Firewall Rules and OpenVPN

  • Hello, I have a point-to-point VPN between two pfSense firewalls.
    Under the OpenVPN Interface tab I have a firewall rule that permits all.
    Under the LAN Interface tab I have a rule that permits IPv4 LAN Net, all ports, to the RemoteNetwork. I have screenshots of both.

    For some reason I can only access two addresses in the network: the pfSense internal interface and the file server. I have two other devices that I cannot reach. I log into the remote pfSense and they can be pinged from the remote firewall. I don't get why. I checked the firewall logs and I see it allowing traffic based on the LAN rule I mentioned earlier.

    What could be the possible problem? How can I troubleshoot it?

    ![OpenVPN Rule.png](/public/imported_attachments/1/OpenVPN Rule.png)
    ![LAN Interface Rule.png](/public/imported_attachments/1/LAN Interface Rule.png)

  • How did you try to reach the other hosts? Ping?
    Is there a firewall running on those hosts? Windows, for instance, doesn't respond to pings from unknown subnets by default. You have to adjust your firewall to allow it.

  • Thanks for the reply. I was able to ping the devices by logging into the remote pfSense and using the Diagnostic tool there to ping it. I just can ping it from my computer on the local side. So again, I can reach some remote devices but not others. I don't get it. The logs are not showing me much at all. Or I am not looking in the right place.

  • If you ping the hosts from pfSense, the ping comes from the local subnet. If you ping over VPN, it comes from a different subnet. Some sw firewalls block this by default.

    But there could also be other reasons for that:
    If the host you try to access uses another default gateway than pfSense, responses will be sent to that gateway and not go back to the VPN client.
    Or the routes are not set correctly on the client, so that the part of the subnet which includes the host isn't routed over VPN. So check the routes.
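
The two routing causes named in the last reply (a reply leaving through another default gateway, and a client route that covers only part of the remote subnet) can be checked offline with a longest-prefix lookup in both directions. This is an added example, not part of the thread; every address, the interface name `ovpnc1` and the per-host routing tables are constructed sample data, and it assumes the tunnel does not NAT, so remote hosts see the client's LAN address as the source.

```python
import ipaddress

def lookup(dst, routes):
    """Longest-prefix match: return the (network, next_hop) a packet to dst uses."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def diagnose(client_ip, client_routes, vpn_if, remote_gw, hosts):
    """For each remote host, check the forward route and the return path."""
    report = {}
    for name, (ip, host_routes) in hosts.items():
        fwd = lookup(ip, client_routes)
        if fwd is None or fwd[1] != vpn_if:
            report[name] = "request not routed over VPN"
            continue
        # Reply path: where does the host send packets addressed to the client?
        back = lookup(client_ip, host_routes)
        if back is None or back[1] != remote_gw:
            report[name] = "reply sent to another gateway"
        else:
            report[name] = "ok"
    return report

# Constructed sample data (all addresses are made up for illustration).
CLIENT_IP = "192.168.1.50"
CLIENT_ROUTES = [("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan"),
                 ("192.168.20.0/25", "ovpnc1")]  # remote LAN routed as /25 only
REMOTE_PFSENSE = "192.168.20.1"                  # remote pfSense LAN address
VIA_PFSENSE = [("192.168.20.0/24", "on-link"), ("0.0.0.0/0", "192.168.20.1")]
VIA_OTHER = [("192.168.20.0/24", "on-link"), ("0.0.0.0/0", "192.168.20.126")]
HOSTS = {
    "file server": ("192.168.20.10", VIA_PFSENSE),
    "camera": ("192.168.20.60", VIA_OTHER),      # uses a different default gateway
    "printer": ("192.168.20.200", VIA_PFSENSE),  # outside the /25 the client routes
}

if __name__ == "__main__":
    result = diagnose(CLIENT_IP, CLIENT_ROUTES, "ovpnc1", REMOTE_PFSENSE, HOSTS)
    for name, verdict in result.items():
        print(f"{name:12} {verdict}")
```

A host that reports "ok" here but still does not answer points back to the first cause in the reply, a firewall on the host itself.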
