Cannot get internet connectivity for LAN and VPN_LAN clients at the same time



  • I am trying to configure my first pfSense 2.2.2 install, but running into trouble with the routing of traffic when the openvpn client is configured. Basically, if I enable the VPN client, all devices in the VPN LAN have internet access, while devices in my normal LAN don't, and vice-versa. It seems that the vpn client alters the pfsense routing table, from a server push request, to force ALL traffic through the vpn_wan gateway, but if I select the -nopull option to stop that, the LAN traffic can pass out the WAN, but the LAN_VPN has no route out anymore!

    What I am trying to do is the following:

    • Three local LANS.
          - LAN:        10.10.10.0/24
          - LAN_VPN: 10.10.20.0/24 (VPN client net)
          - VPN_LAN: 10.10.30.0/24 (Remote Access clients net)

    • LAN traffic reaches internet through WAN.

    • LAN_VPN traffic reaches internet through VPN_WAN.

    • Local traffic can pass between LAN, LAN_VPN, & Remote Access clients.

    • DNS resolver is used for LAN only.

    • LAN_VPN uses external DNS through VPN tunnel, assigned by interface.

    Basically I have tried to follow the following guides without much luck: http://irj972.co.uk/articles/pfSense-VPN-setup & https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/.

    Can anybody provide any guidance, based on the attached pics of my config??

    Much appreciated.

    Edit: Network diagram

    NAT Outbound:

    LAN Rules:

    LAN_VPN Rules:

    LAN_VPN DHCP:

    -nopull Routing Table:



  • when using the -nopull option, you need to assign an interface to your openvpn instance (interfaces–>assign--><+>-->ovpncx)

    then goto interfaces-->optx--> set type to 'none' ---> save
    you should now have a gateway / if you don't create a gateway for the optx interface.
    use the gateway in your vpn_lan firewall rules

    oh yeah, you probably need to create some 'PASS' rules on the optx interface and if you have manual NAT, you'd have to sort that too



  • Thanks heper.

    I think I already have that interface, named VPN_WAN, which i identify in NAT and lan_vpn already right?
    If I add PASS rules on the VPN_WAN gateway, wouldn't that be only for inbound connections from the internet?? Currently I just have a block all rule…
    See attached pics for VPN_WAN gateway and firewall details.

    ![2015-05-25 08.13.47.jpg](/public/imported_attachments/1/2015-05-25 08.13.47.jpg)
    ![2015-05-25 08.13.47.jpg_thumb](/public/imported_attachments/1/2015-05-25 08.13.47.jpg_thumb)



  • Bump.

    So referencing my LAN_VPN rules i have attached, what do I need to change to route that lan out the VPN WAN??


  • LAYER 8 Netgate

    This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.



  • @Derelict:

    This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.

    Diagram added.


  • LAYER 8 Netgate

    There is no reason to set the gateway on your LAN rules to WAN_PPPOE.  Set it back to default.  If you REALLY need to policy route everything out WAN_PPPOE, you need to bypass policy routing for everything that needs to route elsewhere, such as traffic from LAN to LAN_VPN.

    With one WAN there is no reason to use policy routing.  Set it to default.  Note that you also need to bypass policy routing on LAN_VPN if you want those hosts to be able to access any "local" resources like LAN.

    https://doc.pfsense.org/index.php/What_is_policy_routing

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    What is in the VPN_DNS alias?

    Are you sure you are having a traffic routing problem or a DNS problem?  I am not sure about the policy routing out the VPN with the /32 routes in the table for 8.8.8.8 and 8.8.4.4 since you have those name servers "glued" to WAN_PPPOE in pfSense and you're trying to policy route the same DNS servers (Those are the servers you're giving to LAN_VPN clients via DHCP).

    For instance, with the VPN connection up can you ping 208.67.222.222 from Host A2?



  • Derelict, thanks for providing some help here. I have updated the pics in my original post to reflect some changes, as directed by yourself.

    Unfortunately, I still cannot get Internet connectivity out the VPN subnet, while using the -nopull option. I updated the monitor IP for the VPN_WAN gateway to 8.8.8.8, and interestingly that allows me to ping that particular IP out the VPN, but nothing else. i.e. I cannot ping 208.67.222.222 from the LAN_VPN subnet unless I set it to be the monitor IP for the VPN_WAN gateway.

    @Derelict:

    What is in the VPN_DNS alias?

    This was just and alias for 8.8.8.8 & 8.8.4.4

    Any other hints or advice?


  • LAYER 8 Netgate

    You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?



  • @Derelict:

    You don't have any old IPsec configs or anything covering 10.10.20.0/24 do you?

    Nope. This is a fresh install with openvpn only.


  • LAYER 8 Netgate

    Don't know, dude.  It works every time I do it.


Log in to reply