[solved] OpenVPN WinXP client connects, but no LAN access

  • Several days reading through forum posts and testing of various modifications but still no access to the LAN behind a pfSense 2.0 (Alix2D13) box.
    Situation: The OpenVPN client on a WinXP notebook connects fine with the pfSense 2.0 box and gets an IP, but the LAN attached to the pfSense box is not accessible.

    The setup:
    In front of the pfSense box is a Router with integrated VDSL modem and static IP This VDSL-router provides the outside WAN connection via PPPoE and DHCP is off. For OpenVPN the VDSL-router forwards port 80 to port 1194 on the WAN port of the pfSense box. The WAN port on the pfSense box has a static IP The OpenVPN client connects via normal http (port 80) to the external WAN and via port forwarding reaches the OpenVPN server on the pfSense box. The connection comes up okay. From the WinXP client the pfSense box with static IP address can be reached ok - DHCP server active. The pfSense GUI is accessible from the client. The LAN address on the pfSense box is defined as std. gateway for all the local LAN clients.

    The problem: A PC with IP on the LAN can't be reached.
    However, it is possible to ping in the other direction from a LAN-PC ( to the connected OpenVPN client (

    In the OpenVPN server the specified address pool is and local net  The OpenVPN setup has been arranged through the wizard in pfsense 2.0.

    In the OpenVPN Server setup form - When the option box "Redirect Gateway o Force all client generated traffic through the tunnel" is checked
    it is possible to ping in addition the IPs on the pfSense WAN/gateway. That is - The VDSL router attached to the pfSense, and the pfSense WAN port itself - , but still no access to PCs on the LAN.
    All firewall rules look good (as per Setup from the wizard). Testing some other rules and playing around with extra "OpenVPN"-interfaces and bridges without any good effect.

    The routing table of the WinXP client looks good too. The two routers seem to work ok too.
    In the pfSense routes table there is the OpenVPN server with the IP This can be "pinged" too.

    OpenVPN client (WinXP) Routing Table, (without local host routes)

    Destination Address Destination Mask    Next Hop            IF Index  Metric    Persistent              0x3       20            0x4       1            0x4       1            0x4       30            0x4       30          0x3       20          0x3       20              0x4       30            0x3       20            0x2       1            0x4       1          0x3       1

    And this is the routing table from the pfSense box
    Destination Gateway Flags Refs Use Mtu Netif Expire
    default UGS 0 7309 1500 vr1 link#6 UH 0 47 16384 lo0 link#2 U 0 67285 1500 vr1 link#2 UHS 0 0 16384 lo0 link#1 U 0 539292 1500 vr0 link#1 UHS 0 0 16384 lo0 UGS 0 79 1500 ovpns1 link#12 UHS 0 0 16384 lo0 link#12 UH 0 0 1500 ovpns1 UGHS 0 20 1500 vr1 UGHS 0 0 1500 vr1

    The routes table on the local LAN PC looks good too. An optional transfer of an extra static route by the pfSense DHCP server via option code 33 to the LAN client does not improve the situation either.

    After seeing with Wireshark that the LAN PC receives the ping request just fine, but does not respond to it, I found that the Windows 7 firewall settings did prevent a response.  After changing the firewall settings on the LAN PC all was fine and communication from the VPN client to the LAN PC was possible.
    Changes to W7 firewall rules: http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7

    Just 4 nights of frustration to find this problem.  >:(
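
The fix described in the post, as an added example that is not part of the original post: a Windows 7 batch script that allows inbound ICMPv4 echo requests only from the OpenVPN tunnel network instead of from any source. The subnet `10.0.8.0/24` and the rule name are placeholders, since the page does not show the real address pool.

```bat
@echo off
rem Added example (not from the original post).
rem Allow ping on the LAN PC only from the OpenVPN tunnel network.

rem Placeholder: replace with the tunnel address pool configured on the
rem OpenVPN server. The page does not show the real value.
set "TUNNEL_NET=10.0.8.0/24"

rem Hypothetical rule name, chosen for this example.
set "RULE=Allow ICMPv4 echo from OpenVPN tunnel"

rem Remove an earlier copy so re-running does not create duplicates.
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1

rem Broad variant, shown for comparison only: it answers ping from any source.
rem netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow protocol=icmpv4:8,any

rem Scoped variant: echo request (ICMPv4 type 8) accepted only when the
rem source address is inside the tunnel network, and never on the Public profile.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
    protocol=icmpv4:8,any remoteip=%TUNNEL_NET% profile=private,domain
if errorlevel 1 (
    echo Failed to add the rule. Run this script from an elevated prompt.
    exit /b 1
)

rem Show the resulting rule so the scope can be checked.
netsh advfirewall firewall show rule name="%RULE%" verbose
```

In the output of the last command, the RemoteIP field should list only the tunnel network.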
