[solved]pfSense TAP config: can't see LAN clients, no broadcast

Stepinsky

We are moving from Endian FW to pfSense 2.2.1. Our staff uses OpenVPN to get access to their PCs via remote desktop. We need to use broadcast packets for Wake on LAN, so I learned that we have to use TAP.
I tried to replicate our working OpenVPN setting from Endian, but on pfSense I can't see other clients when connecting over OpenVPN. Using my network scanner I can see just my own IP.
I'm reading a lot, but I didn't find any thread which was helpful for me. Most people are using TUN, lots of posts didn't give enough details.
I compared our pfSense OpenVPN server config to our old working setup, but didn't find any relevant differences. The only real difference is "–multihome": that isn't relevant in our new setup (just one WAN/ one LAN interface).

I read several OpenVPN docs, googled a lot, did a lot of testing with several different configs, but didn't find a solution.
I saw a reference to a tutorial using an additional bridge interface, but from my understanding TAP is already bridging, so I shouldn't need that.

Here is our setting:

Two NICs: WAN + LAN
Network 192.168.10.0/24

There are two VPN servers running: one for TUN (port 1194), one for TAP (port 1196).
TUN is not of interest at the moment, we are just looking at TAP. (Running or stopping TUN server doesn't seem to affect our TAP connection):

Server config:

dev ovpns1
verb 1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local xx.xx.xx.xx
engine cryptodev
tls-server
server-bridge 192.168.10.1 255.255.255.0 192.168.10.240 192.168.10.250
client-config-dir /var/etc/openvpn-csc
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN' 1"
lport 1196
management /var/etc/openvpn/server1.sock unix
max-clients 6
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DOMAIN ourdomain.local"
push "register-dns"
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
passtos
persist-remote-ip
float

Our client config:

dev tap
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote ourdyn.domain 1196 udp
lport 0
verify-x509-name "our VPN" name
auth-user-pass
pkcs12 pfSense-udp-1196.p12
tls-auth pfSense-udp-tls.key 1
ns-cert-type server
passtos

My route shows (client on Win 8.1 - rough translation):

IPv4-Routentabelle

active routes:
target mask gateway interface metric
0.0.0.0 0.0.0.0 10.156.191.194 10.156.191.196 296
10.156.191.0 255.255.255.0 Connected 10.156.191.196 296
10.156.191.196 255.255.255.255 Connected 10.156.191.196 296
10.156.191.255 255.255.255.255 Connected 10.156.191.196 296
127.0.0.0 255.0.0.0 Connected 127.0.0.1 306
127.0.0.1 255.255.255.255 Connected 127.0.0.1 306
127.255.255.255 255.255.255.255 Connected 127.0.0.1 306
192.168.10.0 255.255.255.0 Connected 192.168.10.240 276
192.168.10.0 255.255.255.0 192.168.10.1 192.168.10.240 21
192.168.10.240 255.255.255.255 Connected 192.168.10.240 276
192.168.10.255 255.255.255.255 Connected 192.168.10.240 276
192.168.56.0 255.255.255.0 Connected 192.168.56.1 276
192.168.56.1 255.255.255.255 Connected 192.168.56.1 276
192.168.56.255 255.255.255.255 Connected 192.168.56.1 276
224.0.0.0 240.0.0.0 Connected 127.0.0.1 306
224.0.0.0 240.0.0.0 Connected 192.168.56.1 276
224.0.0.0 240.0.0.0 Connected 10.156.191.196 296
224.0.0.0 240.0.0.0 Connected 192.168.10.240 276
255.255.255.255 255.255.255.255 Connected 127.0.0.1 306
255.255.255.255 255.255.255.255 Connected 192.168.56.1 276
255.255.255.255 255.255.255.255 Connected 10.156.191.196 296
255.255.255.255 255.255.255.255 Connected 192.168.10.240 276

static routes:
  no

See attachments for our FW settings.

Any one any clue what I'm missing here?

Stepinsky

Despite what some people told in other threads:
I seems that we need interface bridging to get our setup working.
I followed this old howto and now everything works perfect.

So, to get it short: if your OpenVPN clients should access your whole network, including broadcasting WOL packages, then follow the howto above (and don't listen to guys who tell you TAP doesn't need bridging  ;) )

haddock

Who was saying that TAP does not need bridging?

It has always needed bridging.

Stepinsky

Sorry, I don't remember who it was. I searched a lot here and I don't have time to look for this thread in my browser history.
Anyway, I found the solution and I don't care for this wrong information any more. That's the nature of forums at the internet. Not all information you find is correct  ;)