How to use push “route 10.0.0.0 255.255.255.0” on pfSense


























My OpenVPN server has a local IP address 10.21.1.4 (it's on the 10.21.1.0/24 subnet), and uses the 10.21.4.0/24 subnet for the tunnel. What route should I push to grant VPN clients access to the LAN (10.21.1.0/24)?



Should it be push "route 10.21.1.0 255.255.255.0" or push "route 10.21.4.0 255.255.255.0"?



UPDATE 1



Doing push "route 10.21.1.0 255.255.255.0" still doesn't allow my VPN clients to access the LAN. Momentarily, I added the following rules on the WAN and LAN interfaces:



Protocol: IPv4*
Source: *
Port: *
Destination: *
Port: *
Gateway: *









      networking routing lan openvpn pfsense






      edited Jun 12 '17 at 7:04

























      asked Jun 12 '17 at 5:43









      DAVID

          1 Answer
          You don't need to push the tunnel route; the client and server will both know about that (they figure that out in the setup). The server will push things that aren't part of the tunnel -- its other interfaces.

          Also, pfSense will need explicit pass rules on the LAN and VPN interfaces for the VPN traffic. So, assign your VPN server to an interface; it makes things easier. On pfSense, let's use the (assign) option under the Interfaces menu to assign it to OPT1. Then:

          Firewall->Rules->OPT1 create a new rule (at the top is fine).

          Action pass, Interface OPT1, IPv4, protocol any, source OPT1 net, destination any, description "let opt1 talk to anybody", save and apply.

          That rule says that all traffic that comes in from VPN clients is allowed to leave the firewall (to any destination).

          Now we have to create a rule that says LAN clients are allowed to talk to VPN clients:

          Firewall->Rules->LAN create a new rule (at the top is fine).

          Action pass, Interface LAN, IPv4, protocol any, source LAN net, destination OPT1, description "let LAN talk to opt1", save and apply.

          Note that we probably don't need this since the LAN is very likely already allowed to talk to everybody, but we're trying to make this easy right now.

          Now, back to the OpenVPN options:

          Say the server's LAN interface is 10.20.30.40/24:



          push "route 10.20.30.0 255.255.255.0"


          You may want to enable NetBIOS if you use Samba/Microsoft. You probably want to add an in-office DNS.



          Hope this helps.







          edited Jun 12 '17 at 7:03

























          answered Jun 12 '17 at 5:48









          quadruplebucky
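
An added example, not part of the original answer: a small Python check for the question's two candidate directives, run over constructed sample lines. It assumes only the two-argument `push "route <network> <netmask>"` form; the function name, verdict labels and the 192.168.50.0 line are hypothetical.

```python
import ipaddress
import re

# Matches the server-side directive: push "route <network> <netmask>"
PUSH_ROUTE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"\s*$')

# Constructed sample of OpenVPN custom options, using the question's subnets.
SAMPLE_OPTIONS = '''
push "route 10.21.1.0 255.255.255.0"
push "route 10.21.4.0 255.255.255.0"
push "route 10.21.1.4 255.255.255.0"
push "route 192.168.50.0 255.255.255.0"
'''


def audit_push_routes(config_text, lan_cidr, tunnel_cidr):
    """Return (line, verdict, detail) for every push "route ..." line found."""
    lan = ipaddress.ip_network(lan_cidr)
    tunnel = ipaddress.ip_network(tunnel_cidr)
    findings = []
    for raw in config_text.splitlines():
        match = PUSH_ROUTE.match(raw)
        if not match:
            continue
        addr, mask = match.groups()
        line = raw.strip()
        try:
            # strict=False tolerates host bits so they can be reported below.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            findings.append((line, "invalid", str(exc)))
            continue
        if ipaddress.ip_address(addr) != net.network_address:
            # A host address was given where the network address belongs.
            fixed = f'push "route {net.network_address} {net.netmask}"'
            findings.append((line, "host-bits", f"use {fixed}"))
        elif net.overlaps(tunnel):
            # Both ends learn the tunnel subnet during setup.
            findings.append((line, "redundant", "tunnel subnet needs no pushed route"))
        elif net == lan:
            findings.append((line, "ok", "gives clients a route to the LAN"))
        else:
            # Every pushed route widens what VPN clients can reach.
            findings.append((line, "review", f"{net} is not the LAN; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for line, verdict, detail in audit_push_routes(
            SAMPLE_OPTIONS, "10.21.1.0/24", "10.21.4.0/24"):
        print(f"{verdict:10} {line}  ({detail})")
```

A pushed route only tells the client where to send packets; the pass rules on the pfSense interfaces still decide whether that traffic is allowed.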

          • Hi @quadruplebucky, thank you for your answer. The problem here is that if I use an OpenVPN Client I get an IP from the tunnel subnet (in this case, 10.21.4.2), either on a cellphone or a Windows client. I understand I should have an IP from the LAN network (something in 10.21.1.0/24)
            – DAVID
            Jun 12 '17 at 5:51






          • No, that's if you're using a TAP device (bridged). You're using a TUN device. It's actually advantageous in many ways (broadcast domain...etc) but that's another matter
            – quadruplebucky
            Jun 12 '17 at 5:54










          • I'm sorry, I don't understand. Given that I'm using a TUN device, you're saying that I don't need to push any route?
            – DAVID
            Jun 12 '17 at 6:00










          • It won't hurt anything to push the server's LAN subnet if you want to grant clients access to that - a common small office type setup. But I don't really know what you're trying to do, just guessing. To make it clearer, say I want to get access to my desktop computer from home, from my laptop, and I don't know anything about anything, you could set me up with an OpenVPN client and remote desktop and I could probably work from home without much hassle.
            – quadruplebucky
            Jun 12 '17 at 6:02












          • That's exactly what I want to do. In the LAN there are many services, such as HTTP, SMTP, etc., and I want VPN clients who are on the Internet to have access to them, as if they were there in the LAN :)
            – DAVID
            Jun 12 '17 at 6:04

















