PfSense to TomatoVPN routing issue. SOLVED!



  • Thanks to this great guide here, I've configured pfSense/OpenVPN at work and connected to it from home via TomatoVPN in a site-to-site configuration.

    The pfSense machine is not and cannot currently be made the default gateway of the work domain.  That said, the connection is easily made and I can ping, SSH, etc. to the pfSense server from home.  I cannot ping any other machine on the network, nor can the machines at work ping mine at home.  If I change their default gateway to the pfSense we can see each other.  If I add a route to 192.168.1.0 -> 10.1.1.18 (pfSense Internal IP) at the default gateway they can see me but I still can't see them.  It is as if pfSense doesn't know where to send my requests on arrival if it is not the default gateway, even though it's on the same subnet.

    Anyone have any idea on a possible solution?  Any pointers on DNS, etc. would be great, I haven't had a chance to experiment much as I've been stuck here.  Thanks in advance for your time.

    My configuration is as follows: (pfSense Server)
    Protocol:            UDP
    Dynamic IP:        Checked
    Local Port:         1194
    Address Pool:     10.8.1.0/24
    Client-to-client:  Checked
    Cryptography:     BF-CBC
    Authentication:   (PKI)
    (Keys in place)
    LZO:                 Checked
    Custom Options:  route 192.168.1.0 255.255.255.0;push "route 10.1.0.0 255.255.0.0"
    Desc:                site-to-site
    Client-specific configuration (pfSense Server)
    Common name:    (matches key)
    Custom options:   iroute 192.168.1.0 255.255.255.0
    Desc:                 192.168.1.0/24

    VPN-> Client-> Basic (TomatoVPN client)
    Interface Type:    TUN
    Protocol:             UDP
    Server Addr:        (server's WAN ADDR):1194
    Firewall:              Automatic
    Auth Mode:          TLS
    Extra HMAC:         Disabled
    Nat on tunnel:      Checked
    VPN-> Client-> Advanced (TomatoVPN client)
    Poll:                    0
    Accept DNS Conf:  Disabled
    Encryption:           BF-CBC
    Compression:         Enabled
    ReNego:               -1
    (Keys in Place)

    Firewall Rules:LAN

    • LAN * * * *   Default LAN -> any

    Firewall Rules:WAN
    UDP * * * 194 *



  • I've solved my own problem.

    The REAL default gateway at work needed a route added for the ADDRESS POOL, not the client side's LAN.  Using a route for the client side's LAN allowed them to see me, but not respond to me.

    Hope this helps anyone else attempting to configure a similar setup.
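A small routing model of the topology described in the two posts above, added here as an illustration and not part of the original thread or of pfSense/TomatoVPN. It uses the addresses the posts give (pfSense LAN 10.1.1.18, address pool 10.8.1.0/24, home LAN 192.168.1.0/24) and makes up the rest (work gateway 10.1.1.1, work host 10.1.1.50, home host 192.168.1.10, client tunnel address 10.8.1.6). Its one behavioural assumption is what "NAT on tunnel: Checked" implies on the Tomato side: flows the home LAN initiates leave the tunnel with the client's pool address as source, while replies to flows initiated from work keep their original addresses. Under that assumption the model reproduces the symptom (a client-LAN route on the work gateway lets work reach home but not the reverse) and the fix (a route for the address pool). It also assumes the earlier 192.168.1.0/24 route stays in place for work-initiated traffic, which the solution post does not say either way.

```python
import ipaddress

# Addresses from the thread: pfSense LAN 10.1.1.18, pool 10.8.1.0/24,
# home LAN 192.168.1.0/24.  Everything marked "constructed" is made up
# for the model and does not come from the posts.
PFSENSE_LAN = ipaddress.ip_address("10.1.1.18")
WORK_GW = ipaddress.ip_address("10.1.1.1")        # constructed: real default gateway
WORK_HOST = ipaddress.ip_address("10.1.1.50")     # constructed
HOME_HOST = ipaddress.ip_address("192.168.1.10")  # constructed
TOMATO_TUN = ipaddress.ip_address("10.8.1.6")     # constructed: client's pool address
WORK_SUBNET = ipaddress.ip_network("10.1.1.0/24")
TUN_POOL = ipaddress.ip_network("10.8.1.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# The two candidate static routes for the work gateway discussed in the
# thread, as (prefix, next hop) pairs.
ROUTE_CLIENT_LAN = (HOME_LAN, PFSENSE_LAN)
ROUTE_POOL = (TUN_POOL, PFSENSE_LAN)


def gateway_next_hop(gw_routes, dst):
    """Longest-prefix match over the work gateway's static routes.
    None means the packet falls to the gateway's default route (the
    internet) and never comes back."""
    best = None
    for prefix, nexthop in gw_routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def home_to_work(gw_routes, nat_on_tunnel=True):
    """Home host pings a work host.  Returns 'ok' or where the exchange dies."""
    # Assumption: with NAT on tunnel enabled, Tomato masquerades flows that
    # the home LAN initiates, so the request arrives with the pool address.
    src = TOMATO_TUN if nat_on_tunnel else HOME_HOST
    # Request: tunnel -> pfSense -> on-link delivery to the work host.
    # Reply: the work host answers `src`; it is not on-link, so the reply
    # goes to the real default gateway, which must know the way back.
    if src in WORK_SUBNET:
        return "ok"
    if gateway_next_hop(gw_routes, src) != PFSENSE_LAN:
        return f"reply to {src} dropped at work gateway: no route via pfSense"
    # pfSense: pool addresses live on its tun interface and the home LAN is
    # reachable through the client's iroute, so either source enters the tunnel.
    return "ok"


def work_to_home(gw_routes):
    """Work host pings the home host."""
    if gateway_next_hop(gw_routes, HOME_HOST) != PFSENSE_LAN:
        return f"request to {HOME_HOST} dropped at work gateway: no route via pfSense"
    # pfSense matches iroute 192.168.1.0/24 and sends the request down the
    # tunnel.  Assumption: the reply is an established flow on Tomato, so it
    # is not masqueraded, and pfSense delivers it on-link to the work host.
    return "ok"


if __name__ == "__main__":
    scenarios = [("client LAN only", [ROUTE_CLIENT_LAN]),
                 ("pool only", [ROUTE_POOL]),
                 ("both", [ROUTE_CLIENT_LAN, ROUTE_POOL])]
    for label, routes in scenarios:
        print(f"{label:16} home->work: {home_to_work(routes)}")
        print(f"{label:16} work->home: {work_to_home(routes)}")
```

Running it prints the three scenarios; the "client LAN only" row shows work->home succeeding and home->work dying at the gateway, which is exactly the symptom in the first post. The model also shows the alternative the thread did not take: with NAT on tunnel disabled the client-LAN route alone would have carried both directions, because replies would then be addressed to 192.168.1.x rather than to the pool address.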

