Netgate Discussion Forum

    Any way to disable the automatic gateway creation?

    OpenVPN
      GuntherDW

      Hi there, I'll try to keep my topic as small as possible, whilst still providing enough details.

      I've been having issues with the dynamic gateways that pfSense seems to create for every OpenVPN server and client you create.
      This has been going on for quite some months actually. I've been searching on Google and on these forums, but haven't found a conclusive answer.

      I know that you can edit the files yourself, but that would defeat the purpose.

      Now, the problem is that for my OpenVPN server and client, it doesn't seem to send a gateway address, so the gateway address that gets added is "255.255.255.0".
      Obviously that does create errors, but that's not the only issue I have.
      For as long as I've been having those problems, this message pops up every single second in my system logs.
      kernel: arpresolve: can't allocate llinfo for 255.255.255.0

      Looking at this reference thread http://forum.pfsense.org/index.php?topic=38438.0 , I checked the /tmp/*_routers files and sure enough,
      there were 3 files: 2 for the VPNs, and 1 for my PPPoE WAN.

      Those 2 VPN ones had 255.255.255.0 in them, even though the VPNs themselves work just fine.

      So my final question actually is, is it possible to disable the automatic gateway creation for OpenVPN besides editing the files directly?

      edit: I should note, though, that before pfSense would let me access the VPN from other PCs in the LAN subnet, I'd have to add some outbound NAT lines. Other than that (and the obvious question/problem at hand), everything works just fine.

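As an added example (not part of this thread and not pfSense code), here is a small POSIX shell script that checks the /tmp/*_routers files the first post refers to for exactly the symptom described: a gateway file holding a netmask such as 255.255.255.0 instead of a next-hop host address, which is what the kernel then tries and fails to ARP for. The *_routers file-name pattern is taken from the post; the sample files and the placeholder WAN next hop 198.51.100.1 (a documentation address) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): sanity-check the dynamic
# gateway files pfSense writes for assigned interfaces. The thread above found
# /tmp/*_routers files for two OpenVPN tap interfaces containing 255.255.255.0,
# a netmask rather than a next-hop host, which is what produces
# "arpresolve: can't allocate llinfo for 255.255.255.0" in the system log.
# The *_routers name pattern is taken from the post; sample files are constructed.

# is_ipv4 ADDR: succeed if ADDR is a syntactically valid dotted quad.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# looks_like_netmask ADDR: succeed if ADDR's 32 bits are a run of ones followed
# by zeros. That covers 255.255.255.0, 0.0.0.0 and 255.255.255.255, none of
# which is a usable next hop.
looks_like_netmask() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( 4294967295 - n ))             # bitwise NOT within 32 bits
    [ $(( inv & (inv + 1) )) -eq 0 ]      # true when inv is 2^k - 1
}

# classify_gateway VALUE: print one of valid / netmask / malformed.
classify_gateway() {
    gw=$(printf '%s' "$1" | tr -d ' \t\r\n')
    if ! is_ipv4 "$gw"; then
        echo malformed
    elif looks_like_netmask "$gw"; then
        echo netmask
    else
        echo valid
    fi
}

# check_routers_dir DIR: report every DIR/*_routers file (DIR defaults to /tmp);
# succeed only if all recorded gateways are usable host addresses.
check_routers_dir() {
    dir=${1:-/tmp}
    rc=0
    for f in "$dir"/*_routers; do
        [ -f "$f" ] || continue
        gw=$(head -n 1 "$f")
        verdict=$(classify_gateway "$gw")
        [ "$verdict" = valid ] || rc=1
        printf '%s: %s (%s)\n' "$(basename "$f")" "$gw" "$verdict"
    done
    return $rc
}

# Demo on constructed data: a PPPoE WAN with a placeholder next hop
# (198.51.100.1, a documentation address) and the two tap interfaces named in
# the post, recorded with the netmask the poster saw.
demo_dir=$(mktemp -d)
printf '198.51.100.1\n'  > "$demo_dir/pppoe0_routers"
printf '255.255.255.0\n' > "$demo_dir/ovpnc1_routers"
printf '255.255.255.0\n' > "$demo_dir/ovpns3_routers"
if check_routers_dir "$demo_dir"; then
    echo "all gateways look usable"
else
    echo "at least one *_routers file holds an unusable gateway"
fi
rm -rf "$demo_dir"
```

Run it as-is to see the constructed demo, or call check_routers_dir with no argument on a pfSense box to scan the real /tmp. The netmask test is deliberately broader than a string compare against 255.255.255.0: any value of the form ones-then-zeros (including 0.0.0.0 and 255.255.255.255) is rejected, because none of them can be a next hop.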
        jimp Rebel Alliance Developer Netgate

        Do you have these OpenVPN interfaces assigned as OPT interfaces?

        Are these OpenVPN interfaces using tun or tap mode?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          GuntherDW

          They are assigned as OPT interfaces (renamed them accordingly), but I didn't let them set up an IP,
          seeing as they get one from the server.
          edit: So both have None/None for IPv4 and IPv6, but are enabled so I can have firewall rules for the VPNs' networks.

          They're both using TAP. I've had way too many issues with TUN, so I went with TAP.

          I do wonder if the fact that I enabled cryptodev has anything to do with it (it's running on an AMD Fusion E-350).

          Config for the client

          # Layer-2 (tap) device; pfSense names it ovpnc1 and exposes it as /dev/tap1
          dev ovpnc1
          dev-type tap
          dev-node /dev/tap1
          writepid /var/run/openvpn_client1.pid
          # Privilege drop to nobody is commented out; the daemon keeps its starting privileges
          #user nobody
          #group nobody
          # Level 3 lets the up/down scripts run and allows passwords to be passed via environment
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 83.101.5.155
          # Offload crypto to the kernel cryptodev framework
          engine cryptodev
          tls-client
          client
          # 0 = pick a random local source port
          lport 0
          management /var/etc/openvpn/client1.sock unix
          # Remote server on UDP/123
          remote 91.121.194.90 123
          # Local and peer addresses for the tap link
          ifconfig 192.0.2.2 192.0.2.1
          ca /var/etc/openvpn/client1.ca
          cert /var/etc/openvpn/client1.cert
          key /var/etc/openvpn/client1.key
          # Control-channel HMAC; key direction 1 on the client side
          tls-auth /var/etc/openvpn/client1.tls-auth 1


          Config for the server

          # Layer-2 (tap) device for the server instance
          dev ovpns3
          dev-type tap
          dev-node /dev/tap3
          writepid /var/run/openvpn_server3.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-128-CBC
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          local 83.101.5.155
          engine cryptodev
          tls-server
          # Tunnel network handed out to clients; the server takes 172.16.100.1
          server 172.16.100.0 255.255.255.0
          server-ipv6 2001:6f8:142f:4::/64
          # Per-client overrides live here
          client-config-dir /var/etc/openvpn-csc
          # Listens on UDP/53
          lport 53
          management /var/etc/openvpn/server3.sock unix
          # Routes to the LAN pushed to every client
          push "route 192.168.8.0 255.255.252.0"
          push "route-ipv6 2001:6f8:142f::1/64"
          # Clients may reach each other through the server
          client-to-client
          ca /var/etc/openvpn/server3.ca
          cert /var/etc/openvpn/server3.cert
          key /var/etc/openvpn/server3.key
          # 1024-bit DH parameters are considered weak today; 2048-bit or larger is the usual minimum
          dh /etc/dh-parameters.1024
          # Control-channel HMAC; key direction 0 on the server side
          tls-auth /var/etc/openvpn/server3.tls-auth 0
          # LZO compression of tunnel payload; compressing VPN traffic is now generally discouraged
          comp-lzo
          persist-remote-ip
          # Accept packets from an authenticated peer whose source address/port changed
          float


          edit: Oh, and here's a screenshot from the status tab: http://www.wrongplace.be/files/OpenVPN.status.png

            jimp Rebel Alliance Developer Netgate

            Well, tap is likely the reason you're getting that error. tun has way fewer problems; not sure what you've had with it before, but with pfSense, tun is by far less problematic.

            And you don't need to assign them; if you don't assign them, then you don't get the gateways.


              GuntherDW

              To put it bluntly, if I don't assign them, I won't be able to apply firewall rules for them. (Well, I could add floating rules, but that's beside the point.)

                jimp Rebel Alliance Developer Netgate

                That's what the "OpenVPN" tab is for: you can apply rules there, and restrict them by subnet rather than by separate interfaces.


                  GuntherDW

                  After some additional fiddling with outbound NAT it finally seems to work, in combination with the "just use the OpenVPN tab" advice.
                  Thanks.

                  Had to reboot the machine before the messages went away though.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.