OpenVPN Access to LAN Question
I've followed the various tutorials on setting up an openvpn server/client with pfsense, and I'm almost there.. but I have a few questions.
OpenVPN Clients: 192.168.200.0/24
The vpn clients can access the DMZ servers fine, but cannot access anything on the LAN (windows shares, rdp, etc). I have the following routes being pushed down from the server:
Destination Mask Gateway Interface
10.10.10.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.1.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.200.1 255.255.255.255 192.168.200.5 192.168.200.6
I have NetBIOS unchecked, which should allow for share access, but I get "host not found" (even though I know the remote 10.10.10.x system is online).
Oddly enough, I can access the pfSense firewall on 10.10.10.1; I just can't seem to access anything beyond that. I don't have any specific rules on either the DMZ or LAN interface (based on what I read, I shouldn't need to, as VPN clients are allowed full access automatically).
Am I missing something here?
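As an added diagnostic example (not from the thread or from pfSense), this parses the pushed route table quoted above and does a longest-prefix lookup for a few hosts, to confirm whether the client would even send the traffic into the tunnel; the sample hosts are constructed:

```python
import ipaddress

# Route table as pushed to the OpenVPN client (copied from the post above);
# the last column is the client's own tunnel address.
PUSHED_ROUTES = """\
Destination Mask Gateway Interface
10.10.10.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.1.0 255.255.255.0 192.168.200.5 192.168.200.6
192.168.200.1 255.255.255.255 192.168.200.5 192.168.200.6
"""

# Tunnel-side gateway from the same table (assumption: all tunnel routes use it).
TUNNEL_GATEWAY = "192.168.200.5"


def parse_routes(text):
    """Turn the 'Destination Mask Gateway Interface' table into
    (network, gateway) pairs, skipping the header line."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, mask, gw, _iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw))
    return routes


def lookup(routes, host):
    """Longest-prefix match: the gateway the client would use for host,
    or None when no pushed route covers it (the packet would then follow
    the client's default route and never enter the tunnel)."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def routed_via_tunnel(routes, hosts):
    """Per host: True if the pushed routes send it through the tunnel.
    A host that is routed but still unreachable points away from client
    routing and toward firewall rules or name resolution on the pfSense side."""
    return {h: lookup(routes, h) == TUNNEL_GATEWAY for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts: a LAN host, a DMZ host, an uncovered subnet.
    print(routed_via_tunnel(parse_routes(PUSHED_ROUTES),
                            ["10.10.10.20", "192.168.1.20", "192.168.2.5"]))
```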
Can you ping any 10.10.10.x host via the VPN?
Nope. Just the gateway.
So you have set 192.168.1.0/24 (your DMZ area) as "local network" in the OpenVPN configuration form, and configured the route for your LAN using the advanced configuration field.
I have a similar configuration working.
Other subnets in the LAN: 192.168.1.x, 192.168.2.x, 192.168.3.x ...
Using OpenVPN I can successfully connect to all of these LANs.
I just configured OpenVPN in pfSense and opened the port on the firewall. No need to create static routes or firewall rules; just configure 192.168.100.0/24 as "local network" and add a push command like this in "advanced configuration" under the OpenVPN config in pfSense:
push "route 192.168.3.0 255.255.255.0";
I'm using pfSense 2.0 RC1; I was not able to make this work with version 1.2.3.
Hope this can help you.
Ah. Interesting. I'm using 1.2.3 which might be why. I've also had my 'local network' set to the 10.10.10.0/24 network space and only did a custom route to the DMZ (via push as well as manually on the client via route add). I'm wondering if there's a limitation with 1.2.3 which prevents LAN access.
Maybe 1.2.3 requires a firewall rule?
If so, what would that rule look like?
You should permit connections from your VPN to your DMZ.
If your DMZ is connected on the LAN interface, create a rule on the LAN interface that permits all traffic from 192.168.200.0/24.
That's what I thought, too. I added a rule on the LAN interface to allow any/any from 192.168.200.0/24, but to no avail. As the DMZ network is reachable as-is (192.168.200.0/24 (VPN) has access to 192.168.1.0/24 (DMZ) already), I suspect I only need to focus on LAN connectivity from the VPN subnet. Is there anything special I need to do rule-wise on the WAN interface, as that's technically where the VPN is connecting from?
I think you should see only the VPN call on the WAN interface; once the tunnel is created, all communications are between the LAN and VPN interfaces.