How to use push “route 10.0.0.0 255.255.255.0” on pfSense
My OpenVPN server has a local IP address 10.21.1.4 (it's on the 10.21.1.0/24 subnet), and uses the 10.21.4.0/24 subnet for the tunnel. What route should I push to grant VPN clients access to the LAN (10.21.1.0/24)?
Should it be push "route 10.21.1.0 255.255.255.0" or push "route 10.21.4.0 255.255.255.0"?
UPDATE 1
Doing push "route 10.21.1.0 255.255.255.0" still doesn't allow my VPN clients to access the LAN. Momentarily, I added the following rules on the WAN and LAN interfaces:
Protocol: IPv4*
Source: *
Port: *
Destination: *
Port: *
Gateway: *
networking routing lan openvpn pfsense
edited Jun 12 '17 at 7:04
asked Jun 12 '17 at 5:43
DAVID
1 Answer
You don't need to push the tunnel route; the client and server will both know about that (they figure that out in the setup). The server will push things that aren't part of the tunnel -- its other interfaces.
Also, pfSense will need explicit pass rules on the LAN and VPN interfaces for the VPN traffic. So, assign your VPN server to an interface; it makes things easier. On pfSense, let's use the (assign) option under the Interfaces menu to assign it to OPT1. Then:
Firewall->Rules->OPT1 create a new rule (at the top is fine).
Action pass, Interface OPT1, IPv4, protocol any, source OPT1 net, destination any, description "let opt1 talk to anybody", save and apply
That rule says that all traffic that comes in from VPN clients is allowed to leave the firewall (to any destination).
Now we have to create a rule that says LAN clients are allowed to talk to VPN clients:
Firewall->Rules->LAN create a new rule (at the top is fine).
Action pass, Interface LAN, IPv4, protocol any, source LAN net, destination OPT1, description "let LAN talk to opt1", save and apply
Note that we probably don't need this, since the LAN is very likely already allowed to talk to everybody, but we're trying to make this easy right now.
Now, back to the OpenVPN options:
Say the server's lan interface is 10.20.30.40/24
push "route 10.20.30.0 255.255.255.0"
You may want to enable NetBIOS if you use Samba/Microsoft. You probably want to add an in-office DNS.
Hope this helps.
edited Jun 12 '17 at 7:03
answered Jun 12 '17 at 5:48
quadruplebucky
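An added example, not part of the original answer: a small Python check that reads an OpenVPN server config and classifies each push "route ..." line as redundant (it is the tunnel subnet), malformed (a host address paired with a subnet mask), or fine. The sample config is constructed from the addresses in the question, and the name lint_pushed_routes is this example's own.

```python
import ipaddress
import shlex

# Constructed sample config built from the question's addresses:
# tunnel 10.21.4.0/24, LAN 10.21.1.0/24, server's LAN address 10.21.1.4.
SAMPLE_CONF = '''\
dev tun
# tunnel network handed out to clients
server 10.21.4.0 255.255.255.0
push "route 10.21.4.0 255.255.255.0"
push "route 10.21.1.4 255.255.255.0"
push "route 10.21.1.0 255.255.255.0"
'''


def lint_pushed_routes(conf_text):
    """Return a list of (route, verdict, detail) for each pushed route."""
    tunnel = None
    pushed = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        words = shlex.split(line, comments=True)  # drops '#' comments
        if not words:
            continue
        if words[0] == "server" and len(words) >= 3:
            tunnel = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif words[0] == "push" and len(words) >= 2:
            args = words[1].split()
            if len(args) >= 2 and args[0] == "route":
                # OpenVPN treats a route with no netmask as a /32 host route.
                mask = args[2] if len(args) > 2 else "255.255.255.255"
                pushed.append((args[1], mask))

    results = []
    for addr, mask in pushed:
        label = f"{addr} {mask}"
        try:
            iface = ipaddress.ip_interface(f"{addr}/{mask}")
        except ValueError:
            results.append((label, "unparsed", "not a literal IPv4 address/netmask"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # Host bits set: the OS route command will reject or misapply this.
            results.append((label, "host-bits",
                            f"use {net.network_address} {net.netmask}"))
        elif tunnel is not None and net.overlaps(tunnel):
            results.append((label, "tunnel",
                            "already known to both ends of the tunnel"))
        else:
            results.append((label, "ok", f"clients route {net} via the VPN"))
    return results


if __name__ == "__main__":
    for route, verdict, detail in lint_pushed_routes(SAMPLE_CONF):
        print(f"{verdict:10} {route:32} {detail}")
```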
Hi @quadruplebucky, thank you for your answer. The problem here is that if I use an OpenVPN Client I get an IP from the tunnel subnet (in this case, 10.21.4.2), either on a cellphone or a Windows client. I understand I should have an IP from the LAN network (something in 10.21.1.0/24)
– DAVID
Jun 12 '17 at 5:51
No, that's if you're using a TAP device (bridged). You're using a TUN device. It's actually advantageous in many ways (broadcast domain, etc.), but that's another matter.
– quadruplebucky
Jun 12 '17 at 5:54
I'm sorry, I don't understand. Given that I'm using a TUN device, you're saying that I don't need to push any route?
– DAVID
Jun 12 '17 at 6:00
It won't hurt anything to push the server's LAN subnet if you want to grant clients access to that - a common small office type setup. But I don't really know what you're trying to do, just guessing. To make it clearer, say I want to get access to my desktop computer from home, from my laptop, and I don't know anything about anything, you could set me up with an OpenVPN client and remote desktop and I could probably work from home without much hassle.
– quadruplebucky
Jun 12 '17 at 6:02
That's exactly what I want to do. In the LAN there are many services, such as HTTP, SMTP, etc., and I want VPN clients who are on the Internet to have access to them, as if they were there in the LAN :)
– DAVID
Jun 12 '17 at 6:04