Netgate Discussion Forum

Openvpn tap cannot access LAN

OpenVPN
7 Posts 2 Posters 371 Views
darker, Jul 16, 2024, 1:11 PM (last edited by darker Jul 16, 2024, 1:12 PM)

    I created an OpenVPN server with tap, but it can only ping the gateway (pfSense) and not any local devices. The local devices cannot ping the OpenVPN tap clients either.

    It does work in TUN, but I need the broadcast domain.

    The VPN clients do get an IP from pfSense, but no matter what I change they can't access any LAN hosts (I don't really understand what I would need these settings for if the bridge is doing all the "heavy lifting"?). [screenshots]

    I made a floating firewall rule to allow everything, but the VPN clients still can't access/ping the LAN hosts.

    Actual host in LAN (10.10.30.11): [screenshot]

    VPN Client (10.10.30.10): [screenshots]

    viragomann @darker, Jul 16, 2024, 1:50 PM

      @darker said in Openvpn tap cannot access LAN:

      I made a floating firewall rule to allow everything

      On the VPN interface?

      darker @viragomann, Jul 17, 2024, 9:23 AM (last edited by darker Jul 17, 2024, 9:30 AM)

        @viragomann on the "any" interface [screenshot]

        I also added a rule to allow everything on the tap, OpenVPN and LAN interface, and they still can't ping each other.

        This is very confusing to me since it can load the pfSense web configurator perfectly.

        It's like the bridge between LAN and the tap interface is not working. Maybe allowing everything to everywhere is a mistake and the packets are going where they shouldn't, and it somehow only works VPN client <-> pfSense?

        viragomann @darker, Jul 17, 2024, 10:15 AM

          @darker
          How did you configure the bridge?
          Did you enable it and assign an IP?

          darker @viragomann, Jul 17, 2024, 10:47 AM (last edited by darker Jul 17, 2024, 10:50 AM)

            @viragomann I did not set the bridge up. [screenshot]

            Thinking about how bridges work, it should have the .1 IP, not .12. What about the LAN interface? [screenshots]

            I tried to fix it, but it's still not working. [screenshots]

            I moved the DHCP server to the bridge interface, but no host is getting addresses now.

            viragomann @darker, Jul 17, 2024, 10:55 AM

              @darker
              Basically when bridging an interface to LAN, you should take over all the network settings to the bridge interface.

              To avoid losing access to the pfSense web GUI, enable the bridge interface and give it a free IP in the LAN subnet, which you then connect to with your browser.

              Disable DHCP on LAN and then set the LAN IP setting to none.
              Now you can change the bridge IP to the former LAN IP, set the correct mask and configure the DHCP on the bridge after.

              darker @darker, Jul 17, 2024, 11:33 AM
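A small added check for the bridge layout viragomann describes above, written for this thread and not taken from the forum or from pfSense itself: it parses FreeBSD-style `ifconfig` output (what pfSense runs underneath) and flags a bridge member that still owns the LAN address, a bridge without an address, or a missing member. Interface names, MAC addresses and the sample output are constructed assumptions.

```python
import re

# Constructed FreeBSD/pfSense-style ifconfig output showing the broken layout from
# this thread: LAN member vmx1 still owns the subnet's .1 address, bridge0 only has .12.
SAMPLE_BEFORE = """\
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:aa:bb:cc
\tinet 10.10.30.1 netmask 0xffffff00 broadcast 10.10.30.255
ovpns1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.10.30.12 netmask 0xffffff00 broadcast 10.10.30.255
\tmember: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: vmx1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

def parse_ifconfig(text):
    """Map each interface to its UP flag, its inet addresses and its bridge members."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=\d+<([^>]*)>", line)
        if head:
            flags = head.group(2).split(",")
            cur = ifaces.setdefault(head.group(1), {"up": "UP" in flags, "inet": [], "members": []})
            continue
        if cur is None:
            continue
        for key, pat in (("inet", r"^\s+inet (\S+)"), ("members", r"^\s+member: (\S+)")):
            m = re.match(pat, line)
            if m:
                cur[key].append(m.group(1))
    return ifaces

def check_bridge(text, bridge, expected_members):
    """Return findings; an empty list means the addressing matches the advice above."""
    ifaces = parse_ifconfig(text)
    br = ifaces.get(bridge)
    if br is None:
        return [f"{bridge} does not exist"]
    findings = []
    if not br["up"]:
        findings.append(f"{bridge} is not UP")
    if not br["inet"]:
        findings.append(f"{bridge} has no IPv4 address; move the LAN IP here")
    for name in expected_members:
        if name not in br["members"]:
            findings.append(f"{name} is not a member of {bridge}")
        elif ifaces.get(name, {}).get("inet"):
            findings.append(f"member {name} still has IP {ifaces[name]['inet'][0]}; set it to none")
    return findings
```

Feed it the real `ifconfig` output from the pfSense shell and the expected member list (the LAN NIC and the `ovpns` tap interface) to confirm the settings were moved over completely.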

                Apparently the ESXi vSwitch was blocking the bridge interface on the LAN and only the VPN clients were getting IPs. I disabled all the security features on the vSwitch and LAN, and it's all working now.

                Thank you, @viragomann

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.