Access to LAN only *AFTER* ping.
-
Yes. You are correct. There is a gateway to 172.28.35.22 for all 172.28.40.0/24 traffic. Thanks for the info! This is exactly what I thought. I went ahead and moved the VPN server to the pfSense gateway and everything seems to be working as expected. Thanks again for all your replies and help. I certainly appreciate it.
-
I think your LAN hosts don't know the way to your VPN client and send their packets to the default gateway.
You should add a NAT rule to the VPN server, translating the source IP of packets from VPN clients to the server's LAN IP when they are going to the LAN network.
-
Thanks for the reply. On the firewall/gateway, I currently have an additional gateway setup (vpn server) and also a static route that points all VPN network traffic to the VPN server. Is this not the correct way to do it? Should I remove these and use NAT instead? If so, what would the proper way to add a NAT rule to translate the source be?
No. You need a NAT rule on your VPN server for fixing that, not on pfSense. A VPN server is also a router on the other side and should be able to do NAT.
The NAT rule must translate the whole traffic coming from VPN clients to the server's LAN IP (172.28.35.22). This way, response packets from other hosts are addressed to 172.28.35.22 and enter the VPN server, where they are translated to client IPs.
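As an added illustration of the source-NAT fix described in the reply above (this is example code, not something posted in the thread), here is what that rule looks like on a Linux VPN server using iptables. The VPN client subnet 172.28.40.0/24 and the server's LAN IP 172.28.35.22 come from the thread; the LAN subnet 172.28.35.0/24, the LAN interface name `eth0`, and the use of Linux/iptables on the VPN server are assumptions. The script builds the rules as strings first so they can be reviewed in a dry run, and only applies them when `APPLY=1` is set and it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: SNAT on a Linux VPN server so that
# LAN hosts see VPN-client traffic as coming from the server's own LAN IP.
# LAN hosts then reply to 172.28.35.22 (which they can already reach),
# and conntrack maps the replies back to the VPN client addresses.

VPN_NET="172.28.40.0/24"      # VPN client subnet (from the thread)
SERVER_LAN_IP="172.28.35.22"  # VPN server's LAN address (from the thread)
LAN_NET="172.28.35.0/24"      # assumed LAN subnet
LAN_IF="eth0"                 # assumed LAN-facing interface on the VPN server

# Only traffic from VPN clients *to the LAN* is translated, matching the
# advice "when they are going to the LAN network"; other destinations keep
# their original source address.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j SNAT --to-source %s\n' \
        "$VPN_NET" "$LAN_NET" "$LAN_IF" "$SERVER_LAN_IP"
}

# Forwarding policy: VPN clients may open connections to the LAN; LAN hosts
# only get back in for replies to existing connections (least privilege).
forward_rules() {
    printf 'iptables -A FORWARD -s %s -d %s -o %s -j ACCEPT\n' \
        "$VPN_NET" "$LAN_NET" "$LAN_IF"
    printf 'iptables -A FORWARD -s %s -d %s -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_NET" "$VPN_NET" "$LAN_IF"
}

# Apply the generated rules; requires root and IP forwarding on the server.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    snat_rule | sh
    forward_rules | sh
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    echo "# Dry run. Review, then run as root with APPLY=1 to apply:"
    snat_rule
    forward_rules
fi
```

One trade-off worth knowing before choosing this over the static-route approach the original poster ended up with: once SNAT is in place, every LAN host's logs (SSH, web, file servers) will record connections as coming from 172.28.35.22 rather than from the individual VPN client. Any attribution of which VPN user touched which LAN host then has to come from the VPN server's own connection-tracking or session logs, so keep those if you need an audit trail.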