OpenVPN behind pfSense 2.0 RC3, issue with access

  • Hi,
I have an OpenVPN server on a VM, behind an appliance with pfSense 2.0 RC3 installed.
    To get it working, I first made NAT rules to publish it.
    Then I added the IP of the VM as a Gateway, and in Routes added a static route for the VPN.
    Last, I adjusted the LAN interface firewall rules.

    The issue is that after I connect successfully, not all resources on the LAN were available.
    For example I can ping a web server but the web site that it is serving is not accessible.
If I try to browse a file share on another server I can’t access it, but again I can ping it successfully.

After a lot of playing around, what did the trick for me was enabling this option:
    Under - System > Advanced > Firewall / NAT
    Static route filtering  | Bypass firewall rules for traffic on the same interface
    This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

    My question is what are the risks with this option enabled?
    Is there some risk on the WAN side?

  • Hi,

Traffic from your openvpn server to your other hosts on the network does not pass your pfsense appliance, since the vpn server has a direct route to the "internal" network.
However, traffic originating from your hosts on the network towards the openvpn client subnet routes via your pfsense appliance, since the hosts on the internal network do not have a specific route to the openvpn client subnet. Therefore traffic arrives and goes out on the LAN interface of your pfsense box. I think you need a rule for that, or enable the option you mention. I have no experience with this kind of setup, but you need a rule like this I think:
    allow source <LAN IP range> destination <LAN IP range> on the LAN interface.

The other approach is to add a static route on the LAN hosts, but it is more work and harder to maintain. To test, you can manually add a route on a LAN host.

Also, only the first packet of any traffic will be directed through your pfsense box. Most operating systems have an "ICMP redirect" implementation, which you might have to enable. This way the host on the LAN network will learn the direct route to the openvpn clients through the openvpn server, bypassing the pfsense box.

I hope this will help you.
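To make the asymmetry described in this reply concrete, here is an added Python model of the routing in the thread (example code, not from either post; all addresses are constructed assumptions). It traces each direction of a VPN-client-to-web-server flow, shows that the pfSense LAN interface forwards only the return traffic (so a stateful filter sees half the connection), and shows that the host-side static route removes the asymmetry.

```python
import ipaddress

# Constructed topology modelling the setup in the thread (all addresses are assumptions,
# not values from the posts): LAN 192.168.1.0/24 with pfSense at .1, the OpenVPN VM at .10
# and a web server at .20; OpenVPN client subnet 10.8.0.0/24 with one client at 10.8.0.6.
LAN = "192.168.1.0/24"
VPN = "10.8.0.0/24"
ADDR = {"client": "10.8.0.6", "openvpn": "192.168.1.10",
        "pfsense": "192.168.1.1", "webserver": "192.168.1.20"}

# Per-node routing tables as (prefix, next_hop); next_hop None means directly connected.
ROUTES = {
    "client":    [("0.0.0.0/0", "openvpn")],                      # everything via the tunnel
    "openvpn":   [(VPN, None), (LAN, None), ("0.0.0.0/0", "pfsense")],
    "pfsense":   [(LAN, None), (VPN, "openvpn")],                 # the static route the OP added
    "webserver": [(LAN, None), ("0.0.0.0/0", "pfsense")],         # default gateway only
}

def next_hop(node, dst):
    """Longest-prefix match over `node`'s routing table; returns a node name or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError("%s has no route to %s" % (node, dst))
    return best[1]

def trace(src, dst):
    """List of nodes a packet from src traverses to reach dst (hop by hop)."""
    path, node = [src], src
    while node != dst:
        hop = next_hop(node, ADDR[dst])
        if hop is None:            # directly connected: deliver to the destination itself
            hop = dst
        if hop in path:
            raise RuntimeError("routing loop at %s" % hop)
        path.append(hop)
        node = hop
    return path

def forwards_both_directions(router, a, b):
    """True only if `router` is on the path for both a->b and b->a (symmetric routing)."""
    return router in trace(a, b)[1:-1] and router in trace(b, a)[1:-1]

def add_static_route(node, prefix, hop):
    """The reply's alternative fix: give a LAN host its own route to the VPN subnet."""
    ROUTES[node].insert(0, (prefix, hop))
```

Before the host route, `trace("webserver", "client")` passes through pfsense while `trace("client", "webserver")` does not; after `add_static_route("webserver", VPN, "openvpn")` neither direction touches pfsense.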
