Internal LAN access stops when gateway removed

  • I set up an instance of pfSense to act as an OpenVPN server.  It's been working fine for the past 2 months.  When I first installed it, I set a gateway that points to our MS ISA server.  Now we're looking to punt MS ISA and just use the pfSense box as the gateway.  When I go to LAN config and remove the gateway value, OpenVPN users can no longer access any of the internal network.  What did I do wrong?  Do I have to define the gateway for the pfSense box as being itself?  Is the OpenVPN config dependent on the gateway, so I have to reconfigure OpenVPN if it is changed?

  • What exactly is the network topology? Is your real LAN behind the MS ISA server?
    You should just be able to have your real LAN devices on a switch connected to the pfSense LAN port, then put the LAN subnet in the OpenVPN server "IPv4 Local Network/s" field. Make sure there is a rule on the OpenVPN tab to allow traffic with destination LANnet.

  • LAYER 8 Global Moderator

    Yeah, how do you have pfSense connected in your network? With pfSense you do NOT put gateways on LAN connections; to pfSense, if an interface has a gateway it is a WAN interface and it would automatically do NAT to it, etc.

    If you want to move pfSense to act as the gateway of your network, then it would have a WAN connection tied to your internet/WAN and then a LAN connection, which is your local network.

  • Thanks for the reply, gents.

    Our network is pretty simple and flat.  Yes, our real LAN is behind the ISA server.  I'm using VMware vSphere to run both the ISA server and the pfSense box.  The VMware hosts all have a direct connection to our public router, and the pfSense box has a dedicated public IP address for WAN – it doesn't go through the ISA server.  I wanted our VPN users to be able to connect to the network, but I also wanted them to be subject to the rules of our MS ISA server (which is our current gateway) if they use the virtual machines on our network to go out.  I can't have VPN users using our network to surf kiddie porn externally, for instance.  When installing pfSense, I gave the LAN connection our ISA server as a gateway out of habit (I was and am still very new to pfSense) but it all seemed to work anyway, and like I said before, everything has been working great until I removed the LAN gateway.  My firewall rules - OpenVPN tab has a list of rules that direct specific IP addresses (users) to specific virtual machines, and this has worked well to control access to servers on our network by the VPN users.