OpenVPN client accessing tunnel-network but not complete LAN-network …
-
Hi,
I am testing OpenVPN with pfSense (2.2.6) and used this tutorial for doing the setup : https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
LAN network
192.168.100.0/24
pfSense Gateway 192.168.100.2 (for testing)
normal Gateway 192.168.100.1 (ISP Router)VPN-Tunnel netowork
10.0.8.0/24
OpenVPN Server 10.0.8.1
OpenVPN-Client got IP 10.0.8.6 when connectingI am able to ping / reach the following IPs from the connected OpenVPN-Client :
10.0.8.1
192.168.100.1
192.168.100.2That's all… I am not able to ping / reach any other IPs in the 192.168.100.0/24 network.
As I wrote, I did the setup as explained in the link above. What do I have to do to let the connected OpenVPN clients also reach all IPs in the LAN network ?
Regards Torsten
-
Ok, I got it to work … but I am not sure if it's the best solution / way ... ;-)
I changed the mode for "Firewall => NAT => Outbound" from "Automatic outbound NAT rule generation" to "Hybrid Outbound NAT rule generation" and added the following rule manually :
Interface : LAN
Protocol : any
Source : Network 10.0.8.0/24Is this the recommended way to be able to access my LAN network (192.168.100.0/24) from the VPN-Tunnel network (10.0.8.0/24) while connected via OpenVPN ?
regards Torsten
-
The difference between the tutorial and your setup is that pfSense isn't the default gateway in your LAN.
So if you access your LAN hosts from VPN with the IP 10.0.8.6, the hosts will send responses to the default gateway which is NOT pfSense, since they have no special route for your VPN IP.If pfSense is the default gateway that's no issue anymore.
But if another route is the default gateway, a solution is to do NAT as you have already set up. This is the easiest way and I think, it's sufficient if you have just one VPN client. In consequence, access seems to come from pfSense which has a LAN address and responses are sent back to pfSense.
The other way is to add static route to all your LAN hosts to direct VPN traffic to pfSense.
-
ok … thanks for the info. I also thought about the fact that pfSense is not my default gateway. Because its currently "only" a test, I do not want to modify anything on the current LIVE environment. At the moment, only a Broadband connection with about 6MBit is dirrectly attached to pfSense. Our main broadband connection at the moment with 50 MBit will stay also in future as our main, but then also directly attached to pfSense. Plan is to have the 6Mbit as Fallback. With this planned environment, pfSense will become the default gateway ... ;-)
Regards Torsten