Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Openvpn tap cannot access LAN

    OpenVPN
    2
    7
    265
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      darker
      last edited by darker

      I created an OpenVPN server with tap, but it can only ping the gateway (pfSense) and not any local devices. The local devices can neither ping the OpenVPN tap clients.

      It does work in TUN, but I need the broadcast domain.

      The VPN clients do get an IP from pfSense, but no matter what I change they can't access any LAN hosts (I don't really understand what would I need these settings for if the bridge is doing all the "heavy lifting"?).
      b2f998c2-a074-466f-96ad-09bb35e9384c-image.png

      574d1a71-b5e1-42ec-9c1b-8f38610abcde-image.png

      I made a floating firewall rule to allow everything, but the VPN clients still can't access/ping the LAN hosts.

      Actual host in LAN (10.10.30.11):
      57075505-4df9-486f-afef-ec4ebedde8ed-image.png

      VPN Client (10.10.30.10):
      35d6b598-ac2f-4cc3-b789-a1d5c73a57cd-image.png
      457b3bd4-3377-4844-971c-8f467e4aaf30-image.png

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @darker
        last edited by

        @darker said in Openvpn tap cannot access LAN:

        I made a floating firewall rule to allow everything

        On the VPN interface?

        D 1 Reply Last reply Reply Quote 0
        • D
          darker @viragomann
          last edited by darker

          @viragomann on the "any" interface
          516988be-9f5a-4bcd-98ee-49828ed20ea1-image.png

          I also added a rule to allow everything on the tap, OpenVPN and LAN interface, and they still can't ping each other.

          This is very confusing to me since it can perfectly load the pfSense web configurator.

          It's like the bridge between LAN and the tap interface is not working. Maybe allowing everything to everywhere is a mistake and the packets are going where they shouldn't, and it somehow only works VPN client <-> pfSense?

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @darker
            last edited by

            @darker
            How did you configure the bridge?
            Did you enable it and assign an IP?

            D 1 Reply Last reply Reply Quote 0
            • D
              darker @viragomann
              last edited by darker

              @viragomann I did not set the bridge up.

              a586ec3b-3c33-4337-bacf-56ad811513a5-image.png

              Thinking about how bridges work, it should have the .1 IP not .12. What about the LAN interface?
              ee3c6d21-0432-43d4-aa50-d9f8e54a589c-image.png
              b5b6d35d-0b3f-4b5c-bb15-a385e07c0332-image.png

              I tried to fix it, but it's still not working
              1456caa5-a5ed-45c8-b83e-35a69f18f25b-image.png
              1e5b11dc-b137-46e5-bf40-75b8ac066fec-image.png

              843946e3-cd2f-4d86-8fbd-fe158f28233d-image.png
              5265fe9e-4b22-479e-a369-64b8bf977131-image.png

              I moved the DHCP server to the bridge interface, but no host is getting addresses now.

              V D 2 Replies Last reply Reply Quote 0
              • V
                viragomann @darker
                last edited by

                @darker
                Basically when bridging an interface to LAN, you should take over all the network settings to the bridge interface.

                To avoid loosing access to the pfSense web GUI, enable the bridge interface and give it a free IP in the LAN subnet, which you connect to with your browser then.

                Disable DHCP on LAN and then set the LAN IP setting to none.
                Now you can change the bridge IP to the former LAN IP, set the correct mask and configure the DHCP on the bridge after.

                1 Reply Last reply Reply Quote 1
                • D
                  darker @darker
                  last edited by

                  Apparently ESXi vSwitch was blocking the bridge interface on the LAN and only the VPN clients were getting IPs I disabled all the security features on the vSwitch and LAN, and it's all working now.

                  Thank you, @viragomann

                  1 Reply Last reply Reply Quote 1
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.