn't be.
Are you policy routing traffic via a gateway group somewhere?
One thing that could be an issue is the negate networks rule. The behaviour of that has changed a few times since 2.0. A very old install might have negated the policy routing automatically but a 2.7.2 install will not. If it is applied to OpenVPN clients for example they will not reach the LAN without a bypass rule.
-
There are static routes - I need to look at these - should be able to do some work on this tomorrow.
Was thinking about virtualising the config - and bashing at it offline trying to suss it.
@Jake-Biker What did you enter here: ?
Here?
-
No policy routing though? No gateway set on any firewall rules?
-
@NightlyShark 192.168.1.0/24
-
Finally got some time to fix these two problems once and for all.
I noticed that I was able to ping some IPs on the LAN Subnet from the VPN.
But not others.
I created a NAT Rule.
Outbound
Interface LAN
IP both
Proto ANY
Source Manually Entered VPN Subnet
Dest LAN Subnets
Translation LAN Address
This works ...
On all IP addresses.
I tested local pings to make sure the gear was really available on ICMP and it was... then I knew I had to fix it.
Thanks Stephen - I don't understand why this works and it didn't from scratch.
But ..all good.
THANKS!
-
Ah, nice. That implies some devices on the LAN are blocking connections from outside their subnet. That's common for Windows firewall for example. The NAT rule makes all connections from VPN clients appear to come from the LAN IP address so hosts allow it.
-
@stephenw10
I need to go on a dang course :) :)
I am great with Virt and Linux and MS - but I suck at firewalls :)
Thanks mate :)
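As an added illustration (not code from the thread or from pfSense), the Python model below shows why Jake's outbound NAT rule (interface LAN, source VPN subnet, destination LAN subnets, translation LAN address) gets replies from hosts that, as Stephen explains, have an invalid default route or filter anything from outside their own subnet. The LAN subnet 192.168.1.0/24 is the one Jake gave; the tunnel subnet 10.0.8.0/24, the pfSense LAN address 192.168.1.1 and the three sample hosts are constructed assumptions.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread): tunnel 10.0.8.0/24 and
# pfSense LAN address 192.168.1.1; the LAN subnet 192.168.1.0/24 is the thread's.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL = ipaddress.ip_network("10.0.8.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")

class LanHost:
    """A LAN host with a route table (prefix -> gateway, None = on-link)
    and an optional host firewall that drops off-subnet sources."""
    def __init__(self, name, addr, routes, allow_offsubnet=True):
        self.name = name
        self.addr = ipaddress.ip_address(addr)
        self.routes = {ipaddress.ip_network(p): g for p, g in routes.items()}
        self.allow_offsubnet = allow_offsubnet

    def can_reply_to(self, src):
        """Can this host route a reply back to src, and does its filter allow it?"""
        src = ipaddress.ip_address(src)
        if not self.allow_offsubnet and src not in LAN:
            return False  # host firewall: only local-subnet peers are allowed
        matches = [p for p in self.routes if src in p]
        if not matches:
            return False  # no route at all (e.g. no default route configured)
        gw = self.routes[max(matches, key=lambda p: p.prefixlen)]  # longest prefix
        if gw is None:
            return True  # on-link: the reply goes straight to the peer
        # A gateway that is not itself on-link is an invalid default route:
        # the host cannot ARP for it, so the reply never leaves the host.
        return any(ipaddress.ip_address(gw) in p for p, g in self.routes.items() if g is None)

def outbound_nat(src, dst):
    """Model of the thread's outbound NAT rule on LAN: source = VPN subnet,
    destination = LAN subnet, translation = the pfSense LAN interface address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return PFSENSE_LAN_IP if src in TUNNEL and dst in LAN else src

def vpn_client_reaches(host, client_ip, nat_rule_enabled):
    """Does a VPN client get a reply from host, with or without the NAT rule?"""
    src = outbound_nat(client_ip, host.addr) if nat_rule_enabled else ipaddress.ip_address(client_ip)
    return host.can_reply_to(src)

# Constructed hosts: one healthy, one with a bogus default gateway, one filtering.
HOSTS = [
    LanHost("nas", "192.168.1.10", {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.1"}),
    LanHost("iot-cam", "192.168.1.20", {"192.168.1.0/24": None, "0.0.0.0/0": "10.99.0.1"}),
    LanHost("win-pc", "192.168.1.30", {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.1"}, allow_offsubnet=False),
]
```

Without the rule only the healthy host answers a client at 10.0.8.5; with it every host sees the source as 192.168.1.1 and answers, which is exactly the "some IPs ping, others don't" symptom from the thread.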