I have a small network set up like this:
I have a Pfsense for connecting my servers to the WAN, they are using NAT from the LAN -> WAN.
I have an OpenVPN server using TAP to allow remote workers to be put on the same LAN network as the servers.
- They connect through the WAN IP to the OVPN interface.
- The LAN interface also serves as the gateway for the servers to get an internet connection and has an IP of 10.25.255.254
- The OVPN Interface and the LAN interface are bridged in BR0
- Server A has an IP of 10.25.255.1 and is able to connect to the internet
- Client A is connecting through the VPN and is assigned an IP address on its TAP interface of 10.25.24.1 (I reserved a /24 within the 10.25.0.0/16 for VPN clients)
- Firewall currently allows any-any connection OVPN towards LAN and vice versa
Currently when I connect, all routes seem fine on the client side:
Destination Gateway Genmask Flags Metric Ref Use Iface
300.300.300.300 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.25.0.0 10.25.255.254 255.255.0.0 UG 0 0 0 tap0
10.25.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tap0
0.0.0.0 300.300.300.300 0.0.0.0 UG 0 0 0 eth0
I can ping the LAN interface:
root@server:# ping 10.25.255.254
PING 10.25.255.254 (10.25.255.254) 56(84) bytes of data.
64 bytes from 10.25.255.254: icmp_req=1 ttl=64 time=7.65 ms
64 bytes from 10.25.255.254: icmp_req=2 ttl=64 time=7.49 ms
64 bytes from 10.25.255.254: icmp_req=3 ttl=64 time=7.69 ms
64 bytes from 10.25.255.254: icmp_req=4 ttl=64 time=7.31 ms
64 bytes from 10.25.255.254: icmp_req=5 ttl=64 time=7.52 ms
64 bytes from 10.25.255.254: icmp_req=6 ttl=64 time=7.42 ms
But I can't ping past the LAN interface:
root@server:# ping 10.25.255.1
PING 10.25.255.1 (10.25.255.1) 56(84) bytes of data.
From 10.25.255.254: icmp_seq=1 Redirect Host(New nexthop: 10.25.255.1)
From 10.25.255.254: icmp_seq=2 Redirect Host(New nexthop: 10.25.255.1)
I ran a tcpdump on my em1 interface (the LAN interface, which has the IP 10.25.255.254):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
08:21:13.449222 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 10, length 64
08:21:13.458211 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:14.450541 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 11, length 64
08:21:14.458431 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:15.451794 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 12, length 64
08:21:15.458530 ARP, Request who-has 10.25.255.1 tell 10.25.24.1, length 28
08:21:16.453203 IP 10.25.24.1 > 10.25.255.1: ICMP echo request, id 23623, seq 13, length 64
So traffic is reaching the LAN interface; it's also passed to the host, and the host replies. But the traffic is not put on the LAN interface.
The problem wasn't with OpenVPN or the pfSense appliance, but rather with the VMware vSwitch. If you are running pfSense in VMware you should change the vSwitch "Promiscuous Mode" setting associated with your pfSense networks from Reject to Accept. If you do not do this then the only host the OpenVPN bridged client will see is the pfSense server itself.
There is also an implicit rule on the firewall which can't be seen on the UI. You need to scrutinize the PF log and manually disable the rule.
Thanks Lucas, you almost provided the solution for me. I already had Promiscuous Mode set on my vSwitch, but you inspired me to look at the other two VMware ESXi 6.5 vSwitch Security settings. Allow Forged Transmits did the trick, and the pings started flowing the full circuit between the remote client and the LAN nodes.
OMFG THANK YOU, I've been bashing my head against this one for hours trying to figure out why my bridged VPN could ping the gateway but not the hosts inside the LAN. Turns out I too run pfSense on an ESXi host with Promiscuous Mode and Forged Transmits disabled! Enabling both fixed the issue!
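The answer above and the follow-up comment together point at two vSwitch security settings (Promiscuous Mode and Forged Transmits) that a bridged OpenVPN TAP setup needs, because the pfSense VM must receive frames for MAC addresses other than its own and send frames sourced from the VPN clients' MACs. The PowerCLI snippet below is an added example, not code from the thread or from pfSense/VMware; it audits which vSwitches and port groups already accept promiscuous mode or forged transmits (both settings also let any VM on that network sniff or spoof, so you want to know where they are on) and then enables them only on the port group that carries the pfSense bridge rather than on the whole vSwitch. The host name, the vSwitch name `vSwitch0` and the port group name `pfSense-LAN` are placeholders you must replace.

```powershell
# Added example (PowerCLI, VMware.PowerCLI module), not from the original thread.
# Assumptions: PowerCLI installed, credentials for the ESXi host or vCenter,
# and placeholder names: host 'esxi.example.invalid', vSwitch 'vSwitch0',
# port group 'pfSense-LAN' (the port group the pfSense LAN/bridge vNIC is on).
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esxi.example.invalid'   # placeholder host name

$vmhost = Get-VMHost | Select-Object -First 1

# 1. Audit: list every standard vSwitch and port group on the host whose
#    security policy already accepts promiscuous mode or forged transmits.
#    Either setting lets a VM on that network see or spoof other VMs' frames,
#    so the list should be short and intentional.
Write-Host "vSwitch-level security policies:"
Get-VirtualSwitch -VMHost $vmhost -Standard | Get-SecurityPolicy |
    Select-Object VirtualSwitch, AllowPromiscuous, ForgedTransmits, MacChanges |
    Format-Table -AutoSize

Write-Host "Port groups overriding the vSwitch policy to Accept:"
Get-VirtualPortGroup -VMHost $vmhost -Standard | Get-SecurityPolicy |
    Where-Object { $_.AllowPromiscuous -or $_.ForgedTransmits } |
    Select-Object VirtualPortGroup, AllowPromiscuous, ForgedTransmits, MacChanges |
    Format-Table -AutoSize

# 2. Fix, scoped to the bridge port group only: the pfSense vNIC that sits in
#    the OpenVPN TAP bridge must receive frames for the VPN clients' MACs
#    (promiscuous) and transmit frames sourced from those MACs (forged
#    transmits). Setting the values on the port group overrides the inherited
#    vSwitch policy, so the rest of vSwitch0 keeps Reject.
$bridgePg = Get-VirtualPortGroup -VMHost $vmhost -Name 'pfSense-LAN' -Standard
$bridgePg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true

# 3. Verify the override took effect on that port group.
$bridgePg | Get-SecurityPolicy |
    Select-Object VirtualPortGroup, AllowPromiscuous, ForgedTransmits, MacChanges |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'esxi.example.invalid' -Confirm:$false
```

After running it, repeat the test from the question (ping a LAN host such as 10.25.255.1 from the VPN client) and, on the pfSense LAN interface, the tcpdump should now show ARP replies for the client's `who-has` requests instead of only the unanswered requests shown above. MAC Address Changes is left untouched because the page never reports needing it; if the port group still rejects it and pings stay one-directional, that is the remaining setting to check.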