Can ping from one side but not the other

Either firewall rules on the OpenVPN tab (or assigned interface) on the side you can't ping

OR a firewall on the device you can't ping itself.

OR policy routing on the side that cannot ping the other forcing connections over a different path.

Thanks Jim, appreciate it.

I enabled it again and it continues to work which confuses me since one of the first things I tried was to disable NAT rules so I don't know why it didn't work then.

I appreciate your input but not sure if thats the real reason. I know it can be done on the IOS platform becuase at work we have cisco anyconnect and sonic wall VPNs that do it just fine. So maybe in the future it will be added. Other wise, I am happy with PFsense and the community!

Segmentation is not stupid, but do it the right way. ;-)

-Rico

Did you manage to resolve it? I've been having the identical issue with my pfSense install for a while as well. Currently running version 2.4.4-RELEASE-p2.

hi chris,
I am new to linux and pfsense so I fumbled around but then I found the status->systems.logs and noticed this
"Bad compression stub (swap) decompression header byte: 42 "
so I changed the compression on the openvpn client to match the openvpn server and shazaam, it worked.

now I have a new problem.
from the server/negate.sg110 web interface I can ping virtual computers behind the azure.pfsense
from the azure.pfsense.client web interface, I can ping physical computers behind my netgate sg1110.
however,
I cannot ping from a physical computer behind my netgate to a virtual computer behind the azure pfsense
I cannot ping from a virtual computer behind azure pfsense to a physical computer behind my netgate.sg1110

I thought that since I had added the correct "IPv4 Remote network" on the server and client, that I should be able to ping from computer to computer.

do I need a add a manual route somehow and if so, how might I do that?
or what do you suggest?

thanks very much,
david

@sam721 said in OpenVPN between pfSense and Ubiquiti EdgeRouter X:

the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed.

I'm not familiar with how to set firewall rules on an ubiquiti edge router.

The rule youre going to need though is to allow the pfsense lan subnet to talk to the ubiquiti subnet. I'd also ensure NAT is NOT enabled for either side, so you can see the subnet IP's. This isnt a need as much as its a nice to have in case you ever need to figure out which specific client on one of those is misbehaving.

Glad you have it working now.

-Rico

Yes this could be the problem.
Years ago we had some SHDSL line as spare with cisco router from the ISP. The cisco was totally managed by the ISP with no access for us. For any changes like port forwadings we need to open a ticket...

-Rico

Best practices here would recommend implementing as strict a rule as is necessary.

Perhaps a deny all to those vpn networks, and place rules above this for the protocols/services/destinations you need?

well i see that, but i set it up according to the settings. I will look into it sorry.

@johnpoz said in remote OpenVPN-client LAN not reachable:

@sgw said in remote OpenVPN-client LAN not reachable:

redirect-gateway def1

Why are you redirecting gateway? That is normally not done in a site to site setup.

A leftover from my desparate debugging. Thanks for spotting, disabled it now (was in the CSO).

On closer inspection, it appears that the problem is certain assets dropping any request coming from outside their assigned address range.

This appears to be a crude and problematic security "feature" and has been brought up with the manufacturer. If I can verify, I'll mark this is solved.

it may be necessary to configure as peer-peer and put each connecting client in the address range of the LAN, which, given we're using a class A as a classification system, there's plenty of class C ranges not internally assigned.

Will update with any progress.

UDP should be better yeah - unless you can not get to it, then is useless ;)

Takes nothing more than some simple setup to run both. And if you configure the client settings correctly - it will first try your UDP connection, and if can not connect it will then try TCP.

https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

-Rico

@emammadov thanks