Netgate Discussion Forum

    Cannot connect to LAN from VPN

      sacksd

      So I have set up OpenVPN on my PFSense server using the wizard and following the instructions. However, I can access any LAN computers. I have fought this for way too many hours now. I've read just about every related forum entry and I cannot understand why this is not working. Here are my details. Maybe someone can see something that I am missing.

      I am using PFSense as our gateway, DHCP server, Firewall and OpenVPN server.
      Tunnel Network: 10.0.8.0/24
      Local Network: 10.21.0.0/16
      I am using Windows as my client OS and used the VPN client downloaded from PFSense.

      Like most, I attach to the VPN just fine. I am assigned 10.0.8.6 as my IP and my gateway is 10.0.8.5.
      I can ping and open the web console for PFSense just fine through the VPN.
      I have the standard firewall rules (anything to anything) for the LAN and the OpenVPN.

      I can ping IPs on my LAN using PFSense, but not through the VPN.

      Any help would be appreciated. I'll see if I can upload images.

        viragomann

        I assume your LAN is 10.21.0.0/16. And you have entered this in the Local Networks field of your OVPN server configuration so that the route gets pushed to the client?

        Another reason could be that the IP you want to access from the client is part of a network range which is configured on one of its interfaces.

        With which IP can you reach your pfSense? The OVPN gateway 10.0.8.5, WAN or LAN IP?

          sacksd

          So I can get into my PFSense using its LAN IP, which is 10.21.26.254, and I can get in using 10.0.8.1.

          Here is my computer's route table. You can see that it is using 10.0.8.5 as its gateway, which I assume is correct:

          Network Destination        Netmask          Gateway      Interface  Metric
                    0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.120    10
                  10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    20
                  10.0.8.4  255.255.255.252        On-link          10.0.8.6    276
                  10.0.8.6  255.255.255.255        On-link          10.0.8.6    276
                  10.0.8.7  255.255.255.255        On-link          10.0.8.6    276
                  10.21.0.0      255.255.0.0        10.0.8.5        10.0.8.6    20
                  127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                  127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
            127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                169.254.0.0      255.255.0.0        On-link    169.254.46.53    261
              169.254.46.53  255.255.255.255        On-link    169.254.46.53    261
            169.254.255.255  255.255.255.255        On-link    169.254.46.53    261
                192.168.1.0    255.255.255.0        On-link    192.168.1.120    266
              192.168.1.120  255.255.255.255        On-link    192.168.1.120    266
              192.168.1.255  255.255.255.255        On-link    192.168.1.120    266
                  224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                  224.0.0.0        240.0.0.0        On-link          10.0.8.6    276
                  224.0.0.0        240.0.0.0        On-link    169.254.46.53    261
                  224.0.0.0        240.0.0.0        On-link    192.168.1.120    266
            255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
            255.255.255.255  255.255.255.255        On-link          10.0.8.6    276
            255.255.255.255  255.255.255.255        On-link    169.254.46.53    261
            255.255.255.255  255.255.255.255        On-link    192.168.1.120    266

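Added example, not part of any post in this thread: a Python script that parses Windows `route print` output like the table above, does the longest-prefix lookup for a destination, and lists locally attached networks that would take precedence over the pushed 10.21.0.0/16 route (the second cause raised earlier in the thread). The function names are hypothetical and the embedded sample is a subset of the posted table.

```python
import ipaddress

# Constructed sample: a subset of the client route table posted in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.120    10
         10.0.8.1  255.255.255.255        10.0.8.5        10.0.8.6    20
         10.0.8.4  255.255.255.252        On-link          10.0.8.6    276
        10.21.0.0      255.255.0.0        10.0.8.5        10.0.8.6    20
      192.168.1.0    255.255.255.0        On-link    192.168.1.120    266
"""

def parse_routes(text):
    """Parse IPv4 rows of `route print` into dicts; header and junk lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
        except ValueError:
            continue
        routes.append({"net": net, "gateway": f[2], "iface": f[3], "metric": int(f[4])})
    return routes

def select_route(routes, dest):
    """Pick the route a packet to dest uses: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def shadowed_by_local(routes, vpn_net, tunnel_iface):
    """On-link networks on non-tunnel interfaces that sit inside the pushed VPN network.
    Traffic to those addresses stays on the local segment and never enters the tunnel."""
    vpn = ipaddress.ip_network(vpn_net)
    return [r["net"] for r in routes
            if r["gateway"] == "On-link" and r["iface"] != tunnel_iface
            and r["net"].prefixlen < 32 and r["net"].subnet_of(vpn)]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print(select_route(table, "10.21.26.254"))          # pfSense LAN IP from the thread
    print(shadowed_by_local(table, "10.21.0.0/16", "10.0.8.6"))
```

With the posted table the lookup resolves to the tunnel and no local network overlaps, which matches the later observation in the thread that the client side is routing as expected.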
            sacksd

            Here is the route table on the PFSense

            pfsense-route-table.PNG

              sacksd

              Here are my openvpn settings

              pfsense-openvpn-settings.PNG

                sacksd

                Here is the openvpn firewall rule

                pfsense-openvpn-rule.PNG

                  sacksd

                  Here is the LAN rule

                  pfsense-lan-rule.PNG

                    marvosa

                    Post your server1.conf.

                    Looking at what you've posted so far, it appears the tunnel is routing and allowing traffic as expected.  I'm betting your packets are making it to their destination, but getting blocked at the endpoint.  A couple things:

                    • Verify the device you are trying to ping is using PFsense as the default gateway

                    • Assuming you're trying to connect to a Windows machine, remember the Windows Firewall blocks ICMP echo requests by default unless the traffic is sourced from the firewall's local subnet. On Win 7/8 you have to either disable the Windows Firewall or add an explicit rule allowing ICMP echo from all IPs, e.g. -> http://www.sysprobs.com/enable-ping-reply-windows-7

                      On Server 2008/2012, you can enable this inbound rule -> "File and Printer Sharing (Echo Request - ICMPv4-In)"
