Netgate Discussion Forum
    OpenVPN behind pfSense 2.0 RC3, issue with access

    General pfSense Questions

    darko-san

      Hi,
      I have an OpenVPN server on a VM, behind an appliance with pfSense 2.0 RC3 installed.
      To get it working, first I’ve made NAT rules to publish it.
      Then I added the IP of the VM as a gateway, and in Routes added a static route for the VPN.
      Last I’ve adjusted the LAN interface firewall rules.

      The issue is that after I connect successfully, not all resources on the LAN are available.
      For example I can ping a web server, but the web site that it is serving is not accessible.
      If I try to browse a file share on another server I can’t access it, but again I can ping it successfully.

      After a lot of playing around, what did the trick for me was enabling this option:
      Under System > Advanced > Firewall / NAT
      Static route filtering | Bypass firewall rules for traffic on the same interface
      This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

      My question is what are the risks with this option enabled?
      Is there some risk on the WAN side?


        hrodenburg

        Hi,

        Traffic from your openvpn server to your other hosts on the network does not pass your pfsense appliance, since the vpn server has a direct route to the "internal" network.
        However, traffic originated from your hosts on the network towards the openvpn client subnet routes via your pfsense appliance, since the hosts on the internal network do not have a specific route to the openvpn client subnet. Therefore traffic arrives and goes out on the LAN interface of your pfsense box. I think you need a rule for that, or enable the option you mention. I have no experience with this kind of setup, but you need a rule like this I think:
        allow source <lan ip range> destination <lan ip range> on the LAN interface.

        The other approach is to add a static route on the LAN hosts, but it is more work and harder to maintain. To test, you can manually add a route on a LAN host.

        Also, only the first packet of any traffic will be directed through your pfsense box. Most operating systems have an "ICMP redirect" implementation, which you might have to enable. This way the host on the LAN network will learn the direct route to the openvpn clients through the openvpn server, bypassing the pfsense box.

        I hope this will help you.

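To make the asymmetric path described in both posts concrete, here is an added Python model of a pf-style stateful filter on the pfSense LAN interface. It is constructed for this page and is not code from either poster or from pfSense; the addresses (192.168.1.0/24 LAN, 10.8.0.0/24 OpenVPN client subnet, a web server at 192.168.1.20) are assumed. It mirrors one real pf default, that TCP pass rules use `flags S/SA` so only a bare SYN creates state, and shows why the web connection fails while ping succeeds, what the "bypass firewall rules for traffic on the same interface" option changes, why that bypass never applies to WAN-originated traffic, and what a static route on the LAN hosts does instead.

```python
"""Toy model of asymmetric routing past a pf-style stateful firewall.

Constructed topology (assumed, not from the thread):
  LAN 192.168.1.0/24, pfSense LAN 192.168.1.1, OpenVPN server VM 192.168.1.10,
  web server 192.168.1.20, OpenVPN client subnet 10.8.0.0/24 (static route
  on pfSense points it at the VM, so pfSense treats it as behind the LAN).
"""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
VPN_SERVER = "192.168.1.10"
WEB_SERVER = "192.168.1.20"
VPN_CLIENT = "10.8.0.6"
WAN_HOST = "203.0.113.5"           # constructed Internet address


def iface_of(ip: str) -> str:
    """Interface pfSense routes an address to; the static route puts VPN_NET on LAN."""
    addr = ipaddress.ip_address(ip)
    return "lan" if addr in LAN_NET or addr in VPN_NET else "wan"


class StatefulFirewall:
    """Minimal pf-like filter with one rule: pass on LAN from LAN net to any, keep state."""

    def __init__(self, bypass_same_interface: bool = False):
        self.bypass_same_interface = bypass_same_interface
        self.states: set[tuple] = set()

    def filter(self, src: str, dst: str, proto: str, flags: str = "") -> str:
        in_if, out_if = iface_of(src), iface_of(dst)
        # Static route filtering: traffic that enters and leaves the same
        # interface is not checked at all (no rule match, no state, no log).
        if self.bypass_same_interface and in_if == out_if == "lan":
            return "bypass"
        key = (src, dst, proto)
        if key in self.states or (dst, src, proto) in self.states:
            return "pass"                              # existing state
        if in_if != "lan" or ipaddress.ip_address(src) not in LAN_NET:
            return "drop"                              # no pass rule for WAN here
        # pf default for TCP pass rules is 'flags S/SA': only a bare SYN
        # creates state, so a SYN-ACK with no prior SYN matches nothing.
        if proto == "tcp" and flags != "SYN":
            return "drop"
        self.states.add(key)
        return "pass"


def traverses_pfsense(src: str, dst: str, lan_hosts_have_vpn_route: bool) -> bool:
    """Client->LAN goes straight through the VPN server (direct route, pfSense not
    involved). LAN->client uses the default gateway, pfSense, unless the LAN host
    has its own static route to VPN_NET (hrodenburg's alternative)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in VPN_NET and d in LAN_NET:
        return False
    if s in LAN_NET and d in VPN_NET:
        return not lan_hosts_have_vpn_route
    return True


def run(conversation, fw: StatefulFirewall, lan_hosts_have_vpn_route: bool = False) -> list[str]:
    """Verdict per packet; packets whose path avoids pfSense are 'not seen'."""
    return [
        fw.filter(src, dst, proto, flags)
        if traverses_pfsense(src, dst, lan_hosts_have_vpn_route) else "not seen"
        for src, dst, proto, flags in conversation
    ]


# Constructed traffic: a TCP handshake to the web server and a ping, both from the VPN client.
HTTP_HANDSHAKE = [
    (VPN_CLIENT, WEB_SERVER, "tcp", "SYN"),
    (WEB_SERVER, VPN_CLIENT, "tcp", "SYN-ACK"),
    (VPN_CLIENT, WEB_SERVER, "tcp", "ACK"),
]
PING = [
    (VPN_CLIENT, WEB_SERVER, "icmp", "ECHO"),
    (WEB_SERVER, VPN_CLIENT, "icmp", "ECHO-REPLY"),
]


def scenario(bypass: bool = False, lan_hosts_have_vpn_route: bool = False) -> dict:
    fw = StatefulFirewall(bypass_same_interface=bypass)
    return {
        "http": "drop" not in run(HTTP_HANDSHAKE, fw, lan_hosts_have_vpn_route),
        "ping": "drop" not in run(PING, fw, lan_hosts_have_vpn_route),
        # Unsolicited SYN from the Internet enters wan and would leave lan,
        # so the same-interface bypass can never apply to it.
        "wan_to_lan_unsolicited": fw.filter(WAN_HOST, WEB_SERVER, "tcp", "SYN"),
    }


if __name__ == "__main__":
    print("default:            ", scenario())
    print("bypass enabled:     ", scenario(bypass=True))
    print("route on LAN hosts: ", scenario(lan_hosts_have_vpn_route=True))
```

In the default case the model reproduces the symptom from the first post: the ECHO-REPLY matches the LAN pass rule and creates state, so ping works, while the SYN-ACK is the first TCP packet pfSense sees and is dropped, so the web site never loads. With the bypass enabled, anything that enters and leaves the LAN interface is passed without matching a rule or creating state, which is why the handshake completes; the trade-off is that LAN rules can no longer restrict traffic between the VPN client subnet and LAN hosts and that traffic no longer appears in the firewall log, while WAN ingress is filtered exactly as before. A static route on the LAN hosts (or one learned via ICMP redirect, as the second post describes) takes pfSense out of the path entirely, with the same consequence for filtering between the two subnets.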
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.