OpenVPN can only connect to HTTPS on gateway
-
@CatSpecial202
Is this pfSense device the default gateway in all VLANs? You say you can ping from one VLAN to the other one? Can you ping any device from a VPN client?
Consider that most devices block access from outside of their own subnet.
-
Yes, I can ping each gateway on each VLAN and also the devices. I was also able to connect to Synology through HTTPS on one of the VLANs.
I cannot ping devices on the VLAN that has firewall HTTPS access. The gateway on this VLAN does respond, however, and I cannot connect to other HTTPS on the same VLAN as the firewall HTTPS.
-
How would the traffic be hitting my switch GUI from the tunnel IP? My switch GUI is accessed from a VLAN. Does the VPN tunnel come out untagged? Can I tag the traffic?
-
@CatSpecial202 said in OpenVPN can only connect to HTTPS on gateway:
I cannot ping devices on the VLAN that has firewall HTTPS access.
Can you be more clear, please? What do you mean by "devices that has firewall HTTPS access"?
The gateway on this vlan does respond however and I cannot connect to other HTTPS on the same VLAN as the firewall https.
With gateway, you mean the interface IP of pfSense, correct?
If you can ping the pfSense interface IP, but not other devices, the reason could be that the devices do not use pfSense as default gateway. That's why I requested this.
But it could also be that the destination devices themselves block access from outside of their subnet.
How would the traffic be hitting my switch GUI from the tunnel IP?
You just need to push the route for this VLAN to the VPN clients by adding the subnet to the "local networks" in the OpenVPN server settings. In case you have "redirect gateway" enabled, this is not necessary.
My switch GUI is accessed from a VLAN. Does the VPN tunnel come out untagged?
No, the tagging is done by pfSense on outgoing traffic on the interface. This has nothing to do with VPN at all.
-
@viragomann I apologize for my poorly worded original explanation, and thank you for helping me out.
Can you be more clear, please? What do you mean by "devices that has firewall HTTPS access"?
The devices whose HTTPS I cannot connect to on the sub-net do respond to ping. The issue is accessing HTTPS on these devices that are on this same sub-net.
The gateway on this VLAN does respond however and I cannot connect to other HTTPS on the same VLAN as the firewall HTTPS.
This particular sub-net that I'm having trouble accessing is my management VLAN. I can access my firewall GUI while connected to OpenVPN on this sub-net which is the gateway address. However, I'm having issues accessing the HTTPS servers that are on this same management sub-net. The gateway (firewall) on the same VLAN is accessible via HTTPS when accessed from the tunnel, so the problem seems specific to these devices.
...that the destination devices themselves block access from outside of their subnet.
Yes, this must be the problem. I tested another HTTPS server last night and I was able to access it from the same sub-net that I cannot access my switch/AP GUIs. The issue seems to stem from accessing my Cisco switches and my Aruba APs.
What do I need to do within these devices to allow access from my OpenVPN tunnel? Is it that the traffic is hitting devices from the tunnel IP?
Thank you for your help!
-
@CatSpecial202 hey there,
It seems then that it is no pfSense-related problem.
You use a tunnel with its own IP range. Your VPN client gets an IP out of that range and tries to connect to, i.e., your Cisco switch.
Did you set your switch so it accepts that IP (range)...?
I use SOHO Cisco. First I desperately tried accessing the management GUI from another VLAN, tried all kinds of rules on pfSense. Well, it had nothing to do with that. Instead, I had to configure those SG 250s the right way.
-
@the-other Okay. That was my thinking. Do you have any links or guides you can recommend on how to set that up? What is the option called in Cisco?
-
@CatSpecial202 well, if (!) I remember correctly, for getting access from another subnet, I had to configure under IP configuration > IPv4 interface...I think. There I gave one of the subnets an IP out of the subnet's range (i.e. VLAN 10, IP 192.168.10.3/24).
If I remember correctly, that was the only way to make the switch reachable from other subnets: giving it an access IP from the needed subnet.
Why would you need to get access to your switch or AP from far away via VPN? Usually those things are configured once and then just run...once in a while an update. Except for business I don't see any use (for my needs)...
-
Another thought came up...
Did you allow access to the switch via HTTPS in the first step? Is it possible at home from the same subnet? Or isn't that working?
-
@CatSpecial202 said in OpenVPN can only connect to HTTPS on gateway:
Yes, this must be the problem. I tested another HTTPS server last night and I was able access it from the same sub-net that I cannot access my switch/AP GUIs. The issue seems to stem from accessing my Cisco switches and my Aruba APs.
Is pfSense the default gateway on these devices?
This was my very first question here, but you didn't clarify.
Are the concerned devices even accessible from another local subnet, presumed you allow it on pfSense?
If not check the network settings on the devices, gateway and network mask.
If the settings are correct and there is no way to allow access from outside on them you can masquerade the traffic on pfSense to circumvent their access restrictions.
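The return-path reasoning above (the pfSense interface answers, the switches and APs do not, because their default gateway is wrong) and the two remedies named in the thread (fix the gateway, or masquerade on pfSense) can be modelled in a few lines. This is an added example, not code from the thread or from pfSense; all addresses are constructed sample values.

```python
# Added example: where does a management-VLAN device's reply to an OpenVPN
# client end up? All addresses below are constructed, not from the thread.
from ipaddress import ip_address, ip_interface, ip_network

PFSENSE_MGMT_IF = ip_interface("192.168.10.1/24")  # pfSense IP on the management VLAN (constructed)
TUNNEL_NET = ip_network("10.8.0.0/24")             # OpenVPN tunnel network (constructed)


def reply_path(device_if, device_gateway, client_ip, masquerade=False):
    """Classify the path of the device's reply to `client_ip`.

    device_if      - device management address with prefix, e.g. "192.168.10.3/24"
    device_gateway - default gateway configured on the device
    client_ip      - source the device sees, i.e. the VPN client's tunnel IP
    masquerade     - True if pfSense outbound NAT rewrites the source to its own IP
    """
    dev = ip_interface(device_if)
    gw = ip_address(device_gateway)
    if ip_address(client_ip) not in TUNNEL_NET:
        raise ValueError("client_ip is not a tunnel address")
    # With outbound NAT on the management interface the device only ever sees
    # pfSense's own address, so the reply is on-link and no gateway is needed.
    src = PFSENSE_MGMT_IF.ip if masquerade else ip_address(client_ip)

    if src in dev.network:
        return "on-link"                         # ARP directly, reply reaches the source
    if gw not in dev.network:
        return "dropped: gateway off-subnet"     # e.g. factory default 10.0.0.1 left in place
    if gw != PFSENSE_MGMT_IF.ip:
        return "misrouted: gateway is not pfSense"
    return "via pfSense"                         # pfSense routes it back into the tunnel


if __name__ == "__main__":
    cases = [
        ("192.168.10.3/24", "10.0.0.1", False),       # gateway never changed from factory default
        ("192.168.10.3/24", "192.168.10.254", False), # gateway points at some other host
        ("192.168.10.3/24", "192.168.10.1", False),   # gateway is pfSense: works
        ("192.168.10.3/24", "10.0.0.1", True),        # wrong gateway, but masqueraded: works
    ]
    for dev_if, gw, nat in cases:
        print(f"{dev_if} gw={gw} nat={nat}: {reply_path(dev_if, gw, '10.8.0.2', nat)}")
```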
-
@viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway; it was still set up to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP, but I guess it wasn't. It's all working now! Thanks!