Cannot connect to LAN devices over VPN - Yes the old favourite! [RESOLVED]
-
Guys,
Hoping for a quick resolution here as I can see many, many posts with a similar issue. In fact I know what the problem is just not how to resolve it without making the problem worse or kicking myself off.
I have set up my firewall as a bridge as outlined in the following thread and it is working perfectly.
https://forum.pfsense.org/index.php?topic=75296.msg411660#msg411660
The router's IP is assigned to the bridge interface and firewall rules are assigned to both the WAN and LAN interfaces, with an Any / Any rule on the bridge itself.
I now wish to implement OpenVPN having already set it up some years ago and was working fine.
This time I have gone through the wizard and successfully configured the OpenVPN server, exported the Windows installer via the Client Export package, installed it as administrator on Windows 7 x64 and successfully connected remotely. I have therefore confirmed that the Any / Any rule for OpenVPN is present and correct. The problem is the old favourite of I can't connect / ping / RDP to anything on the LAN side. I can only ping the VPN server itself.
It looks like the correct route is being pushed to the client because I can see it in the routing table.
Any pointers would be great as I’ve been trying to get this going for a week now.
-
"The problem is the old favourite of I can’t connect / ping / RDP to anything on the LAN side. I can only ping the VPN server itself. "
And the old fav answer is: did you configure the firewall on the client to allow you to ping it or RDP to it from a different segment? The Windows firewall by default would not answer pings or allow RDP etc. from a network other than its local one.
-
Hello, yes - I had a fully working configuration for many years, well at least since I created the code-red theme that is included in every pfSense build :P
A couple of weeks ago I decided to turn my pfSense routing firewall into a filtered bridge so that the wireless devices hanging off the Sky modem would appear in the same subnet as the LAN devices. This now works a treat. On trying to reinstate OpenVPN I have hit the old routing problem, but this time I suspect the problem is due to a different issue.
I think, talking to my Cisco-trained mate at work, the problem is that the default gateway for the LAN devices is the Sky modem and not the filtered bridge, therefore the returning packets are going to the Sky modem and not back up the 200.x VPN tunnel.
I will try changing one VM's default gateway to that of the pfSense filtered bridge and hope that this does not in turn break internet connectivity, i.e. that the internet-bound packets will still be forwarded on to the Sky modem when the firewall is operating in this bridge mode.
Many thanks, will report back either way.
-
Ah, I didn't catch that you had a different default route on the VPN local network. Yes, if a remote client needs to talk to the VPN client, it is going to have to have the correct routing back to it. This is normally not an issue because the VPN-side devices would use pfSense as their normal gateway, and pfSense knows how to route traffic down its VPN connection to the VPN clients, etc.
But if a VPN client comes in with IP a.b.c.d, the box you're talking to needs to know to route that traffic back to the pfSense box to go back through the VPN to get to the remote guy.
-
Hello,
Sorry for the late reply - reporting back.
This issue is now resolved for me. It was, as suspected, that I needed to set the pfSense firewall as the default gateway for the LAN devices so that the packets are routed back up the tunnel. The Sky modem knows nothing of the .200.x network so would have dropped the returning packets.
One issue that remains is that if the pfSense firewall is set as the default gateway for the WAN-side devices (wireless laptops & tablets) they have poor internet performance (buffering & retries). I think this is down to some issue with the packets coming in and going out of the same interface or something, IDK.
If I set the default gateway for the WAN-side devices (the WAN side of the pfSense firewall) to the IP address of the Sky modem (using the DHCP scope to do this) everything is fine, but then the pfSense box is no longer filtering their outbound traffic. I can live with that for now.
Thanks for your time, and hope one day this post helps someone.
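The asymmetric-routing problem described in the two posts above (the LAN host replies to the VPN client via its default gateway, the Sky modem, which has no route for the tunnel subnet) can be made concrete with a small longest-prefix-match simulation. This is an added example, not code from the thread or from pfSense. The addresses are assumptions: the thread only says "100.x" and "200.x", so 192.168.100.0/24 is taken as the bridged LAN, 192.168.200.0/24 as the OpenVPN tunnel subnet, 192.168.100.1 as the Sky modem and 192.168.100.254 as the pfSense bridge IP (the last two do appear later in the thread). The third scenario generalises johnpoz's point: instead of flipping the host's default gateway, a host-specific static route for the tunnel subnet pointing at pfSense also returns replies through the tunnel while internet traffic keeps going to the Sky modem; that option is an assumption not tested by the poster.

```python
import ipaddress

# Constructed addresses (assumption, not stated this precisely in the thread).
SKY_MODEM = "192.168.100.1"        # consumer modem/router, LAN hosts' default gateway
PFSENSE_BRIDGE = "192.168.100.254" # pfSense filtered bridge IP
VPN_CLIENT = "192.168.200.6"       # a remote OpenVPN client on the tunnel subnet
LAN_NET = "192.168.100.0/24"
VPN_NET = "192.168.200.0/24"

# Special next-hop markers (anything else is an IP of the next router).
CONNECTED, TUNNEL, ISP = "connected", "tunnel", "isp"
DEVICE_BY_IP = {SKY_MODEM: "sky_modem", PFSENSE_BRIDGE: "pfsense"}

# Sky modem: knows its LAN and sends everything else upstream to the ISP.
SKY_MODEM_ROUTES = [(LAN_NET, CONNECTED), ("0.0.0.0/0", ISP)]
# pfSense: knows its bridged LAN and has the OpenVPN route to the tunnel subnet.
PFSENSE_ROUTES = [(LAN_NET, CONNECTED), (VPN_NET, TUNNEL)]


def lan_host_routes(default_gw, extra=()):
    """Routing table of a LAN host: connected LAN, optional static routes, default."""
    return [(LAN_NET, CONNECTED), *extra, ("0.0.0.0/0", default_gw)]


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None means no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def trace(tables, start, dst, max_hops=6):
    """Follow a packet from device `start` through each hop's table until it is
    delivered on-link, handed to the tunnel, sent to the ISP, or dropped."""
    path, device = [start], start
    for _ in range(max_hops):
        gw = next_hop(tables[device], dst)
        if gw is None:
            path.append("DROP (no route)")
            return path
        if gw == CONNECTED:
            path.append(f"deliver on-link to {dst}")
            return path
        if gw == TUNNEL:
            path.append(f"deliver via OpenVPN tunnel to {dst}")
            return path
        if gw == ISP:
            # The modem has no idea where 192.168.200.0/24 lives: the reply leaves
            # towards the ISP (or is dropped) and never reaches the tunnel.
            path.append("forwarded to ISP, never reaches the tunnel")
            return path
        device = DEVICE_BY_IP[gw]
        path.append(device)
    path.append("LOOP")
    return path


def reply_path(default_gw, extra=(), dst=VPN_CLIENT):
    """Path taken by a LAN host's reply to `dst` for a given host routing setup."""
    tables = {
        "lan_host": lan_host_routes(default_gw, extra),
        "sky_modem": SKY_MODEM_ROUTES,
        "pfsense": PFSENSE_ROUTES,
    }
    return trace(tables, "lan_host", dst)


if __name__ == "__main__":
    # 1. As originally configured: default gateway = Sky modem, reply is lost.
    print("broken  :", " -> ".join(reply_path(SKY_MODEM)))
    # 2. The poster's fix: default gateway = pfSense bridge, reply goes up the tunnel.
    print("gw flip :", " -> ".join(reply_path(PFSENSE_BRIDGE)))
    # 3. Assumed alternative: keep the Sky modem as default, add one static route.
    static = [(VPN_NET, PFSENSE_BRIDGE)]
    print("static  :", " -> ".join(reply_path(SKY_MODEM, static)))
    # Internet-bound traffic (constructed TEST-NET address) still goes to the modem.
    print("internet:", " -> ".join(reply_path(SKY_MODEM, static, dst="203.0.113.10")))
```

Scenario 3 is the one a practitioner would usually try first, because it changes only the route for the tunnel subnet on the hosts that need it and leaves everything else, including the WAN-side wireless clients' performance problem, untouched.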
-
"default gateway for the WAN side devices"
What? You're trying to use the WAN as the gateway for clients? What rules did you set? That is not a common configuration, no.
If you want to use pfSense as your router, then turn off the wifi on your Sky box, turn it into just a modem if possible so the pfSense WAN gets a public IP - so you're not double NATting. And then connect a wireless AP on the LAN side of pfSense. Any wireless router can be used as an AP.
-
"If you want to use pfSense as your router, then turn off the wifi on your Sky box, turn it into just a modem if possible so the pfSense WAN gets a public IP - so you're not double NATting. And then connect a wireless AP on the LAN side of pfSense. Any wireless router can be used as an AP."
Yeah, I had it this way some years back when I had 3 x NTL modems and a 3Com AP. I don't have a separate AP anymore but this way works just fine, well, kind of.
"default gateway for the WAN side devices"
What? You're trying to use the WAN as the gateway for clients? What rules did you set? That is not a common configuration, no.
I was of course referring to the WAN side of the pfSense firewall (which is in transparent / bridge mode), which is still on the LAN side of the Sky modem router. I now have in effect two gateways to choose from on the same 100.x network, 192.168.100.254 & 192.168.100.1.
If I set all the clients to use 100.254 then any internet packets are sent on to 100.1 and then on to the ISP GW, or up the VPN if destined for 200.x.
However, if laptops and tablets (on the WAN side of the bridge but the LAN side of the modem) are set to use 100.254, internet access is sluggish and confused for them, but still works. So I have to set laptops and tablets to use 100.1; not a massive problem, but I lose control of their outbound traffic.
If I can fix this one bit by messing about with things I have yet to learn I will do, but in the meantime it is a very good, clever working solution. For me anyway.
Thanks.