OPNsense Forum

English Forums => General Discussion => Topic started by: GeoffSIT on August 30, 2021, 11:32:50 AM

Title: Basic config OPNSense and OpenVPN problems
Post by: GeoffSIT on August 30, 2021, 11:32:50 AM
Hi OPNsense community,

I'm currently making the switch from pfSense to OPNsense, but I'm struggling with some basic functions and settings. I currently have two interfaces, WAN and LAN.
WAN: Static IP on 192.168.2.250
LAN: Running a DHCP server with 10.0.0.1/24 (10.0.0.10-99)

The firewall also has an OpenVPN server running, set up using this guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html). I set the IP range of the OpenVPN server to 10.10.0.0/24 and set "IPv4 Local Network" to 10.0.0.0/24 so the VPN could access the LAN.

The problem I have is that a VPN user can connect to the server, but cannot reach (ping or access a webserver on) a LAN device, even when I add the rule given in the tutorial. Besides that, when I add a custom rule for ping or for access to the web config from the WAN, no connection is allowed from WAN. The log says it's blocked by the "default deny rule"? I can't find it, even when clicking on the link shown in the log. Adding a rule to override it does not work.

Some things that I have already tried:
-   Disable IPv6 server side and client side (as far as I know).
-   Disable the checkboxes of "Block private networks" and "Block bogon networks" on the WAN interface.
-   Add a rule to allow anything on any interface using a floating rule.
-   Some stupid things that don't make any sense.

My situation looks simple and easy to set up, but this problem is giving me a headache. Has anyone got any ideas?

Thanks in advance!
Title: Re: Basic config OPNSense and OpenVPN problems
Post by: meschmesch on August 30, 2021, 02:32:32 PM
Hi, did you add a gateway? You need a gateway for the OpenVPN interface, IP address dynamic, no gateway monitoring, IPv4.
Title: Re: Basic config OPNSense and OpenVPN problems
Post by: GeoffSIT on August 31, 2021, 08:59:10 AM
Quote from: meschmesch on August 30, 2021, 02:32:32 PM
did you add a gateway? You need a gateway for the OpenVPN interface, IP address dynamic, no gateway monitoring, IPv4.

Hi meschmesch, thanks for thinking along. Under System - Gateways - Single, I see the (auto)generated gateway on 10.10.0.2. Do you mean that one? Because it is configured like that.
Title: Re: Basic config OPNSense and OpenVPN problems
Post by: meschmesch on August 31, 2021, 01:27:17 PM
Yes, this was the one I meant. What about NAT? I don't know what is being configured automatically. But I have Firewall-Nat-Outbound manually set (Interface WAN, Source OpnVPNInterface net, Source *, Destination *, Destination Port *, NAT-Address=WAN address, Nat Port *, Static Port no).

Also make sure that your ISP firewall is permitting the packets on port 1194 (tcp/udp)? to pass to your OPNsense.
Title: Re: Basic config OPNSense and OpenVPN problems
Post by: GeoffSIT on September 02, 2021, 09:18:20 AM
Problem fixed. It was a combination of the NAT and the gateway. I guess there was something wrong with the autogenerated ones. Deleting them and adding them manually fixed it. Thanks for hanging along, meschmesch!

Also, one thing to mention: my debug method was using ping between different endpoints. Accessing a webserver on some random ports succeeds using some logical firewall rules. I don't get the ping between endpoints working. That's a thing that is annoying me too, because that's my way of debugging a system.

Anyone got an idea? "All" ports are accessible for a VPN user to a LAN endpoint, but you can't ping them.