pfSense HA with openVPN multiple VLAN

Hi,

I just finished to get my pfSense to work in HA and I have openVPN working to access the main LAN network.
I have now created a new vlan (lan_office) on top of my LAN interface on a different subnet.
LAN: 172.16.10.1/24
LAN_OFFICE: 172.16.200.1/24

In my openVPN, I set IPv4 Local network(s) to
172.16.10.0/24, 172.16.200.0/24
From my windows machine, I connect to the vpn and I cannot ping the machine 172.16.200.201
In pfSense > Diagnostics > Ping I can ping the 172.16.200.201 when I select the openvpn source address

Can anyone please assist?

Thank you

Is that your tunnel IP ? I can’t tell from your wording, if is, then it should be on a different subnet to your vlan / lan. Then have a rule that allows traffic to move between the subnets.

1 Like

No, the 2 ip subnet above are my 2 lan.
Main LAN: 172.16.10.1/24
Second LAN : 172.16.200.1/24
The vpn tunel is just a ramdom IP I set

Do I create the rule on which interface?
At the moment I can access and ping all the machine on the main LAN when connected to the VPN

Well the way I’ve done it is to create an alias in Firewall > Aliases > IP just add your subnets 172.16.10.0/24 (include your OpenVPN tunnel subnet too) etc. Then create rules in each of your interfaces that either allow or deny your subnets/aliases as required. Then your vlans will be able to pass traffic, by default everything is blocked. At least for me it’s easier to then understand what’s going on versus having individual rules.

A side note you can also have an alias for ports then it’s trial and error to identify your ports.

Hi @neogrid
I tried adding rules but that didn’t work
I also added the following in custom code but no luck
push "route 172.16.200.0 255.255.255.0";

Basically I have three main rules, 1) allow traffic out to vlans (TCP/UDP) 2) invert the first rule to allow out of the WAN (TCP/UDP) 3) Allow ICMP traffic (ICMP).

Have these rules on all vlans slightly tweaked to my needs.

Don’t have to push routes on OpenVPN, I’ve basically treated it as another vlan.

I’d suggest get two vlans working with your rules, then mirror these on your OpenVPN rules.

Can you please screenshot the rules? I can do with a visual to help.

have a peruse of Mr Lawrence’s video, it covers off the basic points

This suite of rules are replicated across my vlans, without them no traffic is allowed by default.

I created a wide open rule on the LAN and NEW_LAN interface and I still cannot ping the machine on the new vlanfrom over vpn :frowning:

Does that fact that the pfSense is HA ans anything to do with it?

Did you allow ICMP protocol ? I believe that protocol allows devices on the network to ping each other, I have a separate for that.

yes, I ahve a wide open rule on all interface


I found this on the netgate doc:

If it appears that OpenVPN will not push routes to a client, ensure that a Multi-site style PKI/SSL setup is in use and not a shared key setup or an SSL/TLS setup using a /30 tunnel network.

Routes cannot be pushed on a shared key setup or an SSL/TLS setup using a /30 tunnel network. Routes may be directly added to the client configuration using the IPv4 Remote Networks list (e.g. 192.168.99.0/24, 192.168.203.0/24 )

not quite sure what it mean

Did you setup firewall rules for your OpenVPN Server ? If you have and allowed all traffic it should flow. They ought to be similar to your vlan rules.

Well I’m in no position to correct the people who made pfsense. Though I have used SSL/TLS + User Auth as my server mode though with /24 tunnel.

firewall rules for your OpenVPN Server is wide open

@LTS_Tom are you able to help please?

Bellow is the output for
route print
192.168.84.1 is Windows 10 gateway
172.16.10.1 is LAN gateway (datacenter)
So aI can see both ip been pickup but not
172.16.200.0 (NEW lan in datacenter)


===========================================================================
Interface List
26…f0 76 1c 27 d0 63 …Realtek PCIe GBE Family Controller
10…0a 00 27 00 00 0a …VirtualBox Host-Only Ethernet Adapter #2
13…00 ff 83 af 81 48 …TAP-Windows Adapter V9
6…76 29 af 14 82 23 …Microsoft Wi-Fi Direct Virtual Adapter #5
14…74 29 af 14 82 23 …Microsoft Wi-Fi Direct Virtual Adapter #6
20…00 ff b6 58 52 2d …Kaspersky Security Data Escort Adapter
25…00 ff e2 26 62 30 …Kaspersky Security Data Escort Adapter #2
15…00 ff 91 28 38 78 …Anchorfree HSS VPN Adapter
22…00 ff cd b0 d8 67 …Leaf Networks Adapter
5…74 29 af 14 82 23 …Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC
11…74 29 af 14 82 24 …Bluetooth PAN HelpText
1…Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.84.1     192.168.84.4     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link   169.254.107.230    311
  169.254.107.230  255.255.255.255         On-link   169.254.107.230    311
  169.254.255.255  255.255.255.255         On-link   169.254.107.230    311
       172.16.2.0  255.255.255.240      172.16.70.1      172.16.70.2     25
      172.16.10.0    255.255.255.0      172.16.70.1      172.16.70.2     25
      172.16.70.0    255.255.255.0         On-link       172.16.70.2    281
      172.16.70.2  255.255.255.255         On-link       172.16.70.2    281
    172.16.70.255  255.255.255.255         On-link       172.16.70.2    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
     192.168.84.0    255.255.255.0         On-link      192.168.84.4    281
     192.168.84.4  255.255.255.255         On-link      192.168.84.4    281
   192.168.84.255  255.255.255.255         On-link      192.168.84.4    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link   169.254.107.230    311
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
        224.0.0.0        240.0.0.0         On-link       172.16.70.2    281
        224.0.0.0        240.0.0.0         On-link      192.168.84.4    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link   169.254.107.230    311
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
  255.255.255.255  255.255.255.255         On-link       172.16.70.2    281
  255.255.255.255  255.255.255.255         On-link      192.168.84.4    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 22    311 fe80::/64                On-link
 10    281 fe80::/64                On-link
 13    281 fe80::/64                On-link
 26    281 fe80::/64                On-link
 13    281 fe80::58ad:fc2d:6469:6d8a/128
                                    On-link
 22    311 fe80::61ae:1d17:8b84:6be6/128
                                    On-link
 10    281 fe80::b416:aba6:d6a2:f41/128
                                    On-link
 26    281 fe80::c11f:c62a:b13b:f735/128
                                    On-link
  1    331 ff00::/8                 On-link
 22    311 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
 26    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Do I need to create a new openVPN server to deal with that new network?

What is the 172.16.2.0 network I’m seeing? Is that the network you’re coming from?

You either have a typo in your networks/routes or you are simply not getting the route.
UAC in windows can sometimes cause problems with route creation.
I tested adding a second network to the local network fields with mine and was able to get a second route for that network, but I also have UAC turned off.

A good old REBOOT of the windows machine resolved my issue lol :exploding_head:

1 Like