I’ve set up a VPN server for site-to-site and road-warrior access.
The OpenVPN server in pfSense runs on a Google Cloud server. Sites 1 & 2 each have a GL-MT300N-V2 (v3.105) and connect as clients. Road warriors connect to the server from anywhere.
All that seems to be working. The server pushes routes and has a client-config-dir with iroutes for the sites, and everyone can ping everyone using VPN adapter addresses, but NOT using LAN-side addresses.
I have made this work previously. I have commented out the default rules in /etc/vpn.user and removed the ‘lan2wan_forwarding disable’ line in /etc/init.d/startvpn.
In a prior firmware I recall altering the firewall zone settings in LuCI, but my changes so far have not been successful.
Ultimately I want to be able to connect from the road and ping clients behind the Mangos at either site using their LAN address.
Server: 10.10.212.1/24
Site1: VPN: 10.10.212.2/24 LAN: 192.168.10.1/24
Site2: VPN: 10.10.212.3/24 LAN: 192.168.20.1/24
RoadGuy: VPN: 10.10.212.4/24 LAN: whatever (not routed)
RoadGuy can ping 10.10.212.1, .2 and .3 but can’t ping 192.168.10.1 or 192.168.20.1.
But both sites show the subnets in their routing table:
```
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
default         (gateway)       0.0.0.0         UG    20     0   0   apcli0
(WAN Subnet)    *               255.255.255.0   U     20     0   0   apcli0
(VPN Server)    *               255.255.255.0   U     0      0   0   tun0
(CloudServer)   (gateway)       255.255.255.255 UGH   0      0   0   apcli0
192.168.10.0    *               255.255.255.0   U     0      0   0   br-lan
192.168.20.0    (VPN Server)    255.255.255.0   UG    0      0   0   tun0
```
The problem, as best I can tell, is in my firewall settings on the GL-MT300N-V2s. Traffic is not flowing between the LAN and VPN adapters.
What changes to the default LuCI firewall settings are required to allow this behaviour? Suggestions and advice appreciated (my head’s getting sore from banging it : ).
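The zone and forwarding changes the question is asking about, as an added example that is not part of the post and not GL.iNet firmware code. It is the plain OpenWrt UCI equivalent of what you would click together in LuCI: a dedicated zone for the tunnel with masquerading off, and a forwarding in each direction between it and `lan`. Assumptions (mine, not the poster's): the OpenVPN client interface is `tun0`, the LAN zone is named `lan`, the new zone name `ovpn` is unused, and `192.168.20.1` is the far site's LAN address when checking from Site 1.

```shell
#!/bin/sh
# Added example (not from the post, not GL.iNet code): OpenWrt UCI firewall
# changes that let traffic cross between br-lan and the OpenVPN tunnel on a
# GL-MT300N-V2 client. Assumed: tunnel interface tun0, LAN zone 'lan', free
# zone name 'ovpn'. On the Mango as root: sh vpn-zone.sh apply; then verify.
VPN_IF="${VPN_IF:-tun0}"
ZONE="${ZONE:-ovpn}"

# Emit a 'uci batch' script. The zone has masq='0' so LAN hosts keep their
# 192.168.x.x source addresses (which the server's iroute relies on), and
# forwardings exist in BOTH directions, because OpenWrt forwardings are
# one-way: lan->ovpn alone lets LAN hosts out but drops the road warrior's
# packets towards the LAN.
vpn_zone_batch() {
cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$ZONE'
add_list firewall.@zone[-1].device='$VPN_IF'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
set firewall.@zone[-1].masq='0'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='$ZONE'
add firewall forwarding
set firewall.@forwarding[-1].src='$ZONE'
set firewall.@forwarding[-1].dest='lan'
commit firewall
EOF
}

# Number of forwarding sections the batch creates; must be 2.
forwarding_count() {
    vpn_zone_batch | grep -c '^add firewall forwarding'
}

# Apply the batch and reload the firewall (only meaningful on the router).
apply_vpn_zone() {
    vpn_zone_batch | uci batch
    /etc/init.d/firewall reload
}

# Post-apply checks: a kernel route to the far LAN via the tunnel, IPv4
# forwarding on, and the two forwardings present in the running config.
# $1 is the far site's LAN address (assumed 192.168.20.1 when run at Site 1).
verify_vpn_zone() {
    remote_lan="${1:-192.168.20.1}"
    ip route get "$remote_lan" | grep -q "$VPN_IF" || echo "no route to $remote_lan via $VPN_IF"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "ip_forward is off"
    uci show firewall | grep -E "forwarding.*(src|dest)='$ZONE'"
}

case "$1" in
    apply)  apply_vpn_zone ;;
    verify) verify_vpn_zone "$2" ;;
    show)   vpn_zone_batch ;;
esac
```

Two things to keep in mind when doing the same in LuCI. Putting `tun0` into the existing `wan` zone does not work here: the default `wan` zone masquerades and rejects forwarded traffic, and the only default forwarding is `lan` to `wan`, so the road warrior's packets to 192.168.10.x are rejected and any LAN replies get NATed to the tunnel address. Second, `input='ACCEPT'` on the tunnel zone is what makes pinging the Mango's own 192.168.10.1 work, but it also exposes SSH and LuCI to every VPN peer; if that is not wanted, leave input at REJECT and add a rule for ICMP only. The road warrior's packets to either LAN also transit the pfSense box, so the firewall rules on its OpenVPN interface must pass traffic between the 10.10.212.0/24 clients and both 192.168.x.0/24 networks.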