Openvpn – Pfsense 2.1 OpenVPN can’t reach servers on the LAN


I have a small network set up like this:

[network diagram]

I have a Pfsense for connecting my servers to the WAN, they are using NAT from the LAN -> WAN.

I have an OpenVPN server using TAP to allow remote workers to be put on the same LAN network as the servers.

  • They connect through the WAN IP to the OVPN interface.
  • The LAN interface also serves as the gateway for the servers to get internet connection and has an IP of 10.25.255.254
  • The OVPN Interface and the LAN interface are bridged in BR0
  • Server A has an IP of 10.25.255.1 and is able to connect to the internet
  • Client A is connecting through the VPN and is assigned an IP address on its TAP interface of 10.25.24.1 (I reserved a /24 within the 10.25.0.0/16 for VPN clients)
  • Firewall currently allows any-any connection OVPN towards LAN and vice versa

Currently when I connect, all routes seem fine on the client side:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
300.300.300.300 0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.25.0.0       10.25.255.254   255.255.0.0     UG    0      0        0 tap0
10.25.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tap0
0.0.0.0         300.300.300.300 0.0.0.0         UG    0      0        0 eth0

I can ping the LAN interface:

root@server:# ping 10.25.255.254

PING 10.25.255.254 (10.25.255.254) 56(84) bytes of data.
64 bytes from 10.25.255.254: icmp_req=1 ttl=64 time=7.65 ms
64 bytes from 10.25.255.254: icmp_req=2 ttl=64 time=7.49 ms
64 bytes from 10.25.255.254: icmp_req=3 ttl=64 time=7.69 ms
64 bytes from 10.25.255.254: icmp_req=4 ttl=64 time=7.31 ms
64 bytes from 10.25.255.254: icmp_req=5 ttl=64 time=7.52 ms
64 bytes from 10.25.255.254: icmp_req=6 ttl=64 time=7.42 ms

But I can't ping past the LAN interface:

root@server:# ping 10.25.255.1
PING 10.25.255.1 (10.25.255.1) 56(84) bytes of data.
From 10.25.255.254: icmp_seq=1 Redirect Host(New nexthop: 10.25.255.1)
From 10.25.255.254: icmp_seq=2 Redirect Host(New nexthop: 10.25.255.1)

I ran a tcpdump on my em1 interface (LAN interface which has the IP of 10.25.255.254)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
08:21:13.449222 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 10, length 64
08:21:13.458211 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:14.450541 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 11, length 64
08:21:14.458431 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:15.451794 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 12, length 64
08:21:15.458530 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:16.453203 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 13, length 64

So traffic is reaching the LAN interface; it's also passed to the host, and the host replies. But the traffic is not put on the LAN interface.

Best Answer

The problem wasn't with openvpn or the pfsense appliance, rather with the VMWare vSwitch. If you are running pfsense in VMWare you should change the vSwitch "Promiscuous Mode" associated with your pfsense networks from reject to accept. If you do not do this then the only host the OpenVPN bridged client will see is the pfsense server itself.

There is also an implicit rule on the firewall which can't be seen on the UI. You need to scrutinize the PF log and manually disable the rule.
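The tcpdump capture in the question shows the tell-tale symptom of this bridging fault: ARP requests for 10.25.255.1 keep leaving em1, yet no "is-at" reply ever comes back, while the pfSense address itself answers normally. The script below is an added example, not code from the thread, that tallies ARP and ICMP echo request/reply pairs from tcpdump text so that such silent hosts stand out; the sample capture is constructed in the same format as the one above (the MAC address is made up).

```python
import re
from collections import defaultdict

# Constructed sample in the format of the question's tcpdump output (not the original data).
SAMPLE_CAPTURE = """\
08:21:13.449222 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 10, length 64
08:21:13.458211 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:14.450541 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 11, length 64
08:21:14.458431 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:15.000000 ARP, Request who-has 10.25.255.254 tell 10.25.24.1, length 28
08:21:15.000500 ARP, Reply 10.25.255.254 is-at 00:0c:29:aa:bb:cc, length 28
08:21:15.001000 IP 10.25.24.1 > 10.25.255.254: ICMP echo request, id 23624, seq 1, length 64
08:21:15.008000 IP 10.25.255.254 > 10.25.24.1: ICMP echo reply, id 23624, seq 1, length 64
"""

ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]+)")
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def analyze_capture(text):
    """Map each target host to its ARP/ICMP request and reply counts."""
    stats = defaultdict(lambda: {"arp_requests": 0, "arp_replies": 0,
                                 "echo_requests": 0, "echo_replies": 0})
    for line in text.splitlines():
        if m := ARP_REQ.search(line):
            stats[m.group(1)]["arp_requests"] += 1      # who-has <target>
        elif m := ARP_REP.search(line):
            stats[m.group(1)]["arp_replies"] += 1       # <target> is-at <mac>
        elif m := ICMP.search(line):
            src, dst, kind = m.group(1), m.group(2), m.group(3)
            if kind == "request":
                stats[dst]["echo_requests"] += 1        # echo sent to <target>
            else:
                stats[src]["echo_replies"] += 1         # echo answered by <target>
    return dict(stats)


def silent_hosts(stats):
    """Hosts that were ARPed for but never answered: on a bridged TAP setup this
    points at a switch port dropping frames for unknown MACs (e.g. the vSwitch
    'Promiscuous Mode' left on Reject), not at OpenVPN or the firewall rules."""
    return sorted(h for h, s in stats.items()
                  if s["arp_requests"] > 0 and s["arp_replies"] == 0)


if __name__ == "__main__":
    result = analyze_capture(SAMPLE_CAPTURE)
    for host, s in sorted(result.items()):
        print(host, s)
    print("silent hosts:", silent_hosts(result))
```

Feed it a live capture with `tcpdump -ni em1 'arp or icmp' | python3 script.py`-style piping by reading stdin instead of SAMPLE_CAPTURE; a host that appears in the silent list while pfSense itself answers is exactly the pattern the accepted answer attributes to the vSwitch.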