OpenVPN Bridging - Breaks LAN
Running OpenVPN 1.2.3-RELEASE
The overview: OpenVPN to bridge in road warrior clients to the LAN, dishing out IPs starting at 10.0.0.200 through 10.0.0.220. The LAN IP is 10.0.0.1/24. When OpenVPN connection is established, it appears to be bridged to the LAN as expected and works great (Bonjour, OSX environment, etc).
The problem: Once an OpenVPN client connects, the LAN cannot reach the WAN. DNS appears to be resolving correctly on the LAN, but pings are not making it out. As soon as the OpenVPN client drops the connection, the LAN returns to normal operation and can freely access the WAN.
Any ideas? I'm probably missing something fundamental. I've been scouring the forums, cobbling together any of the online guides and tutorials, and would like to share the solution with the community.
Here are the details of the site config:
Interfaces:
WAN (fxp1): Bridge learning
LAN (fxp0): IP address 10.0.0.1/24, Bridge learning
TAP0 (tap0): Bridge learning
OpenVPN:
Protocol: TCP
Dynamic IP: (unchecked)
Local Port: 1194
Address pool: 10.0.0.0/24
Use Static IPs: checked
Local Network: 10.0.0.0/24
Remote Network: (blank)
Client-to-client VPN: (blank)
Authentication method: PKI (certs etc. all verified to be working)
DHCP-Opt.: DNS-Domainname: (blank)
DHCP-Opt.: DNS-Server: 10.0.0.1
DHCP-Opt.: WINS-Server: (blank)
DHCP-Opt.: NBDD-Server: (blank)
DHCP-Opt.: NTP-Server: (blank)
DHCP-Opt.: NetBIOS node: (none)
DHCP-Opt.: NetBIOS Scope: (blank)
DHCP-Opt.: Disable NetBIOS: (blank)
LZO compression: (checked)
Custom options: dev tap0 255.255.255.0; server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.220
Description: Orbit-OpenVPN
Config.xml:
The following lines were added to the config.xml as per the bridging guide:
<earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
<earlyshellcmd>ifconfig bridge0 addm fxp0 up</earlyshellcmd>
<shellcmd>ifconfig bridge0 addm tap0</shellcmd>
System Logs:
Here are some possibly related errors:
routed[1109]: possible netmask problem between tap0:10.0.0.0 (mask 0xa000002) and fxp0:10.0.0.0/24
routed[1109]: possible netmask problem between tap0:10.0.0.0 (mask 0xa000002) and lo0:127.0.0.1/32
kernel: arplookup 0.0.0.0 failed: host is not on local network
OpenVPN Log:
openvpn[480]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
(I can't see where the word 'netmask' is dropping into this command anywhere in the config.)
openvpn[480]: /sbin/ifconfig tap0 10.0.0.1 netmask 10.0.0.2 mtu 1500 up
openvpn[480]: /etc/rc.filter_configure tap0 1500 1576 10.0.0.1 10.0.0.2 init
(I have no idea where the '10.0.0.2' is coming from; searching the config.xml doesn't return anything.)
Reports from ifconfig:
$ ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether xx:53:87:15:87:cf
        id xx:d0:c9:69:44:43 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id xx:d0:c9:69:44:43 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 2000000
        member: fxp1 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 200000 proto rstp
                role designated state forwarding
        member: fxp0 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 200000 proto rstp
                role designated state forwarding
And finally some Firewall Rules:
(columns: Proto, Source, Port, Destination, Port, Gateway, Description)
LAN:
Default LAN -> any
TAP0:
Default LAN -> any
WAN:
TCP/UDP * * * 1194 * OpenVPN
TCP * * * 80 *
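A small checker, added here as an example and not part of the original post or of pfSense/OpenVPN, that runs three consistency checks over lines copied from the post above: whether the `server-bridge` arguments agree with each other (valid netmask, gateway and pool inside the subnet, gateway outside the pool), whether the value OpenVPN logged after `netmask` for tap0 is actually a netmask (the WARNING above is about exactly that: in tap mode the second `--ifconfig` argument is a netmask, in tun mode it is the peer address), and whether the bridge member list contains the interface the post identifies as WAN (fxp1), since a bridge that joins WAN and LAN puts both on one layer-2 segment. The sample lines are constructed from the post; the only assumption is that fxp1 is the WAN interface, as the post's interface list states.

```python
"""Consistency checks for a bridged (tap) OpenVPN setup.

Added example, not pfSense or OpenVPN code.  The sample lines below are
constructed from the post above; the only assumption is that fxp1 is the
WAN interface, as the post's interface list states.
"""
import ipaddress
import re

# Constructed samples taken from the post.
CUSTOM_OPTIONS = ("dev tap0 255.255.255.0; "
                  "server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.220")
LOGGED_IFCONFIG = "openvpn[480]: /sbin/ifconfig tap0 10.0.0.1 netmask 10.0.0.2 mtu 1500 up"
BRIDGE_OUTPUT = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: fxp1 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
        member: fxp0 flags=1e7<LEARNING,DISCOVER,STP,EDGE,AUTOEDGE,PTP,AUTOPTP>
"""
WAN_INTERFACES = {"fxp1"}  # assumption: WAN is fxp1, per the post


def is_valid_netmask(mask: str) -> bool:
    """True only for a contiguous netmask such as 255.255.255.0."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    host_bits = ~bits & 0xFFFFFFFF      # must be of the form 2**k - 1
    return host_bits & (host_bits + 1) == 0


def check_server_bridge(options: str) -> list:
    """Validate 'server-bridge GATEWAY NETMASK POOL_START POOL_END'."""
    m = re.search(r"server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", options)
    if not m:
        return ["no server-bridge directive found"]
    gw, mask, start, end = m.groups()
    if not is_valid_netmask(mask):
        return [f"server-bridge netmask {mask} is not a netmask"]
    net = ipaddress.IPv4Network((gw, mask), strict=False)
    gw_a, start_a, end_a = (ipaddress.IPv4Address(x) for x in (gw, start, end))
    findings = [f"{label} {addr} is outside {net}"
                for label, addr in (("gateway", gw_a), ("pool start", start_a),
                                    ("pool end", end_a)) if addr not in net]
    if start_a > end_a:
        findings.append(f"pool start {start} is after pool end {end}")
    elif start_a <= gw_a <= end_a:
        findings.append(f"gateway {gw} lies inside the client pool")
    return findings


def check_logged_ifconfig(log_line: str) -> list:
    """Flag an 'ifconfig DEV ADDR netmask X' line whose X is not a netmask."""
    m = re.search(r"ifconfig\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", log_line)
    if not m:
        return []
    dev, addr, mask = m.groups()
    if is_valid_netmask(mask):
        return []
    # In tap mode the second --ifconfig argument is a netmask; an address
    # here is the tun-style form (local, peer) applied to a tap interface.
    return [f"{dev}: 'netmask {mask}' is an address, not a netmask "
            f"(tun-style --ifconfig {addr} {mask} on a tap device)"]


def bridge_members(ifconfig_output: str) -> list:
    """Return the member interfaces listed in 'ifconfig bridgeN' output."""
    return re.findall(r"member:\s+(\S+)", ifconfig_output)


def check_bridge_members(ifconfig_output: str, wan=WAN_INTERFACES) -> list:
    """A LAN/tap bridge must contain tap0 and must not contain the WAN."""
    members = bridge_members(ifconfig_output)
    findings = [f"WAN interface {w} is a bridge member: WAN and LAN now share "
                f"one layer-2 segment" for w in sorted(wan) if w in members]
    if "tap0" not in members:
        findings.append("tap0 is not a bridge member")
    return findings


def run_all() -> dict:
    """Run every check over the sample lines and return findings per check."""
    return {"server-bridge": check_server_bridge(CUSTOM_OPTIONS),
            "ifconfig": check_logged_ifconfig(LOGGED_IFCONFIG),
            "bridge": check_bridge_members(BRIDGE_OUTPUT)}


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"{check}: {'ok' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

On the post's own lines the `server-bridge` check passes, the logged `netmask 10.0.0.2` is flagged as an address rather than a netmask, and fxp1 is flagged as a bridge member. The checks only read text, so they can be pointed at any saved `ifconfig` output or OpenVPN log before and after a configuration change.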
A follow up on this:
Scrapped bridging for now - followed the tip on enabling the Avahi package and I've got the functionality I was looking for.
http://forum.pfsense.org/index.php/topic,22561.0.html
Hope this helps others out there - Thank you!