
Firewall blocks outgoing OpenVPN traffic to not local network (solved)


Jürgen Garbe:

pfSense is configured using the following interfaces:
WAN: (in /24 net)
LAN: (in /24 net)
I created an OpenVPN instance (server) which serves on the WAN interface.
As long as the clients are coming out of the WAN net, everything is working as expected.

The problem arises, if a client coming from the net tries to connect (gateway, routes, ... are set correctly):
In this case, the OpenVPN server sees the incoming packets, but the firewall drops all outgoing packets in the direction of the net.
The only solution I found is to deactivate the firewall (not really a solution) or to create a floating rule with the following parameters:
Pass, quick, direction:any, IPV4, UDP, Source: network, Destination: firewall(self) on the OpenVPN port.

I even tried to build two separate rules (one for in, one for out) with the same parameters but did not succeed...

Any ideas?

Best regards
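The floating rule described in the post above, written out as an equivalent hand-written pf rule. This is an added illustration, not pfSense's generated ruleset and not code from the original thread; the client network 192.0.2.0/24 and the OpenVPN port 1194 are placeholders, since the post does not state them.

```pf
# Added example, not from the original post. Equivalent of the floating rule
# "Pass, quick, direction: any, IPv4, UDP, Source: <network>,
#  Destination: firewall (self), on the OpenVPN port".
# Placeholders: 192.0.2.0/24 stands in for the non-local client network and
# 1194 for the OpenVPN server port (neither value is given in the post).

# No "in" or "out" keyword, so the rule matches both directions ("direction: any").
# "(self)" matches every address configured on the firewall itself.
pass quick inet proto udp from 192.0.2.0/24 to (self) port 1194 keep state

# The same rule split into an explicit in/out pair (the two-rule variant the
# poster mentions trying); together they cover what the single rule covers.
pass in  quick inet proto udp from 192.0.2.0/24 to (self) port 1194 keep state
pass out quick inet proto udp from (self) port 1194 to 192.0.2.0/24 keep state
```

"quick" ends rule evaluation on the first match, which is why a floating quick rule takes precedence over the per-interface rules pfSense evaluates afterwards. "keep state" is the default in pf, but it is written out here because it is the part that matters: once the client's first UDP datagram creates a state entry, the OpenVPN daemon's replies are passed by that state rather than by a separate rule. From a defender's point of view, keep the source limited to the specific remote client network, as the post does, rather than widening it to "any", so the rule only opens the OpenVPN port to the networks that actually need it.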

Huh??  In what scenario would you have a 192.168.0/24 client??  Do you have a downstream router connected to your 192.168.22 network?  So 192.168.22 is just a transit network?

You're running the openvpn server on your wan, which is also rfc1918 - so pfsense is downstream of some other network. Why would you be running vpn connections inside your own network?

Jürgen Garbe:
The pfSense instance with OpenVPN is our remote assistance 'meeting point' where support personnel and customers are connecting.
The firewall of this pfSense instance regulates who is allowed to 'talk' to whom.
Customers, and even support people, are connecting from outside using some NAT on a DrayTek router over our 'Extranet' network.
This is working flawlessly.

Sometimes we are giving support with people from inside our organisation, so we are connecting out of our organisation's 'Intranet' LAN (which is to the pfSense WAN port using our standard gateway, another pfSense instance). This does not work without the mentioned extra rule...

So these are road warrior connections from a specific client, or is this a site-to-site connection?

What is your tunnel network being used for your openvpn connection?

A drawing would be very helpful!  So your pfsense is inside a nat somewhere.  So this pfsense wan is just a transit to your edge router, or are there devices on this pfsense 192.168.100 network?

So you are wanting multiple clients on a road warrior connection to talk to each other?  Or you have your support people coming in via this connection to go out a site to site connection to support people else where in your network?

Keep in mind if you want to initiate a connection to a road warrior connection you would use the tunnel IP it gets, and its host firewall would have to allow the connection.  Also if your remote connection has an overlapping network you could have problems connecting and you would need a source nat.

Again - drawing is worth 10,000 words!!!

Jürgen Garbe:
Thank you for your commitment! :)

Please find appended a simple drawing which might explain the situation:
There are customer machines outside in the internet which might need remote assistance.
In this case the customer starts a remote assistance session (he opens an OpenVPN tunnel to our OpenVPN server Firewall-2, the pfSense instance).
On the other side, some engineer from inside our organisation (Intranet LAN) or even outside in the internet also opens an OpenVPN connection to 'Firewall-2'.
Because the engineers know the address of the client machines in the OpenVPN net (e.g. they can start their VNC viewer and enter the machine's address), they can assist the customer.
'Firewall-2' controls who is allowed to 'talk' with whom.
BUT: as mentioned before, this does not work without this additional floating rule...

PS: I forgot to mention: the network is only to access the pfSense's WebGUI (and is therefore not in the drawing)!
