Vlan, LAN and Openvpn



  • Hi!
    I wonder if someone could guide me. Going crazy.
    I want to be able to reach LAN when connected to any external OpenVPN server. Windows OpenVPN client => VLAN => LAN and WAN

    Connection from VLAN to LAN and/or WAN works fine… until I connect OpenVPN from my Windows client. Then I can only reach internet, WAN.

    My configuration:
    Interfaces WAN, LAN, OPT1
    One VLAN (OPT1) from wireless access point.

    Thanks in advance for any help.
    Jonna
    Pfsense 2.26


  • LAYER 8 Global Moderator

    so you're running the vpn on windows itself, most likely that is setting your gateway to vpn, and forces all traffic out your vpn.  If you want to at the same time talk to stuff on your network then you need to alter the configuration so local traffic uses your local connection and not the vpn.

    Why don't you just run a client on pfsense, and then you can use policy based routing to have any device on your network use the vpn, or not, etc..



  • Hi
    Thanks for quick answer!

    I do have an OpenVPN client on the firewall itself also. Some of the stuff is always connected to a VPN server through that.
    But it's nice to be able to sometimes use the laptop (that mostly is connected directly to WAN) and connect quickly to a VPN server without losing the possibility to reach LAN.

    So what you wrote in your answer is exactly what I want to do… without success...

    Jonna


  • LAYER 8 Global Moderator

    what do you mean your laptop is directly connected to wan??  So this laptop is not behind pfsense, and you want to connect to stuff behind pfsense?



  • Oh sorry my mistake!
    Of course I don't connect direct to WAN.
    Everything goes through Pfsense.

    Jonna


  • LAYER 8 Global Moderator

    So you want to go through a different vpn out on the public internet, that you run on your windows client and this traffic goes through pfsense.  But is not policy based routed to the other vpn?  You're not going to try to nest vpn connections are you?  That is not going to be very good performance wise.

    Is this other network you're trying to access on your opt1 network and not the network your laptop is connected to?

    So I have multiple segments.. lan 192.168.9.0/24 but I also have stuff on my 192.168.2.0/24 segment, and etc…  If I connect to a vpn from this windows machine - I can still access stuff that is on the 192.168.9.0/24 but without creating a route to 192.168.2.0/24 then sure that would be broken..

    Here is my windows machine route table.  See how I have routes to 192.168.2.0/24 3.0/24 and 4.0/24, so even when my default route points to a vpn I still know how to connect to those other local networks.

    When I get home I can show you my route table when connected to my vpn how the default route changes out the vpn.




  • I appreciate your help.
    I think I have soon tried all possible firewall combinations there is… no maybe not.... but I've certainly tried very many. Changing settings in NAT and the firewall. After a while I start making more mistakes and have to revert to a saved config file time after time..

    Before I started to use VLAN there was no problem since everything went through the LAN.

    Thanks
    Jonna


  • LAYER 8 Global Moderator

    why are you messing with firewall rules?

    Can your client get to your other network(s) when it's not using its own vpn client?  If so then your firewall rules are fine, and you need to have routes on this client so it knows not to send traffic for your other networks out its vpn connection.



  • Ok
    yes, when I'm not using the VPN client I can connect to everything… so I guess you are right.. I need to fix the routes on the client PC. But how, do you know?

    thanks
    Jonna


  • LAYER 8 Global Moderator

    yes what is your other network(s)..

    Lets say your lan network is 192.168.1.0/24 with pfsense having an IP of 192.168.1.1, your other network off pfsense lets call it 192.168.2.0/24 with pfsense having an IP of 192.168.2.1 in this network.

    So if you're on 192.168.1.100 say for your client that uses the vpn, and you want to get to say something on 192.168.2.14 on the vpn client box just create a route.

    from an elevated cmd prompt

    route add 192.168.2.0 mask 255.255.255.0 192.168.1.1

    Then look in your route table with route print

    Now you should be able to get to stuff on 192.168.2.0/24 even when you have vpn client connected on that 192.168.1.100 box.
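    The same fix as an added PowerShell example (not from this thread): it binds a route for each local segment to the LAN NIC via the pfSense LAN address and then checks which next hop Windows would actually use, so a route that did not take is visible immediately. It assumes the addressing used above (LAN 192.168.1.0/24, pfSense at 192.168.1.1, other segment 192.168.2.0/24); the extra 192.168.3.0/24 entry is a placeholder to show several segments at once.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# on the Windows box that runs the OpenVPN client.
$LanGateway   = '192.168.1.1'                          # pfSense LAN address (assumption)
$LocalSubnets = @('192.168.2.0/24', '192.168.3.0/24')  # segments behind pfSense (placeholder list)

# Pick the physical interface that sits on the LAN so the routes are bound to
# it and not to the TAP/TUN adapter the VPN client creates.
$lanIf = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '192.168.1.*' } |
    Select-Object -First 1
if (-not $lanIf) { throw 'No interface with an address on the LAN segment was found.' }

foreach ($prefix in $LocalSubnets) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Route for $prefix already present via $($existing.NextHop)"
        continue
    }
    # A specific /24 is more specific than the default route (or the
    # 0.0.0.0/1 + 128.0.0.0/1 pair) that OpenVPN installs, so this traffic
    # stays off the tunnel. ActiveStore = not persistent across reboots.
    New-NetRoute -DestinationPrefix $prefix `
                 -InterfaceIndex $lanIf.InterfaceIndex `
                 -NextHop $LanGateway `
                 -PolicyStore ActiveStore | Out-Null
    Write-Host "Added $prefix via $LanGateway on ifIndex $($lanIf.InterfaceIndex)"
}

# Verify: ask the stack which route it would choose for a host on each segment.
# Next hop == LAN gateway means the traffic bypasses the VPN; anything else
# means the VPN's default route still wins for that destination.
foreach ($prefix in $LocalSubnets) {
    $probe = ($prefix -split '/')[0] -replace '\.0$', '.14'   # e.g. 192.168.2.14
    $route = (Find-NetRoute -RemoteIPAddress $probe)[1]      # [0] is the source address object
    $state = if ($route.NextHop -eq $LanGateway) { 'OK (via LAN)' } else { 'WARNING: not via LAN gateway' }
    '{0,-16} -> next hop {1,-16} ifIndex {2,-4} {3}' -f $probe, $route.NextHop, $route.InterfaceIndex, $state
}
```

    Use `-PolicyStore PersistentStore` instead if the routes should survive a reboot, which matches `route add -p` in cmd.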


  • LAYER 8 Global Moderator

    I saw your pm, but could not post pictures..

    Here see how I can access my printer on different segment, even when I connect to my vpn - because I have a route!

    See my public IP is now showing vpn IP.
