pfSense 2.0 - Not able to bridge TAP VPN.



  • Hi,

    I have a pfSense box with the latest firmware (updated today, September 18th).  It has two network cards: LAN (192.168.100.0/24) and WAN (assigned by DHCP).  I have configured a TAP OpenVPN server that listens on the WAN interface on the standard port, and the tunnel network is set to 192.168.101.0/24.  The only server options that are checked are compression and dynamic IP, and I gave a specific default domain name (the same as my pfSense box) and the two Google DNS server IPs (8.8.8.8 and 8.8.4.4).

    I am able to connect fine with the client.  I can ping 192.168.100.1 and I have a LAN address (192.168.100.124) assigned to the client.

    The problem is, I can't ping anything inside the LAN network.

    If I understood correctly, I should bridge the TAP virtual interface (renamed to ovpns1 automatically by pfSense) to the LAN physical interface, but the bridge screen only shows LAN and WAN.

    I have spent about 20 hours over 4 days trying to make this work.  I have the pfSense book (which is written for version 1.2), and section 15.9, which covers bridged OpenVPN, indicates "this cannot be used on 2.0".  So does that mean there can be no TAP VPN on pfSense 2.0, or only that the procedure indicated on the page is not compatible with 2.0?

    Enclosed you will find the firewall rules that are set and the routing table on the client when I am connected to the VPN.  I find the route 192.168.100.124/32 to 192.168.100.124 strange; is it?

    Please help me with that.
    ![lan firewall.png](/public/imported_attachments/1/lan firewall.png)
    ![openVpn firewall.png](/public/imported_attachments/1/openVpn firewall.png)
    ![wan firewall.png](/public/imported_attachments/1/wan firewall.png)



  • If you go to the /Status/Services page, is the OpenVPN service running?    When I tried to use TAP, I could not make the service run…



  • Show the OpenVPN configuration please.



  • Yes, my service is running, as I am able to connect and ping the pf box.  Here is the detailed config of my server:

    ![config - part 1.png](/public/imported_attachments/1/config - part 1.png)
    ![config - part 2.png](/public/imported_attachments/1/config - part 2.png)
    ![config - part 3.png](/public/imported_attachments/1/config - part 3.png)



  • You're just missing the local network on the list.  Add your local LAN address range to the mentioned box and see if that works for you then.
    You can also use the "force all generated traffic through tunnel" which will prevent any traffic from going over the network they're using outside of the company/business/home/etc.




  • Already tried both.  The problem is the same.  I tried to ping two machines in the LAN (one of them is 192.168.100.110) and there is no response.  I can ping this machine when my client is in the LAN without VPN, so I suppose the Windows firewall on 192.168.100.110 should see no difference between an ICMP packet coming directly from the LAN and one coming from the VPN, as I am bridged.  You will find the two routing tables corresponding to the two states.

    ![force through tunnel.png](/public/imported_attachments/1/force through tunnel.png)
    ![local LAN specified.png](/public/imported_attachments/1/local LAN specified.png)



  • Try going to 'Interfaces' > 'assign' and create an interface for 'ovpns1'.

    Then enable it under the interface drop-down list, then go back to assign interfaces and you should be able to bridge the LAN and OVPN interfaces.

    See attached screenshots, let me know if it works.

    Also, for my bridged client setup I had to modify /var/etc/openvpn/server1.conf:

    dev ovpns2
    dev-type tap
    dev-node /dev/tap2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-server
    mode server   <--- removed 'server x.x.x.x'
    client-config-dir /var/etc/openvpn-csc
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0








  • Will this issue be fixed in the next release?



  • @nooblet:

    Try going to 'Interfaces' > 'assign' and create an interface for 'ovpns1'.

    Then enable it under the interface drop-down list, then go back to assign interfaces and you should be able to bridge the LAN and OVPN interfaces.

    See attached screenshots, let me know if it works.

    Also, for my bridged client setup I had to modify /var/etc/openvpn/server1.conf:

    dev ovpns2
    dev-type tap
    dev-node /dev/tap2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local x.x.x.x
    tls-server
    mode server   <--- removed 'server x.x.x.x'
    client-config-dir /var/etc/openvpn-csc
    lport 1195
    management /var/etc/openvpn/server2.sock unix
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0

    How did you get the "mode server" line (with 'server x.x.x.x' removed) to stay in the config after a reboot?



  • This might be a slight kick, but did you try a (bogus) /30 subnet on the TAP? Don't forget to bridge the interface and allow traffic on the created OPT interface (which you need in order to create a bridge anyway).



  • Sorry to all, but I did not have time to try your suggestions.  I think I will wait until 2.1 is released if it is not too far off.  Any date yet?


  • Rebel Alliance Developer Netgate

    No idea, probably on the order of 4-6+ months.

    It wouldn't be hard to adapt those changes to 2.0.1 but I'm not sure if the impact of the change would be considered too large to pull back from 2.1, considering we're trying to get 2.0.1 out in just a few days time.



  • Please, do try to get it into 2.0.1. The changes in the two files don't seem like they would break machines or VPNs when you update them to 2.0.1, or do they? ;-) As the code for tun interfaces stays the same.

    Quite a few people have problems with the tap interface. I would be really grateful if it'd be fixed in 2.0.1.



  • Hi!

    Have you seen it? - http://doc.pfsense.org/index.php/OpenVPN_Bridging

    I have successfully set up a bridge between LAN and TAP on version 2.0.



  • No, but you have seen the following, I suppose:

    _Caveat - There are some problems with the setup described here, this is currently being refactored.

    THIS CANNOT BE USED ON 2.0._



  • Yes, But it works fine on 2.0  :)



  • Can we get our hands on version 2.1?


  • Rebel Alliance Developer Netgate

    You can install the tap fix patch package I put up for 2.0 (though it needs updating… not so easy as the fixes don't merge cleanly from 2.1), and if you want 2.1 you can use gitsync to get the code, check the doc wiki for instructions.



  • Ah, I did not realize that you had added a TAP fix package for OpenVPN. It is now installed! Thank you, and thanks for pfSense.
    It does everything I need for my SOHO gateway and more, with minimal resources!



  • I've got that fix package installed and indeed it makes smart changes to the GUI, but still no dice for me.  I cannot for the life of me get pings to work from the clients. I know the tunnel is working because I can actually see some layer 2 traffic going across the tunnel (ARP broadcasts, multicasts) with tcpdump. But pinging etc. will not work, even to the pfSense box itself. It feels like a firewall issue, but I've got allow * rules on all interfaces including the OPT1 bridge.
    I've been struggling with this for a week; any suggestions?
    Here is my TAP config:



  • Rebel Alliance Developer Netgate

    Show the output of "ifconfig -a"

    Also, if you switched between tun/tap on an existing connection, you must reboot. An unfortunate fact of dealing with tap interfaces.

    New connections should be fine for that, you just need to make sure they're assigned and bridged to LAN on both sides.



  • Here is the output (note: the LAN iface is dot1q trunked into the switch).

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:0c:29:af:78:7e
            inet6 fe80::20c:29ff:feaf:787e%em0 prefixlen 64 scopeid 0x1
            inet 10.0.1.253 netmask 0xffffff00 broadcast 10.0.1.255
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100<PROMISC> metric 0 mtu 33200
    enc0: flags=0<> metric 0 mtu 1536
    em0_vlan2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=3<RXCSUM,TXCSUM>
            ether 00:0c:29:af:78:7e
            inet6 fe80::20c:29ff:feaf:787e%em0_vlan2 prefixlen 64 scopeid 0x7
            inet 10.0.6.253 netmask 0xffffff00 broadcast 10.0.6.255
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            vlan: 2 parent interface: em0
    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether f2:39:a5:31:42:98
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 9 priority 128 path cost 2000000
            member: em0_vlan2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 7 priority 128 path cost 20000
    ovpns1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            ether 00:bd:39:07:00:01
            inet6 fe80::2bd:39ff:fe07:1%ovpns1 prefixlen 64 scopeid 0x9
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 48350
    ovpns3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::20c:29ff:feaf:787e%ovpns3 prefixlen 64 scopeid 0xa
            inet 10.0.7.1 --> 10.0.7.2 netmask 0xffffffff
            nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
            Opened by PID 13380
    tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
    pptpd0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd5: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd6: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd7: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd8: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd9: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd10: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd11: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd12: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd13: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd14: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    pptpd15: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500


  • Rebel Alliance Developer Netgate

    That appears to be OK at a glance. Looks about like my VM test setup that works (though it doesn't use vlans)



  • That's exactly what it is; if this works then I get to buy myself real hardware to use for pfSense. The VLAN part of it works fine; I can ping on the LAN etc. But what to do about TAP?! It's driving me crazy.
    How can I test firewall rules?


  • Rebel Alliance Developer Netgate

    Set the rules you have to log - if the packets hit the rule and log as being passed, then firewall rules are not your problem.

    Doing captures on the tap interface on both ends while you try can help.

    Is this a site-to-site or are you bridging in remote access clients?



  • OK, I solved it. There is a problem with bridging the VLAN interface, either a bug or an incompatibility. I noticed a message on the console, something to the effect of "problem adding the vlan-iface to bridge0". (I had only been using SSH, so I hadn't seen the message.) So I switched from a VLAN interface to a real one and all was copacetic. Too many variables make for a tough diagnosis. Thanks for your help!
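    The diagnosis above started from the `ifconfig -a` output jimp asked for. The following is an added example, not pfSense's or OpenVPN's own code: a small POSIX shell check that parses a FreeBSD `ifconfig -a` dump, lists the members of a bridge, confirms that both the OpenVPN tap interface and the LAN interface are members (the "assigned and bridged to LAN" condition mentioned earlier), and flags any member that is an 802.1Q VLAN sub-interface, which is what the poster above found was the problem in their setup. The dump embedded in the script is a constructed, abbreviated copy of the output posted earlier in this thread with a second, hypothetical bridge added; the function names and the temporary file path are the example's own.

```shell
#!/bin/sh
# Added example (not pfSense's or OpenVPN's code). Parses a FreeBSD "ifconfig -a"
# dump and checks that a bridge carries both the OpenVPN tap interface and the
# LAN interface, flagging VLAN sub-interfaces among the members.

# Print the member interfaces of bridge $2 found in dump file $1.
bridge_members() {
    awk -v b="$2" '
        /^[A-Za-z0-9_.]+: flags=/ { cur = $1; sub(/:$/, "", cur) }
        cur == b && $1 == "member:" { print $2 }' "$1"
}

# Succeed (0) if interface $2 is an 802.1Q sub-interface, i.e. its stanza in
# dump $1 contains a "vlan: N parent interface: X" line.
is_vlan_iface() {
    awk -v i="$2" '
        BEGIN { rc = 1 }
        /^[A-Za-z0-9_.]+: flags=/ { cur = $1; sub(/:$/, "", cur) }
        cur == i && $1 == "vlan:" && /parent interface:/ { rc = 0 }
        END { exit rc }' "$1"
}

# Verdict for dump $1, bridge $2, tap interface $3, LAN interface $4:
#   missing-tap:<if>  the tap interface is not a bridge member (not assigned/bridged)
#   missing-lan:<if>  the LAN interface is not a bridge member
#   vlan-member:<if>  a member is a VLAN sub-interface (the case that failed above)
#   ok                both present, no VLAN member
bridge_check() {
    members=" $(bridge_members "$1" "$2" | tr '\n' ' ')"
    case "$members" in *" $3 "*) ;; *) echo "missing-tap:$3"; return 0 ;; esac
    case "$members" in *" $4 "*) ;; *) echo "missing-lan:$4"; return 0 ;; esac
    for m in $members; do
        if is_vlan_iface "$1" "$m"; then echo "vlan-member:$m"; return 0; fi
    done
    echo ok
}

# Constructed sample: an abbreviated copy of the ifconfig output posted above,
# plus a hypothetical bridge1 that uses the physical em0 instead of em0_vlan2.
IFCONFIG_DUMP="${TMPDIR:-/tmp}/ifconfig-sample.$$"
trap 'rm -f "$IFCONFIG_DUMP"' EXIT
cat > "$IFCONFIG_DUMP" <<'EOF'
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.1.253 netmask 0xffffff00 broadcast 10.0.1.255
em0_vlan2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.6.253 netmask 0xffffff00 broadcast 10.0.6.255
        vlan: 2 parent interface: em0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0_vlan2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ovpns1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:bd:39:07:00:01
EOF

# On a live box: ifconfig -a > /tmp/dump; bridge_check /tmp/dump bridge0 ovpns1 em0_vlan2
printf 'bridge0 (VLAN member):   %s\n' "$(bridge_check "$IFCONFIG_DUMP" bridge0 ovpns1 em0_vlan2)"
printf 'bridge1 (physical LAN):  %s\n' "$(bridge_check "$IFCONFIG_DUMP" bridge1 ovpns1 em0)"
printf 'bridge1, wrong tap name: %s\n' "$(bridge_check "$IFCONFIG_DUMP" bridge1 ovpns2 em0)"
```

    The check only reads the dump, so it is safe to run on a production box; it does not tell you whether the bridge works, only whether its membership matches what the thread says a working setup needs.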



  • Tugi, I tried your suggestion, but now OpenVPN does not want to start, with "--server and --server-bridge cannot be used together".  How did you overcome this?
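    The failure above, and the `mode server` edit shown earlier in the thread, both come down to which server-mode directives the generated config contains. As an added example that is not pfSense's or OpenVPN's own code, here is a POSIX shell lint that classifies a pfSense-style `/var/etc/openvpn/serverN.conf` before the daemon is started: it reports the `server` + `server-bridge` combination that makes OpenVPN refuse to start, a tap server that still carries its own `server` subnet (the routed setup from the first post, which is not a bridge), and the hand-edited `mode server` form. The sample configs are constructed, modelled on the one posted earlier; the `server-bridge` pool addresses, the temporary directory and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not pfSense's or OpenVPN's code): classify an OpenVPN server
# config by its server-mode directives before starting the daemon.
# Assumes the one-directive-per-line format pfSense writes to
# /var/etc/openvpn/serverN.conf; all sample configs below are constructed.

# First argument of directive $2 in file $1 (empty if absent).
ovpn_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed (0) if directive $2 appears in file $1.
ovpn_has() {
    awk -v d="$2" 'BEGIN { rc = 1 } $1 == d { rc = 0; exit } END { exit rc }' "$1"
}

# Print one verdict for config $1:
#   conflict         "server" and "server-bridge" both present; openvpn exits with
#                    "--server and --server-bridge cannot be used together"
#   ok-tap-bridge    tap + "server-bridge": clients get addresses from the bridged LAN range
#   ok-tap-manual    tap + "mode server" only (the edit shown above): OpenVPN assigns no
#                    addresses, so clients rely on the LAN's DHCP through the bridge or
#                    on client-config-dir entries
#   tap-with-server  tap + "server a.b.c.d mask": a routed tunnel on its own subnet, not a bridge
#   bridge-on-tun    "server-bridge" with a tun device (invalid)
#   ok-tun           routed tun server
#   no-server-mode   none of "server", "server-bridge", "mode server"
check_ovpn_conf() {
    f="$1"
    devtype=$(ovpn_get "$f" dev-type)
    if [ -z "$devtype" ]; then
        # Without dev-type, OpenVPN infers the type from the device name (tun0 -> tun, tap0 -> tap).
        case "$(ovpn_get "$f" dev)" in
            tap*) devtype=tap ;;
            tun*) devtype=tun ;;
            *)    devtype=unknown ;;
        esac
    fi
    has_server=0; ovpn_has "$f" server        && has_server=1
    has_bridge=0; ovpn_has "$f" server-bridge && has_bridge=1
    has_mode=0;   [ "$(ovpn_get "$f" mode)" = server ] && has_mode=1

    if [ "$has_server" = 1 ] && [ "$has_bridge" = 1 ]; then
        echo conflict
    elif [ "$devtype" = tap ]; then
        if   [ "$has_bridge" = 1 ]; then echo ok-tap-bridge
        elif [ "$has_server" = 1 ]; then echo tap-with-server
        elif [ "$has_mode"   = 1 ]; then echo ok-tap-manual
        else echo no-server-mode
        fi
    else
        if   [ "$has_bridge" = 1 ]; then echo bridge-on-tun
        elif [ "$has_server" = 1 ] || [ "$has_mode" = 1 ]; then echo ok-tun
        else echo no-server-mode
        fi
    fi
}

OVPN_DEMO_DIR="${TMPDIR:-/tmp}/ovpn-lint.$$"
mkdir -p "$OVPN_DEMO_DIR"
trap 'rm -rf "$OVPN_DEMO_DIR"' EXIT

# Stock 2.0 tap server with its own tunnel network (the first post's setup).
cat > "$OVPN_DEMO_DIR/tap-routed.conf" <<'EOF'
dev ovpns1
dev-type tap
proto udp
tls-server
server 192.168.101.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
EOF

# "server" left in place and "server-bridge" added: OpenVPN refuses to start.
cat > "$OVPN_DEMO_DIR/conflict.conf" <<'EOF'
dev ovpns1
dev-type tap
tls-server
server 192.168.101.0 255.255.255.0
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.220
EOF

# Bridged tap server: "mode server" instead of "server", plus a server-bridge pool
# taken from the LAN range (keep that pool outside the LAN's DHCP scope).
cat > "$OVPN_DEMO_DIR/tap-bridged.conf" <<'EOF'
dev ovpns1
dev-type tap
tls-server
mode server
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.220
client-config-dir /var/etc/openvpn-csc
EOF

# The hand edit shown earlier in the thread: "mode server" only.
cat > "$OVPN_DEMO_DIR/tap-manual.conf" <<'EOF'
dev ovpns2
dev-type tap
tls-server
mode server
client-config-dir /var/etc/openvpn-csc
EOF

# Ordinary routed tun server for comparison; no dev-type, so the type comes from "dev".
cat > "$OVPN_DEMO_DIR/tun-routed.conf" <<'EOF'
dev tun0
tls-server
server 10.0.7.0 255.255.255.0
EOF

for c in tap-routed conflict tap-bridged tap-manual tun-routed; do
    printf '%-12s %s\n' "$c" "$(check_ovpn_conf "$OVPN_DEMO_DIR/$c.conf")"
done
```

    On a pfSense box the file to feed in is the generated `/var/etc/openvpn/serverN.conf`; a `conflict` verdict means the GUI is still emitting `server` while a `server-bridge` line was added by hand, and OpenVPN will exit before any firewall or bridge question even arises.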



  • Forget it, I installed the OpenVPN patch and it works great!  Thank you.



  • Hi,

    Thanks to Jimp for the OVPN bridge fixes in 2.1, which worked great in my testing.  (I spent a lot of time trying to get 2.0 and 2.0.1 to work but never succeeded.)

    Is there, or will there be, a way to specify in the GUI the IP address of a client connecting to the OVPN bridge?  I currently use this for some clients whose IP address must remain static on the bridge.  I am guessing I could put the ifconfig-pool-persist directive in the advanced configuration, but was wondering where the file the directive points to (with the respective client-to-IP-address mapping) should be saved.

    2.1-DEVELOPMENT (i386)
    built on Fri Nov 25 17:45:38 EST 2011
    FreeBSD 8.1-RELEASE-p6


  • Rebel Alliance Developer Netgate

    Probably would work with something to make the IP static in a client-specific override entry. Not sure what it would be offhand for a tap IP, but I thought it was supported (I know it is for tun, but the syntax is likely different)

