Basic config OPNSense and OpenVPN problems

Started by GeoffSIT, August 30, 2021, 11:32:50 AM

Hi OpnSense community,

I'm currently making the switch from pfSense to OPNsense, but I'm struggling with some basic functions and settings. I currently have two interfaces, WAN and LAN.
WAN: static IP 192.168.2.250
LAN: running a DHCP server on 10.0.0.1/24 (pool 10.0.0.10-99)

The firewall also has an OpenVPN server running, set up using this guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html). I set the IP range of the OpenVPN server to 10.10.0.0/24 and set "IPv4 Local Network" to 10.0.0.0/24 so the VPN can access the LAN.

The problem I have is that a VPN user can connect to the server, but cannot access (ping or reach a web server on) a LAN device, even when I add the rule given in the tutorial. Besides that, when I add a custom rule for ping or for access to the web config from the WAN, no connection is allowed from the WAN either. The log says it's blocked by the "default deny rule"? I can't find that rule, even when clicking on the link shown in the log. Adding a rule to override it does not work.

Some things that I have already tried:
-   Disabling IPv6 server side and client side (as far as I know).
-   Disabling the checkboxes "Block private networks" and "Block bogon networks" on the WAN interface.
-   Adding a floating rule to allow anything on any interface.
-   Some stupid things that don't make any sense.
My situation looks simple, easy to set up. But this problem is giving me a headache. Does anyone have any ideas?

Thanks in advance!

Hi, did you add a gateway? You need a gateway for the OpenVPN interface, IP address dynamic, no gateway monitoring, IPv4.

Quote from: meschmesch on August 30, 2021, 02:32:32 PM
did you add a gateway? You need a gateway for the OpenVPN interface, IP address dynamic, no gateway monitoring, IPv4.

Hi meschmesch, thanks for thinking along. Under System - Gateways - Single, I see the (auto)generated gateway on 10.10.0.2. You mean that one? Because it is configured like that.

Yes, this was the one I meant. What about NAT? I don't know what is being configured automatically, but I have Firewall - NAT - Outbound set manually (Interface: WAN, Source: OpnVPNInterface net, Source port: *, Destination: *, Destination port: *, NAT address: WAN address, NAT port: *, Static port: no).

Also make sure that your ISP firewall is permitting the packets on port 1194 (tcp/udp?) to pass to your OPNsense.

Problem fixed. It was a combination of the NAT and the gateway. I guess there was something wrong with the autogenerated ones. Deleting them and adding them manually fixed it. Thanks for hanging along, meschmesch!

Also, one thing to mention: my debugging method was using ping between different endpoints. Accessing a web server on some random ports succeeds with some logical firewall rules, but I can't get the ping between endpoints working. That's something that annoys me as well, because that's my way of debugging a system.

Anyone got an idea? "All" ports are accessible for a VPN user to a LAN endpoint, but you can't ping them.
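When the firewall log reports hits on the "default deny rule" (first post) or when TCP to a LAN host works while ping does not (last post), the quickest way to see what is actually being dropped is to read the filterlog records rather than the GUI live view. The script below is an added example, not code from this thread or from the OPNsense project. It assumes the pf filterlog CSV layout (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, then the IPv4 header fields, protocol, length, source, destination, followed by protocol-specific fields: ICMP type first for ICMP, source and destination port first for TCP/UDP); the log lines, the interface names ovpns1 and igb0, and the host addresses are constructed samples that reuse the addresses from the thread.

```python
"""Summarise OPNsense/pf filterlog records to see what the deny rules are
dropping, and flag source/destination pairs where ICMP is blocked while
TCP or UDP passes (the "ports work but ping does not" symptom).

Added example; the CSV field layout is an assumption, not project code."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines (assumed filterlog layout), as they would appear
# in the firewall log. 10.10.0.6 is a VPN client, 10.0.0.50 a LAN host,
# 192.168.2.250 the WAN address from the thread.
SAMPLE_LOG = """\
Aug 30 11:40:01 fw filterlog[5321]: 2,,,0,ovpns1,match,block,in,4,0x0,,64,1,0,DF,1,icmp,84,10.10.0.6,10.0.0.50,request,1234
Aug 30 11:40:02 fw filterlog[5321]: 2,,,0,ovpns1,match,block,in,4,0x0,,64,2,0,DF,1,icmp,84,10.10.0.6,10.0.0.50,request,1234
Aug 30 11:40:03 fw filterlog[5321]: 87,,,abc123,ovpns1,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,10.10.0.6,10.0.0.50,51000,80,0,S,1,,65535,,mss
Aug 30 11:40:04 fw filterlog[5321]: 2,,,0,igb0,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.2.10,192.168.2.250,51001,443,0,S,2,,65535,,mss
Aug 30 11:40:05 fw sshd[900]: Accepted publickey for root from 10.0.0.5
"""


@dataclass(frozen=True)
class FilterRecord:
    interface: str
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    proto: str       # "icmp", "tcp", "udp", ...
    src: str
    dst: str
    detail: str      # ICMP type text, or "dport N" for TCP/UDP


def parse_filterlog_line(line: str) -> Optional[FilterRecord]:
    """Parse one syslog line carrying a filterlog CSV record.
    Returns None for lines that are not filterlog records or are too short."""
    if "filterlog" not in line or "]: " not in line:
        return None
    f = line.split("]: ", 1)[1].strip().split(",")
    try:
        interface, action, direction, ipver = f[4], f[6], f[7], f[8]
        if ipver == "4":
            proto, src, dst, rest = f[16], f[18], f[19], f[20:]
        elif ipver == "6":   # assumed IPv6 layout: class, flow, hlim, proto-text, proto-id, len, src, dst
            proto, src, dst, rest = f[12], f[15], f[16], f[17:]
        else:
            return None
    except IndexError:
        return None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        detail = f"dport {rest[1]}"
    elif proto in ("icmp", "ipv6-icmp") and rest:
        detail = rest[0]
    else:
        detail = ""
    return FilterRecord(interface, action, direction, proto, src, dst, detail)


def parse_filterlog(text: str) -> List[FilterRecord]:
    """Parse every filterlog record in a block of log text, skipping other lines."""
    records = []
    for line in text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def blocked_summary(text: str) -> Counter:
    """Count blocked flows by (interface, proto, src, dst, detail) so the
    noisiest deny hits surface first."""
    return Counter(
        (r.interface, r.proto, r.src, r.dst, r.detail)
        for r in parse_filterlog(text)
        if r.action == "block"
    )


def icmp_blocked_but_tcp_passes(records: List[FilterRecord]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs where ICMP was blocked but TCP/UDP was passed:
    these are the hosts that answer on ports but not to ping."""
    blocked_icmp = {(r.src, r.dst) for r in records if r.action == "block" and r.proto == "icmp"}
    passed_ports = {(r.src, r.dst) for r in records if r.action == "pass" and r.proto in ("tcp", "udp")}
    return sorted(blocked_icmp & passed_ports)


if __name__ == "__main__":
    for key, count in blocked_summary(SAMPLE_LOG).most_common():
        print(count, key)
    print("ICMP-blocked, ports-open pairs:", icmp_blocked_but_tcp_passes(parse_filterlog(SAMPLE_LOG)))
```

Run it against a copy of the firewall log instead of SAMPLE_LOG to list the flows the deny rules are dropping; a pair that shows up in the last line is a host where the pass rule covers TCP/UDP but not ICMP, which is worth checking before assuming the VPN routing itself is broken.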