pfSense self-sourced traffic across OpenVPN

I’m hitting a major wall here. I’ve got pfSense at a remote site running as an OpenVPN server with a site-to-site connection to a USG-Pro. Clients on the LANs at both locations can successfully communicate both ways with no issue. Clients on the LAN on the USG side can successfully connect to the pfSense at the remote site (ICMP, SSH). However, I cannot connect from the pfSense itself to the client LAN on the USG side. If I issue a traceroute from the client LAN of the USG to the pfSense, I get the full route successfully. However, when trying a traceroute from the pfSense, I can only get to the gateway hop on the USG side. I don’t really see any way to do a firewall rule specifically for the pfSense ‘self’, so I’m kind of stuck. I tried doing a static route, but that wasn’t successful.

This sounds like an issue that is present in IPSEC VPN tunnels (see: Virtual Private Networks — IPsec — Accessing Firewall Services over IPsec VPNs | pfSense Documentation), but following these steps did not yield any change.

Happy to give any additional details, and thank you in advance for any direction you can give! :slight_smile:

It’s hard to follow what you have written, but you can refer to the firewall in a rule.

Open up a rule; under the Destination section, inspect the dropdown options and you will see the “This firewall (self)” option.

Though I’m not sure what you need it for in a site to site VPN. Perhaps you don’t.


Ah, maybe I shouldn’t post late at night. This might help. :slight_smile:

OpenVPN between two sites. VPN is successfully connected. My end goal is to have Telegraf and SNMP configured on the pfSense itself to send data to host 172.19.250.100.

What works:
Ping/SSH/traceroute from 10.18.200.100 to 172.19.250.1 and 172.19.250.100
Ping/SSH/traceroute from 172.19.250.100 to 10.18.200.100
Ping/SSH/traceroute from 172.19.250.100 to 10.18.200.1

What doesn’t:
I cannot ping/SSH/traceroute from the pfSense itself to host 172.19.250.100. When I attempt a traceroute, I get the first hop of 10.100.200.2, but then it hangs.

I have seen the ‘This firewall (self)’ option as a destination, but not as a source option. The odd thing is that I don’t see anything in the firewall logs that suggests the traffic is being stopped by the firewall, so I don’t know if the firewall is actually blocking the traffic. I have attempted disabling the firewall altogether as a test, and it still fails.

Hope this helps!

Ah, I got it! It didn’t occur to me that the traffic headed over the OpenVPN connection would be sourced from the OpenVPN endpoint IP address (in this case, 10.100.200.1)! I kept thinking that it would be from the LAN interface (10.18.200.1). I just had to adjust the firewall on the USG side to allow from the 10.100.200.1 address, and all is now working! Woohoo!!
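An added illustration (not from the thread) of what the last post discovered: a packet the firewall originates itself is stamped with the address of the interface its route points at, so the USG's inbound rule has to admit the tunnel endpoint, not just the remote LAN prefix. The interface names (`lan`, `ovpns1`) and the tunnel /30 are assumptions; the addresses are the ones given in the thread.

```python
# Added example, not from the thread: model pfSense's route lookup and source
# address selection, then check the result against the USG's allow rules.
import ipaddress

# Constructed routing table modelled on the thread's addressing. Each entry:
# (destination prefix, interface, address configured on that interface).
# Interface names and the OpenVPN /30 are assumed for illustration.
ROUTES = [
    ("10.18.200.0/24",  "lan",    "10.18.200.1"),   # pfSense LAN
    ("10.100.200.0/30", "ovpns1", "10.100.200.1"),  # OpenVPN tunnel endpoint
    ("172.19.250.0/24", "ovpns1", "10.100.200.1"),  # USG LAN, reached via tunnel
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (interface, interface address) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return None if best is None else (best[1], best[2])

def source_for(dst, routes=ROUTES):
    """Source address the firewall itself uses toward dst: the address of the
    egress interface, which for tunnel destinations is the OpenVPN endpoint."""
    hit = lookup(dst, routes)
    return None if hit is None else hit[1]

def usg_allows(src, allowed_sources):
    """Stateless model of the USG inbound rule: permit if src is in any prefix."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in allowed_sources)

# The rule set that only trusted the remote LAN (the original assumption)...
ORIGINAL_RULES = ["10.18.200.0/24"]
# ...and the corrected one that also trusts the tunnel endpoint address.
FIXED_RULES = ["10.18.200.0/24", "10.100.200.1/32"]

if __name__ == "__main__":
    src = source_for("172.19.250.100")
    print("pfSense sources its own traffic to 172.19.250.100 from", src)
    print("forwarded LAN host traffic is allowed by original rules:",
          usg_allows("10.18.200.100", ORIGINAL_RULES))
    print("firewall's own traffic allowed by original rules:", usg_allows(src, ORIGINAL_RULES))
    print("firewall's own traffic allowed by fixed rules:   ", usg_allows(src, FIXED_RULES))
```

Forwarded traffic from a LAN host keeps that host's source address, which is why 10.18.200.100 always passed while the firewall's own packets were dropped silently on the far side.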

Ok cool, you got it to work; good ol’ trial and error :slight_smile: