Static route issue

  • OK, here's a situation that's bugging me. Behind my pfSense box I have an OpenVPN server set up running a routed interface, and I cannot get the traffic to go through my pfSense box. The pf box has a LAN IP of , the OpenVPN server has an IP of , the server hands out IPs of and has a GW of . It operates on TCP port 443 and I have the proper forwarding set up. I can get a client to connect; it can ping itself at and can ping and , however I cannot ping the LAN interface on the router or anything past that. Below is the static route configuration of the pf box. In my firewall logs I can see the packets from being dropped.

    • <staticroutes><route><interface>lan</interface>
        <descr>VPN server traffic</descr></route></staticroutes>
      ![Network config.jpg](/public/imported_attachments/1/Network config.jpg)

  • Do you have a rule on your LAN interface that allows traffic from your VPN subnet?
    If you see the traffic dropped, I assume you didn't change the default allow rule on LAN, which only allows traffic from your LAN subnet.

    Or do you want your OpenVPN server to NAT the OpenVPN subnet?
    If you're running pfSense on the machine running the OpenVPN server, you need to add an advanced outbound NAT rule.

  • Here is my LAN rule list, so no, I do not have a route set up there; however, I do have a static route that should pass all traffic that it sees on the /24 range to , as that is the server that I want all traffic to come from… I did however try that and it wouldn't work. My pf box is not the VPN server; the VPN server is behind the router, and it's running a routed interface, not a bridged interface. The only thing I haven't tried yet is to change the rule from to /24?

    <filter><rule><type>pass</type>
      <descr>Default LAN -> any</descr>
      <source>
      <destination><any></any></destination></rule>

  • As I've written before: if you have only one rule with your LAN subnet as source, the traffic has to be dropped, since it doesn't match the allow rule.
    I'm talking here about FIREWALL rules, not routes.

    (There is an invisible "block all" rule at the very bottom of the rule list.)

    Create a rule that allows traffic from your VPN subnet.
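
As an added illustration (not configuration from the original poster or from the pfSense project), this is what the missing piece looks like in pfSense's config.xml form, with assumed addresses: 10.8.0.0/24 for the OpenVPN tunnel subnet and 192.168.1.10 for the OpenVPN server's LAN address. The first rule is the default one that is already on the LAN tab; the second is the one the reply above says has to be added. The static route is written in the same interface/network/gateway shape as the fragment earlier in the thread, so that replies to the tunnel subnet are handed back to the OpenVPN server instead of going out the default route.

```xml
<!-- Added example; all addresses are assumed, not taken from the thread. -->
<filter>
  <!-- Existing default rule: matches only packets whose source address is
       in the LAN subnet (the "lan" network alias). Packets that arrive on
       LAN from the tunnel subnet do not match it, fall through to the
       hidden "block all" at the bottom, and show up as drops in the log. -->
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any></any>
    </destination>
    <descr>Default LAN -> any</descr>
  </rule>

  <!-- Added rule: pass packets that arrive on the LAN interface (forwarded
       by the OpenVPN server) whose source address is in the tunnel subnet. -->
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <ipprotocol>inet</ipprotocol>
    <source>
      <address>10.8.0.0/24</address>   <!-- assumed OpenVPN tunnel subnet -->
    </source>
    <destination>
      <any></any>
    </destination>
    <descr>Allow OpenVPN tunnel subnet in via LAN</descr>
  </rule>
</filter>

<!-- Return path: 10.8.0.0/24 is reachable through the OpenVPN server's LAN
     address. Same shape as the route fragment earlier in the thread. -->
<staticroutes>
  <route>
    <interface>lan</interface>
    <network>10.8.0.0/24</network>
    <gateway>192.168.1.10</gateway>   <!-- assumed OpenVPN server LAN IP -->
    <descr>VPN server traffic</descr>
  </route>
</staticroutes>
```

Rule order matters: pfSense evaluates the list top to bottom, the first match wins, and anything unmatched hits the hidden block rule, so the added pass rule can sit anywhere above it but must exist on the LAN tab, because LAN is the interface the tunnel packets arrive on. Two caveats: on current pfSense releases the `<gateway>` of a static route is a named gateway entry from System > Routing rather than a bare IP, so the route is created there in the GUI; and LAN hosts that have no route of their own to the tunnel subnet will send their replies to pfSense, which then sees the reply enter and leave on the same LAN interface and may drop it as an asymmetric flow. Either add the route on those hosts as well, or enable "Bypass firewall rules for traffic on the same interface" under System > Advanced > Firewall & NAT.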
