OpenVPN Clients can't access LAN or OPT1



  • Hi all,

    I've set up an OpenVPN server to listen on the WAN interface.  I'm trying to get the client to connect and tunnel through to the OPT1 interface.

    I can connect perfectly fine and I can ping pfSense on the OPT1 interface (10.44.11.201) but I can't ping or access the rest of the 10.44 network.

    I tried pushing some routes via the config but that made no difference.  Also after further testing, the same problems apply if I connect through to the LAN interface so the OPT1 interface may be a bit of a red herring.

    I think it's something obvious such as a firewall/NAT rule/gateway I've missed out but I'm drawing a blank here and would really appreciate some fresh eyes on the problem.

    Anyway here is the detailed info that might help narrow the problem down:

    pfSense 2.0.1 with 3 NICs:

    WAN: DMZ Pass through straight to the Internet which gives it an IP address starting 62 which is the external IP for the second Internet line(ISP didn't like PPPOE so the router has to stay there for now)
    LAN: 192.168.20.1/24
    OPT1: 10.44.11.201/16 (the 10.44 network has its own Internet connection unrelated to pfSense)

    From pfSense diagnostics I can ping 10.44.11.1 (the gateway for all 11 addresses on the Cisco kit VLAN 110).  I can then ping any other PC on the network e.g. 10.44.6.100 so that's working fine.

    From my 10.44 network I can ping and access the pfSense web GUI so the reverse also seems fine.

    My OpenVPN setup is as follows:

    Tunnel Network: 10.43.11.0/24 (My understanding is this can be anything not already in use)
    Local Network: 10.44.0.0/16

    My firewall rules are as follows:

    WAN:
    Block private networks + Block bogon networks
    UDP any source to WAN port 1194 (OpenVPN) (OpenVPN wizard rule)

    OPT1:
    Anything from OPT1 net to any destination

    OpenVPN:
    Anything from anywhere to anywhere (OpenVPN Wizard rule)

    I changed to manual NAT rules and have the following rules:

    WAN 192.168.20.0/24 on Port 500 (Auto created rule for ISAKMP - LAN to WAN)
    WAN 192.168.20.0/24 all ports and destinations
    WAN 10.43.11.0/24 all ports and destinations (Auto created rule for OpenVPN server) (This is the range for client IPs once connected via OpenVPN)
    WAN 10.44.11.0/24 on Port 500 (Auto created rule for ISAKMP - OPT1 to WAN)
    WAN 10.44.11.0/24 all ports and destinations

    On the client, if I traceroute 10.44.11.201 I get straight to 10.44.11.201 without any hops.  If I however traceroute 10.44.11.1 I hop through to 10.33.11.1 and then just get request timed out.

    I tried pushing routes to the VPN but that made no difference.

    Interestingly pfSense is convinced that my WAN gateway is down even though clients connect through to the Internet just fine and I can ping google.com via diagnostics.

    Any help would be much appreciated.



  • you are probably missing a route …..
    as i understand the opt1 subnet has a gateway that is NOT pfsense ....

    let's say PC1 is a computer connecting from your openvpn with ip=10.43.11.10 / gateway 10.43.11.1 (pfsense)
    let's say PC2 is a computer with ip=10.44.11.20 / gateway 10.44.11.1 (cisco)

    i'm guessing you have a route working in one direction like this:

    vpnclient --> pfsense ---> opt1 subnet --> PC2
    
    so PC2 receives ip packets from PC1 --> PC2 tries to send a reply, but as the destination address is not within the same subnet it sends it to its gateway (cisco)
    this is where the story probably ends ....
    
    If my guess is right, then there are 2 solutions:
    
    *   manually add a route for 10.43.11.0/24 through pfsense on every computer in the 10.44.11.0/24 subnet  <-- easiest way to test my theory
    
    *   add a route in the cisco router so the gateway knows to send the 10.43.11.0 traffic to pfsense
    
    kind regards
    
    jeroen
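The two-direction routing story above, traced in code as an added example that is not from the thread (the addresses for PC1, pfSense, PC2 and the Cisco gateway are assumed, as noted in the comments): a small longest-prefix-match simulation of the forward path and of PC2's reply, with each of the two suggested fixes applied in turn.

```python
import ipaddress
from copy import deepcopy

# Constructed topology for jeroen's reply (assumed addresses): PC1 = VPN client
# 10.43.11.10, pfSense = 10.43.11.1 (tunnel) / 10.44.11.201 (OPT1), PC2 = 10.44.11.20,
# Cisco = 10.44.11.1 with an upstream 203.0.113.1 that no host here owns (dropped).
HOSTS = {  # name: (owned addresses, routing table as (prefix, next hop))
    "pc1": ({"10.43.11.10"}, [("10.43.11.0/24", "connected"),
                              ("10.44.0.0/16", "10.43.11.1")]),   # pushed route
    "pfsense": ({"10.43.11.1", "10.44.11.201"},
                [("10.43.11.0/24", "connected"), ("10.44.11.0/24", "connected"),
                 ("10.44.0.0/16", "10.44.11.1")]),
    "pc2": ({"10.44.11.20"}, [("10.44.11.0/24", "connected"),
                              ("0.0.0.0/0", "10.44.11.1")]),
    "cisco": ({"10.44.11.1"}, [("10.44.0.0/16", "connected"),
                               ("0.0.0.0/0", "203.0.113.1")]),
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    hits = [(ipaddress.ip_network(p), via) for p, via in table
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def owner(hosts, addr):
    """Host that owns an address, or None when it is outside the lab."""
    return next((n for n, (addrs, _) in hosts.items() if str(addr) in addrs), None)

def trace(hosts, start, dst, max_hops=8):
    """Forward a packet hop by hop; the last element is 'delivered' or 'dropped'."""
    dst, here, path = ipaddress.ip_address(dst), start, [start]
    for _ in range(max_hops):
        addrs, table = hosts[here]
        if str(dst) in addrs:
            return path + ["delivered"]
        via = lookup(table, dst)
        here = owner(hosts, dst if via == "connected" else via) if via else None
        if here is None:            # no route, or next hop not in the lab
            return path + ["dropped"]
        path.append(here)
    return path + ["dropped"]       # routing loop

def reply_path(fix=None):
    """PC2's reply to PC1: no fix, or one of the two fixes from the post."""
    hosts = deepcopy(HOSTS)
    if fix == "pc2_route":      # static route on each 10.44.11.0/24 host
        hosts["pc2"][1].append(("10.43.11.0/24", "10.44.11.201"))
    elif fix == "cisco_route":  # route on the Cisco gateway instead
        hosts["cisco"][1].append(("10.43.11.0/24", "10.44.11.201"))
    return trace(hosts, "pc2", "10.43.11.10")
```

Without a fix the reply leaves via the Cisco's upstream and never reaches the tunnel; either fix turns PC2's reply into a delivered path back through pfSense.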


  • Thank you for your reply, it gave me a new route to explore.  Sadly it wasn't as simple as messing with the Cisco config; however, it turned out to be an even simpler solution (and probably an oversight on my part).

    I ended up factory resetting several times over.  This cured my problem of the LAN not pinging clients however OPT1 was still a cause for concern.

    I finally stumbled across the solution more by luck than knowledge.  I added a gateway to the OPT1 interface which corresponded to 10.44.11.1 (My Cisco gateway via the switches).  Then everything started working.

    One very odd thing I did notice however was that in the course of factory resetting, my VPN connection was automatically pushing the route 10.44.0.0/255.255.0.0 to the clients.  On my last attempt though, the routes weren't being pushed so I also had to add push "route 10.44.0.0 255.255.0.0"; to the VPN config.

    Thanks again for the advice, I appreciate that getting through the mountain of text is not a 5 second job.

