VPN -> LAN (OK) | LAN -> VPN (OFF); I need both working.
-
@BRQ_michael I believe it should pass, because there is a rule to allow everything (LAN).
-
Where are you testing this from? If it's inside one of those aliases you may be policy routing it via the Rede_Wan gateway.
-
@stephenw10 How do I do that?
-
@stephenw10 I do the tests as follows: I connect through the OpenVPN client and try to ping my LAN. XDD
-
I mean when testing the other way, from LAN to OpenVPN: if the client you are testing from on LAN gets policy routed, it will be forced via that gateway and cannot reach the VPN.
So that means whatever is inside the User_Liberados or SiteLiberadosLab aliases.
-
@stephenw10 Whether I am within these rules or not, I cannot ping either the IP that the client got from the other side or the IP of its LAN.
-
What IPs specifically are you trying to ping? I assumed other clients inside the tunnel subnet but do you mean remote subnets behind other clients?
For that to work you need to add routes and iroutes so both pfSense and OpenVPN know where to send traffic.
-
@stephenw10 I'm trying to ping my machine, and even from the firewall itself (the ping option within the firewall). But don't I have to add some static routing and some outbound NAT? If so, how do I do it?
-
What is 'your machine' in this context?
-
@stephenw10 My notebook on the LAN behind pfSense, on the LAN from which I couldn't talk to the OpenVPN clients, although the OpenVPN client can access my machine, ping it, etc.
192.168.140.57
-
And you are trying to ping that from Diag > Ping in pfSense? And it's failing?
Is 192.168.140.57 in either of those aliases?
What remote client IP are you trying to connect to from the notebook?
-
@stephenw10
Exactly, I'm trying to ping from my notebook (192.168.140.57) and from pfSense (192.168.140.1), and the ping doesn't work, both for the IP that the client got from the VPN and for the client's LAN. 192.168.140.57 was in the aliases, but I removed it, and it still didn't work, whether or not it was in the aliases.
50.50.50.2/32 (OpenVPN client) or 192.168.100.1 (local LAN of the OpenVPN client)
-
Ok. So you should be able to ping the VPN client IP in the tunnel subnet, but the client itself would have to allow it. Is that also pfSense? If so you would need a firewall rule there.
To ping a subnet behind the client you need routes and iroutes. That means adding them as remote networks in the server setup and adding Client Specific Overrides for the client with that subnet defined:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#create-client-specific-overrides
Steve
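As an added illustration (not part of the original post, and not pfSense's generated config), this is the OpenVPN configuration that the "Remote Networks" field plus a Client Specific Override produce on the server side. The addresses come from the thread; the tunnel network 50.50.50.0/24, the client LAN mask /24 and the client certificate CN `laptop-client` are assumptions:

```conf
# --- Server config (what "IPv4 Remote Networks" in the pfSense server settings generates) ---
# Kernel route: packets for the subnet behind the client are sent into the tun interface.
# Without this, pfSense forwards 192.168.100.0/24 out its WAN gateway instead.
server 50.50.50.0 255.255.255.0
route 192.168.100.0 255.255.255.0

# Push the pfSense LAN to every client so the client sends return traffic into the tunnel.
push "route 192.168.140.0 255.255.255.0"

# Client-specific overrides live in a directory, one file per certificate common name.
client-config-dir /var/etc/openvpn/server1/ccd

# --- ccd/laptop-client (what a Client Specific Override with "IPv4 Remote Networks" generates) ---
# iroute tells OpenVPN itself which connected client owns that subnet; the kernel route
# above only gets traffic as far as the tun interface, iroute picks the client.
# Assumed CN "laptop-client"; the file name must match the client certificate CN exactly.
iroute 192.168.100.0 255.255.255.0
```

Two checks worth doing after adding these: the `route` without the matching `iroute` is the classic mistake, and the server log then shows "MULTI: bad source address from client" for packets coming from 192.168.100.x. And the route only helps if the client end actually forwards traffic; a plain client machine that is not configured as a router will answer on its tunnel address (50.50.50.2) but never pass packets on to 192.168.100.0/24, which is the question raised later in the thread.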
-
@stephenw10 Okay, but I don't want the clients to be visible on my network just for ping; I need them to be able to do everything, from ping to remote access, everything in fact.
-
@BRQ_michael But this step-by-step is only for the case where pfSense is a client of another OpenVPN server, no?
-
No, that's the server side for an SSL/TLS site-to-site, which is what you have.
Is the client end here also pfSense?
-
@stephenw10 No, it's a computer
-
So how is it routing traffic from the subnet behind it? You enabled some software routing on the 'computer'?
-
@stephenw10 I don't understand the question, sorry. I'm on a computer on the pfSense local network, and that's why I can access it. To test, I disconnect from the company's LAN, connect through my cell phone's data and run the tests while connected to OpenVPN. If that is what you wanted to know, I ended up not understanding the question.
-
You said you need to be able to access the VPN clients from LAN; is that not true?