Static route issue



  • Ok, here's a situation that's bugging me. Behind my pfSense box I have an OpenVPN server set up running a routed interface, and I cannot get the traffic to go through my pfSense box. The pf box has a LAN IP of 192.168.10.4, the OpenVPN server has an IP of 192.168.10.24, the server hands out IPs of 10.8.0.6+/24 and has a gateway of 10.8.0.1. It operates on TCP port 443 and I have the proper forwarding set up. I can get a client to connect; it can ping itself (10.8.0.6) and can ping 10.8.0.1 and 192.168.10.24, however I cannot ping the LAN interface on the router or anything past that. Below is the static route configuration of the pf box. In my firewall logs I can see the packets from 10.8.0.6 being dropped.

    • <staticroutes>
        <route>
          <interface>lan</interface>
          <network>10.8.0.0/24</network>
          <gateway>192.168.10.24</gateway>
          <descr>VPN server traffic</descr>
        </route>
      </staticroutes>
      ![Network config.jpg](/public/imported_attachments/1/Network config.jpg)


  • Do you have a rule on your LAN interface that allows traffic from your VPN subnet?
    If you see the traffic dropped, I assume you didn't change the default allow rule on LAN, which only allows traffic from your LAN subnet.

    Or do you want your OpenVPN server to NAT the OpenVPN subnet?
    If you're running pfSense on the machine running the OpenVPN server, you need to add an advanced outbound NAT rule.



  • Here is my LAN rule list, so no, I do not have a route set up there. However, I do have a static route that should pass all traffic that it sees on the 10.8.0.0/24 range to 192.168.10.24, as that is the server that I want all traffic to come from… I did however try that and it wouldn't work. My pf box is not the VPN server; the VPN server is behind the router, and it's running a routed interface, not a bridged interface. The only thing I haven't tried yet is to change the rule from 10.8.0.0/34 to 10.8.0.6/24?

    <filter>
      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source>
          <network>lan</network>
        </source>
        <destination><any></any></destination>
      </rule>
    </filter>



  • As I've written before: if you have only one rule with your LAN subnet as source, the traffic has to be dropped since it doesn't match the allow rule.
    I'm talking here about FIREWALL rules, not routes.

    (There is an invisible "block all" rule at the very bottom of the rule list.)

    Create a rule that allows traffic from your VPN subnet.
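The distinction the last two replies make (the static route decides where pfSense sends replies to 10.8.0.x, the LAN firewall rules decide whether a packet from 10.8.0.6 is allowed in, and anything that matches no pass rule falls through to the hidden block-all) as an added example, not code from the thread or from pfSense itself. It parses config.xml-shaped `<filter>` fragments like the one posted above and evaluates them first-match, which is how pfSense applies its rule list. The LAN netmask (/24), the `<address>` element used for a CIDR source in the added rule, and that rule's description are assumptions.

```python
"""First-match evaluation of pfSense-style <filter> rules, plus the static route.

Added example: resolves the "lan" interface alias, walks the rule list top
down, and shows why a packet from the OpenVPN subnet is dropped until a pass
rule for 10.8.0.0/24 exists on LAN. The /24 LAN mask is an assumption.
"""
import ipaddress
import xml.etree.ElementTree as ET

# LAN address 192.168.10.4 comes from the thread; the /24 mask is assumed.
INTERFACE_NETWORKS = {"lan": ipaddress.ip_network("192.168.10.0/24")}

# Constructed copy of the posted rule list: one pass rule sourced from the
# LAN interface network only.
ORIGINAL_FILTER = """<filter>
  <rule>
    <type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any></any></destination>
  </rule>
</filter>"""

# Same list with the rule the last reply asks for, placed above the default:
# pass anything arriving on LAN from the OpenVPN subnet. The <address> form
# and the description text are assumptions, not copied from the thread.
FIXED_FILTER = """<filter>
  <rule>
    <type>pass</type>
    <descr>Allow OpenVPN clients (routed via 192.168.10.24)</descr>
    <interface>lan</interface>
    <source><address>10.8.0.0/24</address></source>
    <destination><any></any></destination>
  </rule>
  <rule>
    <type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any></any></destination>
  </rule>
</filter>"""


def parse_rules(xml_text):
    """Return the <rule> elements in document order (order matters: first match wins)."""
    return ET.fromstring(xml_text).findall("rule")


def endpoint_matches(endpoint, addr):
    """Match an address against a <source> or <destination> element."""
    if endpoint is None or endpoint.find("any") is not None:
        return True
    network = endpoint.find("network")
    if network is not None:
        # An interface name stands for that interface's subnet (e.g. "lan").
        return addr in INTERFACE_NETWORKS[network.text.strip()]
    address = endpoint.find("address")
    if address is not None:
        # Host or CIDR literal such as 10.8.0.0/24.
        return addr in ipaddress.ip_network(address.text.strip(), strict=False)
    return False


def evaluate(rules, interface, src, dst):
    """First rule on the ingress interface matching src and dst decides; else block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.findtext("interface") != interface:
            continue
        if endpoint_matches(rule.find("source"), src) and endpoint_matches(
            rule.find("destination"), dst
        ):
            return rule.findtext("type"), rule.findtext("descr")
    # The invisible rule at the bottom of every pfSense rule list.
    return "block", "implicit default deny"


# The static route from the first post. Routing answers "where do packets for
# 10.8.0.x go"; it never makes an inbound packet pass the filter.
STATIC_ROUTES = [(ipaddress.ip_network("10.8.0.0/24"), "192.168.10.24")]


def next_hop(dst):
    """Longest-prefix match over the static routes; None if no static route applies."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway in STATIC_ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    vpn_client, lan_if = "10.8.0.6", "192.168.10.4"
    print("reply to", vpn_client, "goes via", next_hop(vpn_client))
    print("original rules:", evaluate(parse_rules(ORIGINAL_FILTER), "lan", vpn_client, lan_if))
    print("fixed rules:   ", evaluate(parse_rules(FIXED_FILTER), "lan", vpn_client, lan_if))
```

The route lookup succeeds for 10.8.0.6 in both cases, which is why the ping from the client reaches the box at all; only the ruleset change turns the verdict from the default deny into a pass. In the real box the new rule is added under Firewall > Rules on the LAN tab with the VPN subnet as source, and the static route stays as it is.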

