# Firewall is blocking local LAN traffic to OpenVPN gateway



## djcoder (Aug 9, 2015)

I want hosts on the Home LAN to connect to hosts on the Work LAN via the VPN LAN, but the Work firewall is blocking traffic from the Work LAN back to the VPN LAN gateway.

I can actually see the traffic being blocked in the logs:

```
Action    Interface    Source           Destination                   Protocol
Block     LAN          192.168.1.177    10.8.0.2, type echoreply/0    ICMP
```
The OpenVPN server host is running OpenVPN 2.3.6 on FreeBSD 9.3.
The firewall is m0n0wall.

In order to allow this traffic to pass I added the following rules to the Work firewall:

```
Proto   Source         Port    Destination    Port    Description
ICMP    10.8.0.0/24    *       LAN net        *       Allow ICMP traffic from VPN
ICMP    LAN net        *       10.8.0.0/24    *       Allow ICMP traffic to VPN
```
…this had no impact.

There is clearly some rule blocking this traffic, but I am not great with networking and have not found a way to have the m0n0wall GUI show me which rule blocked the traffic.

Please note:
    1. I made the rule ICMP specific for now and I will update it to allow other types of traffic once I get it working correctly.
    2. I would have loved to ask this at the m0n0wall forum but it has been closed. (I will transition out of it as soon as I can but I need to get the VPN going first.)

    -----------------------------------------------------------------------------------------------------
More info on my situation
I can connect to the OpenVPN server from the Home computer, and the OpenVPN daemon itself seems to be running well and configured correctly.
I say that because, once the OpenVPN tunnel is created, I can ping:
    all of Home LAN,
    all of VPN LAN,
    Work LAN interface of OpenVPN server,
    VPN LAN interface of OpenVPN server,
    router in Work LAN

OpenVPN has an FAQ question called "OpenVPN can ping both peers, but I can't reach any of the other machines on the remote subnet".

It suggests three possible problems:
    1. Work firewall is filtering the TUN interface,
    2. IP forwarding is not enabled on the OpenVPN server,
    3. Work LAN clients have no route back to the VPN LAN.

The OpenVPN server is set up as a gateway:

```
$ sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1
```

The Work router has a static route to point VPN LAN traffic back to the VPN server:

```
Interface    Network        Gateway          Description
LAN          10.8.0.0/24    192.168.1.171    Route to allow VPN traffic to return to source
```

This leaves me with the Work firewall as the last remaining possibility for problems; plus, like I said earlier, I can see the traffic blocked by the firewall in the logs.

    -----------------------------------------------------------------------------------------------------
Here are some network details
I have three LANs:
    Home LAN( 192.168.2.0/24 ), 
    Work LAN( 192.168.1.0/24 ) and 
    VPN LAN( 10.8.0.0/24 ).

With the following hosts/IPs:
    Home router/192.168.2.1
    Home computer/192.168.2.4 and 10.8.0.2
    Work router/192.168.1.1
    OpenVPN server/192.168.1.171 and 10.8.0.1
    Work computer/192.168.1.177


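The block shown in the log is the echo *reply* arriving on the firewall's LAN interface, so a useful first check is whether the reply takes a different path than the request: the OpenVPN server sits on the Work LAN and reaches 192.168.1.177 directly, but 192.168.1.177 has no route for 10.8.0.0/24 and sends its reply to its default gateway, where a stateful firewall that never saw the request drops it. The script below is an added example, not code from the thread, the poster or m0n0wall. It assumes the firewall really is ipfw, as the poster states, with logging enabled (`net.inet.ip.fw.verbose=1` or the `log` keyword on a rule), producing lines of the form `ipfw: <rule> <Accept|Deny|...> <proto> <src> <dst> in via <ifname>`; the log lines, the interface name `vr0` and the Work computer's routing table are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find which ipfw rule dropped the echo
# replies and check whether the reply path differs from the request path.
# Assumes the firewall is ipfw with logging on (net.inet.ip.fw.verbose=1, or
# "log" on the rule), producing lines of the form
#   ipfw: <rule> <Accept|Deny|...> <proto> <src> <dst> in via <ifname>
# All log lines and the routing table below are constructed for the example.

SAMPLE_LOG='Aug  9 21:03:11 fw kernel: ipfw: 65000 Deny ICMP:0.0 192.168.1.177 10.8.0.2 in via vr0
Aug  9 21:03:12 fw kernel: ipfw: 65000 Deny ICMP:0.0 192.168.1.177 10.8.0.2 in via vr0
Aug  9 21:03:15 fw kernel: ipfw: 100 Accept TCP 192.168.1.177:51234 192.168.1.1:80 in via vr0'

# Constructed routing table of the Work computer (192.168.1.177). It has no
# route for 10.8.0.0/24, so replies to the VPN client go to the default gateway.
WORK_HOST_ROUTES='0.0.0.0/0 192.168.1.1
192.168.1.0/24 link'

# blocking_rules SRC DST: rule numbers that denied SRC -> DST in $SAMPLE_LOG.
blocking_rules() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v s="$1" -v d="$2" '
        / ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); act = $(i+2); src = $(i+4); dst = $(i+5)
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)   # strip TCP/UDP ports
            if (act == "Deny" && src == s && dst == d) print rule
        }' | sort -u
}

# next_hop ROUTES IP: longest-prefix match over "network/len gateway" lines;
# prints the gateway, or "link" when IP is on a directly attached network.
next_hop() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        function prefix(a, n) { return int(toint(a) / 2^(32-n)) }
        BEGIN { best = -1 }
        { split($1, c, "/"); n = c[2]+0
          if (prefix(ip, n) == prefix(c[1], n) && n > best) { best = n; gw = $2 } }
        END { print gw }'
}

# reply_path ROUTES VPN_CLIENT VPN_SERVER_LAN_IP: "symmetric" when the LAN host
# sends its reply straight back to the OpenVPN server, "asymmetric" when it
# sends it to another gateway. In the asymmetric case a stateful firewall on
# that gateway never saw the request (it went server -> host directly on the
# LAN) and drops the reply as unsolicited, which is what the poster's log shows.
reply_path() {
    gw=$(next_hop "$1" "$2")
    if [ "$gw" = "$3" ]; then echo symmetric; else echo asymmetric; fi
}

echo "rules that dropped 192.168.1.177 -> 10.8.0.2: $(blocking_rules 192.168.1.177 10.8.0.2)"
echo "Work computer sends replies for 10.8.0.2 to: $(next_hop "$WORK_HOST_ROUTES" 10.8.0.2)"
echo "reply path vs. request path: $(reply_path "$WORK_HOST_ROUTES" 10.8.0.2 192.168.1.171)"
```

On the real box, `ipfw -a list` shows every rule with its packet counters (the counter of the blocking rule climbs with each dropped reply), `netstat -rn` on the Work computer shows which gateway 10.8.0.0/24 resolves to, and `tcpdump -ni vr0 icmp` on the firewall confirms whether the echo request ever passed through it. The usual remedies for the asymmetric case are to give the Work LAN hosts a route for 10.8.0.0/24 via 192.168.1.171 (or hand it out via DHCP option 121), to NAT VPN clients to the OpenVPN server's LAN address so the hosts reply to 192.168.1.171 directly, or to run the OpenVPN server on the firewall itself so both directions traverse the same state table.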
----------



## SirDice (Aug 10, 2015)

djcoder said:


> The firewall is m0n0wall.


Thread pc-bsd-freenas-nas4free-and-all-other-freebsd-derivatives.7290


----------



## djcoder (Aug 10, 2015)

SirDice said:


> Thread pc-bsd-freenas-nas4free-and-all-other-freebsd-derivatives.7290


Please see #2 under "Please note".


djcoder said:


> Please note:
> 1. I made the rule ICMP specific for now and I update it to allow other types of traffic once I get it working correctly.
> 2. I would have loved to ask this at the m0n0wall forum but it has been closed.( I will transition out of it as soon as I can but I need to get the VPN going first )


While the GUI is m0n0wall, the underlying OS is FreeBSD and the main piece of software in question is IPFW.

Thank you


----------



## SirDice (Aug 12, 2015)

> These derivative products are all customised in some way, which means, among other things, that their base system, ports/package management, source code, X system, kernel configuration, libraries, disk layout, installation procedure, disk systems, etc. etc. may be very different.


----------



## djcoder (Aug 12, 2015)

Please keep in mind, SirDice, all help is welcome.

I get it. Derivative systems may be different.
But they also MAY NOT be different.

If it makes life easier ignore the word m0n0wall.

This question is about a FreeBSD system with an IPFW firewall.


----------



## wblock@ (Aug 12, 2015)

But that is not how IPFW firewall rules are entered.  The ones shown are from a web GUI.  If you can find the actual rules in a configuration file (possibly /etc/rc.firewall, but maybe not), that would help.  It might not, since entering any suggested changes directly into that file might interfere with the web UI.

At this point, it's probably best to either switch to normal FreeBSD or to go with one of the living descendants of m0n0wall, https://opnsense.org/ or https://www.pfsense.org/.


----------



## xavi (Aug 13, 2015)

wblock@ said:


> At this point, it's probably best to either switch to normal FreeBSD or to go with one of the living descendants of m0n0wall, https://opnsense.org/ or https://www.pfsense.org/.



There's also http://www.smallwall.org/


----------

