    Netgate Discussion Forum
    OpenVPN Bridging - Breaks LAN

    spmky:

      Running OpenVPN 1.2.3-RELEASE

      The overview: OpenVPN to bridge road warrior clients into the LAN, dishing out IPs from 10.0.0.200 through 10.0.0.220. The LAN IP is 10.0.0.1/24. When the OpenVPN connection is established, it appears to be bridged to the LAN as expected and works great (Bonjour, OS X environment, etc.).

      The problem: once an OpenVPN client connects, the LAN cannot reach the WAN. DNS appears to be resolving correctly on the LAN, but pings are not making it out. As soon as the OpenVPN client drops the connection, the LAN returns to normal operation and can freely access the WAN.

      Any ideas? I'm probably missing something fundamental. I've been scouring the forums, cobbling together any of the online guides and tutorials, and would like to share the solution with the community.

      Here are the details of the site config:

      Interfaces:
      WAN (fxp1)
      Bridge learning
      LAN (fxp0)
      IP address 10.0.0.1/24
      Bridge learning
      TAP0 (tap0)
      Bridge learning

      OpenVPN
      Protocol TCP
      Dynamic IP (unchecked)
      Local Port 1194
      Address pool 10.0.0.0/24
      Use Static IPs checked
      Local Network 10.0.0.0/24
      Remote Network (blank)
      Client-to-client VPN (blank)
      Authentication method PKI

      Certs etc. all verified to be working

      DHCP-Opt.: DNS-Domainname (blank)
      DHCP-Opt.: DNS-Server 10.0.0.1
      DHCP-Opt.: WINS-Server (blank)
      DHCP-Opt.: NBDD-Server (blank)
      DHCP-Opt.: NTP-Server (blank)
      DHCP-Opt.: NetBIOS node (none)
      DHCP-Opt.: NetBIOS Scope (blank)
      DHCP-Opt.: Disable NetBIOS (blank)
      LZO compression (checked)
      Custom options dev tap0 255.255.255.0; server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.220
      Description Orbit-OpenVPN

      Config.xml:
      The following lines were added to config.xml as per the bridging guide:

      <earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
      <earlyshellcmd>ifconfig bridge0 addm fxp0 up</earlyshellcmd>
      <shellcmd>ifconfig bridge0 addm tap0</shellcmd>

      System Logs:
      Here are some possibly related errors

      routed[1109]: possible netmask problem between tap0:10.0.0.0 (mask 0xa000002) and fxp0:10.0.0.0/24
      routed[1109]: possible netmask problem between tap0:10.0.0.0 (mask 0xa000002) and lo0:127.0.0.1/32
      kernel: arplookup 0.0.0.0 failed: host is not on local network

      OpenVPN Log:
      openvpn[480]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)

      (I can't see where the word 'netmask' is dropping into this command anywhere in the config)

      openvpn[480]: /sbin/ifconfig tap0 10.0.0.1 netmask 10.0.0.2 mtu 1500 up
      openvpn[480]: /etc/rc.filter_configure tap0 1500 1576 10.0.0.1 10.0.0.2 init

      (I have no idea where the '10.0.0.2' is coming from, searching the config.xml doesn't return anything.)

      Reports from ifconfig:

      $ ifconfig bridge0

      bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              ether xx:53:87:15:87:cf
              id xx:d0:c9:69:44:43 priority 32768 hellotime 2 fwddelay 15
              maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
              root id xx:d0:c9:69:44:43 priority 32768 ifcost 0 port 0
              member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                      ifmaxaddr 0 port 10 priority 128 path cost 2000000
              member: fxp1 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                      ifmaxaddr 0 port 2 priority 128 path cost 200000 proto rstp
                      role designated state forwarding
              member: fxp0 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                      ifmaxaddr 0 port 1 priority 128 path cost 200000 proto rstp
                      role designated state forwarding

      And finally some firewall rules:

      LAN
              Default LAN -> any

      TAP0

      WAN
              TCP/UDP * * * 1194 * OpenVPN
              TCP * * * 80 *

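The post above pastes enough raw output (the bridge0 member list, the ifconfig command OpenVPN logged, and the custom server-bridge options) to check the bridge setup mechanically. The following script is an added example and is not code from the post, from pfSense or from OpenVPN. It re-reads those pasted values and applies the checks a reviewer would make: whether the WAN interface has ended up in the same bridge as the LAN, whether the second argument given to ifconfig for the tap device is actually a netmask (the warning in the OpenVPN log is about exactly that), and whether the server-bridge gateway and pool sit inside the LAN subnet. The interface roles (fxp0 = LAN, fxp1 = WAN, tap0 = OpenVPN) and the LAN network 10.0.0.0/24 are taken from the post's Interfaces section; the sample strings are copied from the post and abbreviated. On the posted output it reports two findings: fxp1 is a bridge member alongside fxp0 and tap0, and tap0 was given 10.0.0.2 as its "netmask".

```python
"""Configuration audit for an OpenVPN tap bridge on pfSense/FreeBSD.

Added example, not code from the original post or from pfSense/OpenVPN.
It re-reads the ifconfig output, the OpenVPN log line and the custom
options quoted in the post and reports what a reviewer would flag.
Interface roles (fxp0 = LAN, fxp1 = WAN, tap0 = OpenVPN) and the LAN
subnet 10.0.0.0/24 are taken from the post's Interfaces section.
"""
import ipaddress
import re

# Constructed copies (abbreviated) of the relevant lines from the post.
BRIDGE0_IFCONFIG = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 10
        member: fxp1 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP> ifmaxaddr 0 port 2
        member: fxp0 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP> ifmaxaddr 0 port 1
"""
OPENVPN_IFCONFIG_LOG = "/sbin/ifconfig tap0 10.0.0.1 netmask 10.0.0.2 mtu 1500 up"
CUSTOM_OPTIONS = ("dev tap0 255.255.255.0; "
                  "server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.220")

LAN_IF, WAN_IF, VPN_IF = "fxp0", "fxp1", "tap0"   # roles per the post
LAN_NET = ipaddress.IPv4Network("10.0.0.0/24")    # LAN 10.0.0.1/24


def bridge_members(ifconfig_text):
    """Return the member interfaces listed in `ifconfig bridgeN` output."""
    return re.findall(r"^\s*member:\s+(\S+)", ifconfig_text, re.MULTILINE)


def is_valid_netmask(mask):
    """True if `mask` is a contiguous run of 1 bits followed by 0 bits."""
    n = int(ipaddress.IPv4Address(mask))
    inverted = ~n & 0xFFFFFFFF           # 0...01...1 for a valid mask
    return (inverted & (inverted + 1)) == 0


def parse_ifconfig_cmd(cmd):
    """Pull (device, address, netmask) out of the ifconfig command OpenVPN logged."""
    m = re.search(r"ifconfig\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", cmd)
    if not m:
        raise ValueError("unrecognised ifconfig command: %r" % cmd)
    return m.group(1), m.group(2), m.group(3)


def parse_server_bridge(custom_options):
    """Return (gateway, netmask, pool_start, pool_end) from a server-bridge directive."""
    for directive in custom_options.split(";"):
        parts = directive.split()
        if parts and parts[0] == "server-bridge" and len(parts) == 5:
            return tuple(parts[1:])
    raise ValueError("no complete server-bridge directive found")


def audit(bridge_text, ifconfig_cmd, custom_options, lan_if, wan_if, vpn_if, lan_net):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    findings = []

    members = bridge_members(bridge_text)
    if wan_if in members:
        findings.append(f"{wan_if} (WAN) is a member of the bridge together with {lan_if}; "
                        "LAN and WAN are in a single layer-2 domain")
    for required in (lan_if, vpn_if):
        if required not in members:
            findings.append(f"{required} is not a bridge member")

    dev, addr, mask = parse_ifconfig_cmd(ifconfig_cmd)
    if not is_valid_netmask(mask):
        findings.append(f"{dev} was configured with netmask {mask}, which is not a netmask "
                        "(a tun-style 'local remote' ifconfig applied to a tap device)")
    if ipaddress.IPv4Address(addr) not in lan_net:
        findings.append(f"{dev} address {addr} is outside {lan_net}")

    gw, sb_mask, start, end = parse_server_bridge(custom_options)
    if ipaddress.IPv4Network(f"{gw}/{sb_mask}", strict=False) != lan_net:
        findings.append(f"server-bridge {gw}/{sb_mask} does not describe the LAN {lan_net}")
    pool_lo, pool_hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if pool_lo > pool_hi or pool_lo not in lan_net or pool_hi not in lan_net:
        findings.append(f"server-bridge pool {start}-{end} is not inside {lan_net}")
    return findings


def audit_posted_config():
    """Run the audit over the values quoted in the post."""
    return audit(BRIDGE0_IFCONFIG, OPENVPN_IFCONFIG_LOG, CUSTOM_OPTIONS,
                 LAN_IF, WAN_IF, VPN_IF, LAN_NET)


if __name__ == "__main__":
    for finding in audit_posted_config():
        print("-", finding)
```

To use it on a live box, replace the three sample strings with the output of `ifconfig bridge0`, the `/sbin/ifconfig tap0 ...` line from the OpenVPN log, and the custom options field, and adjust the interface names and LAN network to match the Interfaces page.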
      spmky (follow-up):

        A follow up on this:

        Scrapped bridging for now - followed the tip on enabling the Avahi package and I've got the functionality I was looking for.

        http://forum.pfsense.org/index.php/topic,22561.0.html

        Hope this helps others out there - Thank you!
