[solved] OpenVPN WinXP client connects, but no LAN access
minimaster last edited by
Several days of reading through forum posts and testing various modifications, but still no access to the LAN behind a pfSense 2.0 (Alix2D13) box.
Situation: The OpenVPN client on a WinXP notebook connects fine with the pfSense 2.0 box and gets an IP 192.168.2.6, but the LAN attached to the pfSense box is not accessible.
In front of the pfSense box is a router with integrated VDSL modem and static IP 192.168.0.1. This VDSL router provides the outside WAN connection via PPPoE, and DHCP is off. For OpenVPN the VDSL router forwards port 80 to port 1194 on the WAN port of the pfSense box. The WAN port on the pfSense box has a static IP 192.168.0.2. The OpenVPN client connects via normal HTTP (port 80) to the external WAN and via port forwarding reaches the OpenVPN server on the pfSense box. The connection comes up okay. From the WinXP client the pfSense box with static IP address 192.168.1.3 can be reached OK - DHCP server active. The pfSense GUI is accessible from the client. The LAN address on the pfSense box is defined as std. gateway for all the local LAN clients.
The problem: A PC with IP 192.168.1.10 on the LAN can't be reached.
However, it is possible to ping in the other direction, from a LAN PC (192.168.1.10) to the connected OpenVPN client (192.168.2.6).
In the OpenVPN server the specified address pool is 192.168.2.0/24 and the local net is 192.168.1.0/24. The OpenVPN setup has been arranged through the wizard in pfSense 2.0.
In the OpenVPN server setup form, when the option box "Redirect Gateway - Force all client generated traffic through the tunnel" is checked, it is possible to ping in addition the IPs on the pfSense WAN/gateway. That is 192.168.0.1 (the VDSL router attached to the pfSense) and the pfSense WAN port itself (192.168.0.2), but still no access to PCs on the LAN.
All firewall rules look good (as per setup from the wizard). Testing some other rules and playing around with extra "OpenVPN" interfaces and bridges was without any good effect.
The routing table of the WinXP client looks good too. The two routers seem to work OK too.
In the pfSense routes table there is the OpenVPN server with the IP 192.168.2.1. This can be "pinged" too.
Destination Address  Destination Mask  Next Hop       IF Index  Metric  Persistent
0.0.0.0              0.0.0.0           192.168.11.1   0x3       20
192.168.1.0          255.255.255.0     192.168.2.5    0x4       1
192.168.2.0          255.255.255.0     192.168.2.5    0x4       1
192.168.2.4          255.255.255.252   192.168.2.6    0x4       30
192.168.2.255        255.255.255.255   192.168.2.6    0x4       30
192.168.11.0         255.255.255.0     192.168.11.10  0x3       20
192.168.11.255       255.255.255.255   192.168.11.10  0x3       20
184.108.40.206       240.0.0.0         192.168.2.6    0x4       30
220.127.116.11       240.0.0.0         192.168.11.10  0x3       20
255.255.255.255      255.255.255.255   192.168.2.6    0x2       1
255.255.255.255      255.255.255.255   192.168.2.6    0x4       1
255.255.255.255      255.255.255.255   192.168.11.10  0x3       1
And this is the routing table from the pfsense box
Destination     Gateway      Flags  Refs  Use     Mtu    Netif   Expire
default         192.168.0.1  UGS    0     7309    1500   vr1
127.0.0.1       link#6       UH     0     47      16384  lo0
192.168.0.0/24  link#2       U      0     67285   1500   vr1
192.168.0.2     link#2       UHS    0     0       16384  lo0
192.168.1.0/24  link#1       U      0     539292  1500   vr0
192.168.1.3     link#1       UHS    0     0       16384  lo0
192.168.2.0/24  192.168.2.2  UGS    0     79      1500   ovpns1
192.168.2.1     link#12      UHS    0     0       16384  lo0
192.168.2.2     link#12      UH     0     0       1500   ovpns1
18.104.22.168   192.168.0.1  UGHS   0     20      1500   vr1
22.214.171.124  192.168.0.1  UGHS   0     0       1500   vr1
The routes table on the local LAN PC looks good too. An optional transfer of an extra static route by the pfSense DHCP server via option code 33 to the LAN client does not improve the situation either.
After seeing with Wireshark that the LAN PC receives the ping request just fine, but does not respond to it, I found that the Windows 7 firewall settings did prevent a response. After changing the firewall settings on the LAN PC all was fine and communication from the VPN client to the LAN PC was possible.
Changes to W7 firewall rules: http://www.fixya.com/support/r5359816-allow_ping_icmp_echo_request_windows_7
Just 4 nights of frustration to find this problem. >:(
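The firewall change described in the post can be limited to the OpenVPN address pool instead of accepting ICMP echo from every source. This is an added example, not part of the original post, using `netsh advfirewall` on the Windows 7 LAN PC; the rule name and the profile list are assumptions to adapt.

```bat
rem Added example, not from the original post. Run in an elevated cmd.exe
rem on the Windows 7 LAN PC (192.168.1.10 in the post).
rem Assumptions: the rule name is made up for this example, and the profile
rem list must match the profile Windows assigned to the LAN connection.

rem Allow ICMPv4 echo request (type 8) only when the sender is inside the
rem OpenVPN address pool 192.168.2.0/24, not from any remote address.
netsh advfirewall firewall add rule name="ICMPv4 echo from OpenVPN pool" ^
    dir=in action=allow protocol=icmpv4:8,any ^
    remoteip=192.168.2.0/24 profile=private,domain

rem Confirm what was stored: RemoteIP should list 192.168.2.0/24 only.
netsh advfirewall firewall show rule name="ICMPv4 echo from OpenVPN pool" verbose

rem Remove the rule again once it is no longer needed.
rem netsh advfirewall firewall delete rule name="ICMPv4 echo from OpenVPN pool"
```

After adding the rule, a ping from the VPN client (192.168.2.6) to 192.168.1.10 exercises it, while echo requests from other remote subnets are still not matched by this rule.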