pfSense new install(s) not routing OpenVPN client traffic

First, let me say I think this is a PEBKAC error. pfSense is a very tested and solid platform, so I have no illusions that it’s broken. Me, on the other hand, that’s a different story. 🙂

I had an old computer (Dual core I5 with 4GB RAM) and decided to make my first foray into pfSense. I popped in an old RTL8139 NIC and installed pfSense. Easy peasy.

Onboard NIC was WAN port with a 192.168.x.x address. RTL NIC was LAN with a 10.0.20.x address. I connected a Windows 10 PC to the LAN via a Netgear 5 port desktop switch and was instantly online. Did a speed test and got 630MB on my 500MB fiber connection. Happiness ensued.

I then watched Tom’s excellent video on setting up OpenVPN. I installed the Client Export plugin (wow is that awesome) and ran the wizard step by step with Tom’s video, setting the VPN tunnel network to 10.0.25.x. Client export was set to use the WAN IP. Installed the client on both another Win10 box (not on the pfSense LAN) and my Chromebook. Both of them connected easily and I brought up the pfSense admin page like lightning. I was stoked.

I decided that since this had worked so well I was going to expand it just a bit. I run an OpenMediaVault file server on an HP DL360 G7 and it has performed great for a couple years now. It has only used one of the ethernet ports on a 192.168.x.x address, so I configured another port for 10.0.20.x and plugged that into the switch on the pfSense LAN. The Win10 box on the PFS LAN used it with no issues. Worked great.

I then connected my other Win10 box and connected to the VPN. Brought up the pfSense admin page easily using the VPN IP of 10.0.20.x. I typed in the IP of the OMV box and got nothing. Hmm. I opened a command prompt and pinged the PFS IP. 4 returns <1ms. Pinged the OMV IP and got fail, fail, 6ms, fail. Ping again to get 5ms, fail, 10ms, fail. Very intermittent returns, and the ping times were longer than I thought they should be.

I thought that perhaps the old RTL8139 might be causing issues moving traffic across to the LAN, so got another NIC with an RTL8111 (?) chipset. Reassigned the LAN to this interface and tried again. LAN traffic routed to the internet fast and easy. Great performance, but the old card also had great performance doing this. Connected to the VPN again and same result. Almost nothing being routed to the LAN through the VPN.

Again thinking it might be a hardware thing, I decided to use another DL360 G7 (dual 12 core Xeon with 16GB RAM - overkill) I had and installed a fresh pfSense load. Ran through the config again (again, while watching the video) and got the exact same response. Obviously this is something I’m not setting properly.

The only thing I’ve noticed is that Tom’s video was done in 2.4 and I have the current 2.5, so a few of the options were a bit different.

Does anyone have any insight into why the VPN traffic is so slow that it only aspires to be lethargic?

Under rules for the VPN, is traffic allowed to pass from 10.0.20.x network to the 192.168.x.x network? A network diagram and screenshots of your Pfsense rules would be helpful

Here are the firewall rules for OpenVPN:

Network setup (New user, so can only put 1 image per post)

I don’t understand how Pfsense can communicate to anything on the 192.168 network.

Does the OMV have 2 network ports? One on the 192.168 network and one on the 10.0 network? Can you ping the OMV from pfSense?

One thing to try…in your OpenVPN configuration setup there is a checkbox to route all traffic through the VPN…check that and try again. Your clients might be having issues deciding whether to go out over the internet or VPN…see if there is any change when that box is checked

The pfSense box doesn’t communicate on the 192 network. That was intentional.

Yes, the OMV has 2 configured NICs. One on the 10 network and one on the 192. Yes, I can ping the 10 network interface from the Windows 10-2 box. I can easily bring up the admin page and access file shares on the 10 network from W10-2. Just not across the VPN.

I tried checking that box and it didn’t fix it. Still got internet access with no problem, just not local LAN. I also have the Chromebook that I took offsite and connected just via the internet. Had exactly the same performance and results.

In the vpn rules, put in a pass rule to the specific IP address of the media box. If that doesn’t work there is a configuration issue on the media box or the vpn. I’d have to see your configuration but be careful what you post online…

That had no effect.

The thing is, it’s not just the file server that can’t respond. It’s anything. I set up an http file server and a Windows share on Win10-2 and no joy. Shut off the Windows firewall altogether and still nothing. Nothing on file sharing, http, or even a ping.

This is puzzling.
Since you can access the pfSense admin web server LAN IP through the VPN, it seems like the firewall is passing traffic.

I suggest running tcpdump/Wireshark on both pfsense LAN side and the server boxes, watching for the test traffic. If the packets are hitting the windows servers, then it’s not a pfsense issue.
I had to punch holes in the Windows firewall to allow clients from a non-local network to access a Windows file share, but you mentioned disabling the firewall so it shouldn’t be that.
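The two-capture-point approach suggested above is easiest to reason about if you compare the captures side by side. The following is an added example (not from the thread or from pfSense) that parses constructed `tcpdump -n` style lines from the pfSense LAN interface and from the LAN host, pairs each ICMP echo request with its reply, and reports at which hop each probe was lost. The addresses (VPN client 10.0.25.6, LAN host 10.0.20.50) and the capture lines are constructed sample data, and the verdict strings are the author's own diagnostic categories, not pfSense output.

```python
"""Correlate two tcpdump captures (pfSense LAN side vs. the LAN host) to see
where VPN-to-LAN traffic is being lost. Example code with constructed input."""
import re
from collections import defaultdict

# Constructed sample captures in tcpdump -n format. Hypothetical addresses:
# VPN client 10.0.25.6 (tunnel network), LAN host 10.0.20.50 (the NAS box).
PFSENSE_LAN_CAPTURE = """\
12:00:01.000000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 1, length 40
12:00:02.000000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 2, length 40
12:00:02.006000 IP 10.0.20.50 > 10.0.25.6: ICMP echo reply, id 1, seq 2, length 40
12:00:03.000000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 3, length 40
12:00:04.000000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 4, length 40
"""

HOST_CAPTURE = """\
12:00:01.001000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 1, length 40
12:00:01.001100 IP 10.0.20.50 > 10.0.25.6: ICMP echo reply, id 1, seq 1, length 40
12:00:02.001000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 2, length 40
12:00:02.001100 IP 10.0.20.50 > 10.0.25.6: ICMP echo reply, id 1, seq 2, length 40
12:00:03.001000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 3, length 40
12:00:03.001100 IP 10.0.20.50 > 10.0.25.6: ICMP echo reply, id 1, seq 3, length 40
12:00:04.001000 IP 10.0.25.6 > 10.0.20.50: ICMP echo request, id 1, seq 4, length 40
"""

# Matches the ICMP echo lines tcpdump prints with -n; other traffic is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture):
    """Return {(id, seq): {"request": bool, "reply": bool}} for one capture."""
    seen = defaultdict(lambda: {"request": False, "reply": False})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[(int(m["id"]), int(m["seq"]))][m["kind"]] = True
    return seen


def classify(pfsense_capture, host_capture):
    """Map each (id, seq) probe to a verdict describing where it was lost."""
    fw = parse_icmp(pfsense_capture)
    host = parse_icmp(host_capture)
    verdicts = {}
    for key in sorted(set(fw) | set(host)):
        f, h = fw[key], host[key]
        if f["request"] and not h["request"]:
            # Left pfSense's LAN interface but never reached the host.
            verdicts[key] = "dropped between pfSense LAN and host"
        elif h["request"] and not h["reply"]:
            # Host saw it and stayed silent: host-side firewall or service.
            verdicts[key] = "host received request but never answered"
        elif h["reply"] and not f["reply"]:
            # Host answered, but the reply did not come back through pfSense;
            # on a dual-homed host, check which interface its route to the
            # tunnel network (10.0.25.x here) actually uses.
            verdicts[key] = "host replied but reply never reached pfSense LAN"
        elif f["reply"]:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "unknown"
    return verdicts


if __name__ == "__main__":
    for (icmp_id, seq), verdict in classify(PFSENSE_LAN_CAPTURE, HOST_CAPTURE).items():
        print(f"id={icmp_id} seq={seq}: {verdict}")
```

Run against real captures, the "host replied but reply never reached pfSense LAN" verdict is the one worth watching for on a server with two NICs, since it means the return path is not the one the request took; the "host received request but never answered" verdict points at the host itself, which is where this thread ended up.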

I’d been meaning to do this anyway, so I changed the OpenMediaVault for TrueNAS Core. It reached this just fine via the VPN, so apparently it was indeed something on the OMV server that was causing the block. I couldn’t find anything in the OMV settings that would do that. The firewall wasn’t enabled and there wasn’t anywhere I found to say what subnets were allowed access. It still confuses me that it would sporadically allow access, but then not allow it mere seconds later.

I really appreciate everyone trying to figure out what was going on. This is a nice community.