Netgate Discussion Forum

    OpenVPN clients can't reach LAN computers not using pfSense as gateway

      rickbharper

      I just took over IT for a company and I'm in the process of upgrading hardware and moving over to pfSense and OpenVPN.  My issue is as follows:

      I have a few computers on my LAN that are not using pfSense as their gateway, and I cannot reach these machines from a VPN client. (At this point I have to route them out a different gateway for everything to function properly.)

      I am running the latest build of pfSense 2.1

      Setup:
      LAN: 10.0.1.0/24
      OpenVPN: 10.0.10.0/24

      pfSense Gateway: 10.0.1.1
      Other Gateway: 10.0.1.3

      LAN Computers:
      Computer 1: I can reach this machine no problem from the OpenVPN clients
          10.0.1.2 - gateway 10.0.1.1

      Computer 2: I CANNOT hit this machine from any OpenVPN clients
          10.0.1.47 - gateway 10.0.1.3

      I'm using the push "10.0.1.0 255.255.255.0" option in my VPN config.

      A tracert from the VPN client machine reveals that it's routing to the pfSense router (10.0.10.1 for my VPN tunnel network) but is not going any further.

      I can ping Computer 2 from pfSense with no issues.

      Changing Computer 2's gateway over to 10.0.1.1 allows me to reach it from the VPN clients, but as I stated above this screws up some other things (Computer 2 is actually a phone server routed out a dedicated T1 line to my SIP trunk provider)

      I've tried playing w/ some static routes, but I must be missing something as I've been unable to make this work.

      Any suggestions would be greatly appreciated!

      If the government is covering up knowledge of Aliens, they are doing a better job of it than they do at anything else.

        dotdash

        The gateway the phone server is using (10.0.1.3) needs a route back to 10.0.10.0/24 via 10.0.1.1
        If you don't have access, ask the phone vendor to add the static route.

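The return-path problem described in the answer above, traced as an added example that is not part of the original thread: replies from 10.0.1.47 to a VPN client are followed hop by hop with and without the static route on 10.0.1.3. The client address 10.0.10.6 and the "T1 uplink" default route on 10.0.1.3 are assumptions for illustration; the other addresses come from the first post.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match; returns the next hop, 'on-link', or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes
               if dst in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_path(tables, src, dst, max_hops=8):
    """Follow a reply from src toward dst through the modeled devices."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            path.append("no route")
            break
        if hop == "on-link":          # destination is directly reachable
            path.append(dst)
            break
        path.append(hop)
        if hop not in tables:         # packet left the modeled network
            break
        node = hop
    return path

def build_tables(with_static_route):
    """Routing tables keyed by device address (constructed sample data)."""
    lan = ("10.0.1.0/24", "on-link")
    other_gw = [lan, ("0.0.0.0/0", "T1 uplink")]        # assumed default route
    if with_static_route:
        other_gw.append(("10.0.10.0/24", "10.0.1.1"))   # the suggested fix
    return {
        "10.0.1.2":  [lan, ("0.0.0.0/0", "10.0.1.1")],  # Computer 1
        "10.0.1.47": [lan, ("0.0.0.0/0", "10.0.1.3")],  # Computer 2 (phone server)
        "10.0.1.3":  other_gw,                          # other gateway
        "10.0.1.1":  [lan, ("10.0.10.0/24", "on-link")],  # pfSense, tunnel modeled as on-link
    }

if __name__ == "__main__":
    client = "10.0.10.6"  # assumed VPN client address
    for fixed in (False, True):
        label = "with static route" if fixed else "without static route"
        print(label, "->", " -> ".join(reply_path(build_tables(fixed), "10.0.1.47", client)))
```

Without the route, the reply follows the default route of 10.0.1.3 and never returns to pfSense, so the request arrives (pfSense can ping Computer 2) but the answer to the VPN client is lost.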
          rickbharper

          Of course!  I knew I was missing something simple.

          That worked perfectly.  Thank you!!!!

          On a side note, do you have any idea why my VPN clients are getting a 255.255.255.252 subnet mask when I have OpenVPN set to use 10.0.10.0/24 as the tunnel network?

            doktornotor Banned

            @rickbharper:

            On a side note, do you have any idea why my VPN Clients are getting a 255.255.255.252 subnet mask when I have openVPN set to use 10.0.10.0/24 as the tunnel network?

              phil.davis

              On a side note, do you have any idea why my VPN Clients are getting a 255.255.255.252 subnet mask when I have openVPN set to use 10.0.10.0/24 as the tunnel network?

              And some words of explanation - OpenVPN can split the tunnel network into /30 pieces. The server looks like it is talking on .1, the first client gets .6 and thinks it is talking back to the server on .5 - the next one uses .10 back to .9 and so on. The OpenVPN server handles all that internally.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                rickbharper

                Thank you all!!!  I really appreciate the help!
