OpenVPN and DHCP
I was sure this was working before, but it's not now - so something may have changed, or more likely I'm crazy … ;). Either way though, it's not working ... :(.
Let me explain my setup. I have two OpenVPN servers - one "inside" pfSense, the other behind it on the LAN side. I use Load Balancing to share them (backup), and it works fine. I can connect to both of them (OpenVPN connection), that part works. When I connect to the machine on the LAN, OpenVPN passes DHCP requests to pfSense, and gets an IP address on the subnet - so I can access all the machines on the subnet remotely. Again, this works great.
However (there has to to a however, doesn't there? ... ;)), when I connect to the pfSense OpenVPN server, I cannot get an IP address from DHCP. I do have the TAP adapter (OpenVPN) and LAN bridged. If I run tcpdump on the LAN interface of pfSense, I can see the DHCP Request and Inform packets ... but pfSense never responds. I have also opened the firewall, to allow packets from TAP to get to the LAN (or I wouldn't see these) - but again, pfSense just won't respond to DHCP requests.
Any thoughts? Anything obviously stupid?
Anything in the openvpn log at the time? Firewall log? System log?
What does the output of "ifconfig -a" show for the OpenVPN tap interface? What about the bridge interface?
Does it help if you Edit/Save/Apply the assigned OpenVPN interface from Interfaces > (whatever you named it)?
I tried adding a floating (firewall) rule, basically allowing all traffic destined for the OpenVPN connection (from LAN or OpenVPN). This Band-Aid seems to work, so the ACK from the DHCP server was being blocked? Does this make sense? I would have thought that the LAN rules would allow traffic on the bridge?
And sort of related … is it captured somewhere what order the firewall rules are applied (i.e. does floating come before LAN)?
Still struggling with firewall rules - can't seem to capture (log) traffic going out the OpenVPN interface … :(. Can capture incoming, not outgoing.
It seems like the DHCP server is not responding to the incoming DHCP request (from tcpdump) - the broadcast message (to 0.0.0.0). It does ACK the Inform message. Thoughts?
OK, I got it figured out … :). BTW, this came from monitoring tcpdump on the LAN and OpenVPN interfaces, seeing differences. Let me explain, in case others have similar issues ...
- You have to add a firewall rule to allow incoming traffic from OpenVPN (any destination is the way I went). This allows some traffic to get to the bridge, but ...
- You have to enable inter-client communications on the OpenVPN server, then broadcast traffic (like DHCP requests) will actually get to the LAN ... if not, they don't, and you don't get an IP address to the OpenVPN client (if you are using the DHCP server in pfSense to assign client addresses for OpenVPN).
After that ... life is good ... 8).
Thanks for the help! And hope this helps others out.
OK, my apologies … :(. It thought I had this working, but not quite. I was fooled by being on my local LAN (for debugging, it's easier), and some traffic "bypassed" the VPN connection. Not working as well once remote.
Trying to debug it, but having a heck of a time with the Firewall Rules. I have added a floating rule (which should be applied first), passing and logging all DHCP traffic between / on LAN and OpenVPN (TAP) ... but it's not catching anything - even though I see the traffic in the DHCP log, and also using tcpdump on the server (LAN interface). Very frustrating ... :(.
Any suggestions on the firewall would be greatly appreciated, as it's hard to debug this blind.