Two subnets, can't access one

  • Hi all, thanks in advance for any help.

    We have two separate internet connections at our office. Number 1 is connected to pfsense on WAN. Number 2 is connected to a CISCO appliance that connects our network to our head office via VPN.

    We have an "internal" and "external" network. The internal has IP addresses in the range. Hosts in this network have (the IP of the CISCO appliance) as gateway. Our external network is set up as OPT1 on pfsense. This network is, with OPT1 as The "LAN" interface on pfsense is connected to the "internal" network and has an IP of, with no gateway. But for the connections to the pfsense box, these two networks are completely separate.

    I have set up an LDAP connection in pfsense to our AD server in the internal network (, and this connection works correctly. It works to authenticate users via OpenVPN. Pinging hosts on works via the ping tool in pfsense.

    What I want to be able to do is have a user connect to pfsense through Internet #1 via OpenVPN, and be able to access the resources on the "internal" network (servers behind our CISCO appliance). Thus far, my configuration attempts have failed. I can give users access to hosts on the "external" network via OpenVPN (have access to no problem, but when I use the same config except substituting as the local network in the tunnel settings, I can't access anything in the range. I think this is because the hosts on the "internal" network have a gateway of

    The wrinkle is, this configuration was working using OpenVPN Access Server on Ubuntu in previous testing, so I suspect that this is a simple matter with a simple solution.

    Thanks for any help!!


  • By "external network" I am assuming it is not actually external to you - it is local on OPT1. It is a sort of DMZ, a subnet that you can manage locally separate to the corporate 10.129 stuff.
    For example, let's say the OpenVPN tunnel network is
    The AD authentication will be working because that is just packets between and - local traffic on your internal LAN - no routing needed.
    The CISCO at is going to need a static route added to tell it that is reached through gateway (the pfSense), or;
    Every system on the LAN that needs access by the OpenVPN users has to have an extra route added for gateway

    I presume your LAN is the whole of - and the CISCO then routes to other office/s in other parts of the company, like head office If you want OpenVPN users to get to head office etc then the CISCO network in general needs to know routes to the OpenVPN - you do need to get cooperation of the rest of the organisation when you add "dial-in" VPN to a branch office and want those users to be able to access internal company network private IP address resources.

  • Would a possible solution be to NAT the OpenVPN network (for example to the LAN IP, so that the "internal" network thinks that any VPN requests are coming from and so would not need these additional routes?

    I've set up an outbound NAT rule as follows:

    I think that this should translate any traffic on destined for to the LAN IP address (in this case, But in my case, it still isn't working. Can anyone tell me if this looks correct?

    Or, do I need to add any firewall rules to allow this traffic, or is the default Allow to Any rule sufficient?

    Thanks again in advance.

  • The principle is fine - the NAT will hide the "real" OpenVPN network behind the pfSense LAN IP. Assuming is the OpenVPN then it should work. Can anyone else spot the error or extra step needed here?
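    The two fixes discussed above (a route back to the tunnel network on the CISCO or on each LAN host, versus outbound NAT to the pfSense LAN address) can be checked with a small routing simulation. The script below is an added example, not code from the thread or from pfSense; every address in it is a constructed placeholder, since the posts only mention a "10.129" corporate range, and the node names and routing tables are assumptions about the topology described. It walks a request from a VPN client to an internal server and then the server's reply, and shows why the reply is lost when the internal host's only gateway is the CISCO, and why either a static route or the NAT rule brings it back.

    ```python
    import ipaddress

    # Constructed addresses (assumptions, not the poster's real values).
    LAN_NET     = ipaddress.ip_network("10.129.1.0/24")  # "internal" LAN behind the CISCO
    TUNNEL_NET  = ipaddress.ip_network("10.8.0.0/24")    # OpenVPN tunnel network
    PFSENSE_LAN = ipaddress.ip_address("10.129.1.2")     # pfSense LAN interface, no gateway
    CISCO_LAN   = ipaddress.ip_address("10.129.1.1")     # CISCO = default gateway of LAN hosts
    INTERNAL    = ipaddress.ip_address("10.129.1.50")    # a server on the internal LAN
    VPN_CLIENT  = ipaddress.ip_address("10.8.0.6")       # an OpenVPN client
    DEFAULT     = ipaddress.ip_network("0.0.0.0/0")
    ON_LINK     = "on-link"

    def lookup(routes, dst):
        """Longest-prefix match over {network: next_hop}. Returns the next hop or None."""
        best = None
        for net, nh in routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def build_nodes(cisco_has_tunnel_route=False, hosts_have_tunnel_route=False):
        """Per-node owned addresses and routing tables for the topology in the thread."""
        nodes = {
            "client":  {"addrs": {VPN_CLIENT},  "routes": {TUNNEL_NET: ON_LINK, LAN_NET: "tunnel"}},
            "pfsense": {"addrs": {PFSENSE_LAN}, "routes": {LAN_NET: ON_LINK, TUNNEL_NET: ON_LINK}},
            "cisco":   {"addrs": {CISCO_LAN},   "routes": {LAN_NET: ON_LINK, DEFAULT: "head-office-vpn"}},
            "server":  {"addrs": {INTERNAL},    "routes": {LAN_NET: ON_LINK, DEFAULT: CISCO_LAN}},
        }
        if cisco_has_tunnel_route:           # fix 1a: static route on the CISCO
            nodes["cisco"]["routes"][TUNNEL_NET] = PFSENSE_LAN
        if hosts_have_tunnel_route:          # fix 1b: extra route on every LAN host
            nodes["server"]["routes"][TUNNEL_NET] = PFSENSE_LAN
        return nodes

    def owner(nodes, addr):
        return next((n for n, d in nodes.items() if addr in d["addrs"]), None)

    def forward(nodes, start, dst, max_hops=8):
        """Hop-by-hop walk; ends at the node owning dst, or at a LOST/DROPPED marker."""
        path, node = [start], start
        for _ in range(max_hops):
            if dst in nodes[node]["addrs"]:
                return path
            nh = lookup(nodes[node]["routes"], dst)
            if nh is None:
                return path + ["DROPPED: no route"]
            if nh == "head-office-vpn":
                return path + ["LOST: sent over the site VPN, head office has no route to the tunnel"]
            nxt = "pfsense" if nh == "tunnel" else owner(nodes, dst if nh == ON_LINK else nh)
            if nxt is None:
                return path + ["DROPPED: next hop unreachable"]
            path.append(nxt)
            node = nxt
        return path + ["LOOP"]

    def round_trip(nodes, nat=False):
        """Request client->server, then the reply. With the outbound NAT rule from the thread
        (source = tunnel net, destination = LAN, translation = LAN address) the reply is addressed
        to pfSense's LAN IP, which pfSense un-NATs and delivers over the tunnel."""
        request = forward(nodes, "client", INTERNAL)
        if request[-1] != "server":
            return request, None, False
        reply = forward(nodes, "server", PFSENSE_LAN if nat else VPN_CLIENT)
        if nat and reply[-1] == "pfsense":
            reply = reply + forward(nodes, "pfsense", VPN_CLIENT)[1:]
        return request, reply, reply[-1] == "client"

    if __name__ == "__main__":
        for label, nodes, nat in [
            ("no route, no NAT", build_nodes(), False),
            ("static route on CISCO", build_nodes(cisco_has_tunnel_route=True), False),
            ("route on each LAN host", build_nodes(hosts_have_tunnel_route=True), False),
            ("outbound NAT to LAN IP", build_nodes(), True),
        ]:
            req, rep, ok = round_trip(nodes, nat)
            print(f"{label:24s} request={req} reply={rep} ok={ok}")
    ```

    Running it shows the asymmetry the second reply describes: the request reaches the server directly because pfSense sits on the LAN, but the reply follows the server's default route to the CISCO and is lost unless the CISCO (or the host) knows that the tunnel network lives behind the pfSense LAN address, or unless NAT makes the reply's destination an on-link address.
    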

  • Just wanted to post a follow-up. Not sure why, but this config (NAT through the LAN address with the posted config) is working properly today. Thanks for the replies!
