[solved]pfSense TAP config: can't see LAN clients, no broadcast
We are moving from Endian FW to pfSense 2.2.1. Our staff uses OpenVPN to get access to their PCs via remote desktop. We need to use broadcast packets for Wake on LAN, so I learned that we have to use TAP.
I tried to replicate our working OpenVPN setting from Endian, but on pfSense I can't see other clients when connecting over OpenVPN. Using my network scanner I can see just my own IP.
I'm reading a lot, but I didn't find any thread which was helpful for me. Most people are using TUN, lots of posts didn't give enough details.
I compared our pfSense OpenVPN server config to our old working setup, but didn't find any relevant differences. The only real difference is "–multihome": that isn't relevant in our new setup (just one WAN/ one LAN interface).
I read several OpenVPN docs, googled a lot, did a lot of testing with several different configs, but didn't find a solution.
I saw a reference to a tutorial using an additional bridge interface, but from my understanding TAP is already bridging, so I shouldn't need that.
Here is our setting:
Two NICs: WAN + LAN
There are two VPN servers running: one for TUN (port 1194), one for TAP (port 1196).
TUN is not of interest at the moment, we are just looking at TAP. (Running or stopping TUN server doesn't seem to affect our TAP connection):
dev ovpns1 verb 1 dev-type tap dev-node /dev/tap1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh local xx.xx.xx.xx engine cryptodev tls-server server-bridge 192.168.10.1 255.255.255.0 192.168.10.240 192.168.10.250 client-config-dir /var/etc/openvpn-csc auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN' 1" lport 1196 management /var/etc/openvpn/server1.sock unix max-clients 6 push "route 192.168.10.0 255.255.255.0" push "dhcp-option DOMAIN ourdomain.local" push "register-dns" client-to-client ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server1.tls-auth 0 passtos persist-remote-ip float
Our client config:
dev tap persist-tun persist-key cipher AES-256-CBC auth SHA256 tls-client client resolv-retry infinite remote ourdyn.domain 1196 udp lport 0 verify-x509-name "our VPN" name auth-user-pass pkcs12 pfSense-udp-1196.p12 tls-auth pfSense-udp-tls.key 1 ns-cert-type server passtos
My route shows (client on Win 8.1 - rough translation):
target mask gateway interface metric
0.0.0.0 0.0.0.0 10.156.191.194 10.156.191.196 296
10.156.191.0 255.255.255.0 Connected 10.156.191.196 296
10.156.191.196 255.255.255.255 Connected 10.156.191.196 296
10.156.191.255 255.255.255.255 Connected 10.156.191.196 296
127.0.0.0 255.0.0.0 Connected 127.0.0.1 306
127.0.0.1 255.255.255.255 Connected 127.0.0.1 306
127.255.255.255 255.255.255.255 Connected 127.0.0.1 306
192.168.10.0 255.255.255.0 Connected 192.168.10.240 276
192.168.10.0 255.255.255.0 192.168.10.1 192.168.10.240 21
192.168.10.240 255.255.255.255 Connected 192.168.10.240 276
192.168.10.255 255.255.255.255 Connected 192.168.10.240 276
192.168.56.0 255.255.255.0 Connected 192.168.56.1 276
192.168.56.1 255.255.255.255 Connected 192.168.56.1 276
192.168.56.255 255.255.255.255 Connected 192.168.56.1 276
126.96.36.199 240.0.0.0 Connected 127.0.0.1 306
188.8.131.52 240.0.0.0 Connected 192.168.56.1 276
184.108.40.206 240.0.0.0 Connected 10.156.191.196 296
220.127.116.11 240.0.0.0 Connected 192.168.10.240 276
255.255.255.255 255.255.255.255 Connected 127.0.0.1 306
255.255.255.255 255.255.255.255 Connected 192.168.56.1 276
255.255.255.255 255.255.255.255 Connected 10.156.191.196 296
255.255.255.255 255.255.255.255 Connected 192.168.10.240 276
See attachments for our FW settings.
Any one any clue what I'm missing here?
Despite what some people told in other threads:
I seems that we need interface bridging to get our setup working.
I followed this old howto and now everything works perfect.
So, to get it short: if your OpenVPN clients should access your whole network, including broadcasting WOL packages, then follow the howto above (and don't listen to guys who tell you TAP doesn't need bridging ;) )
Who was saying that TAP does not need bridging?
It has always needed bridging.
Sorry, I don't remember who it was. I searched a lot here and I don't have time to look for this thread in my browser history.
Anyway, I found the solution and I don't care for this wrong information any more. That's the nature of forums at the internet. Not all information you find is correct ;)