New OpenVPN server, can connect but can't get to LAN subnet.
-
Okay so I factory reset my pfSense. I have nothing plugged into my network but one computer and my raspberry pi at 192.168.192.12.
My LAN network is 192.168.192.0/24.
I set up the VPN using these setup instructions.
I have no other VLANs, no other VPNs. I have two any to any rules on every interface. One for IPv4 and one for IPv6.
I'm still getting a default deny rule. I have no idea what is going on.
I know this is not the ideal setup. I just want to get everything out of the way that could be causing this problem. I have no idea how this can be blocked. I don't remember my other Netgate being this big of a pain to set up. Is there something different with this new SG-2100?
-
@fatman032
Again, it looks like the Raspberry is sending responses not to pfSense, but to another device.
So go to the Pi and check out its routing table to get any further, please.
-
@viragomann Sorry, had a bad night, just wanting to get this working.
Here is the routing table for the pi.
-
@fatman032
And what's the LAN IP of pfSense? Does it match?
-
@viragomann Yes, they match. The LAN is 192.168.192.0/24
Here you go. It has new IP since it no longer has a reservation.
-
@fatman032 said in New OpenVPN server, can connect but can't get to LAN subnet.:
Yes, they match. The LAN is 192.168.192.0/24
That's not a proper Interface IP, that's a network address.
-
@viragomann Here you go.
-
@fatman032
All right. So I cannot tell you why you run into these out-of-state blocks on LAN:
Since the source port is 80 and the flag is SA, these are definitely response packets to SYN packets. And presumably pfSense never saw the respective SYN packets.
Okay, do you connect your VPN clients from inside your LAN?
-
@viragomann No, I have been using my cell as a hotspot.
-
@fatman032 said in New OpenVPN server, can connect but can't get to LAN subnet.:
No, I have been using my cell as a hotspot.
Also cut all internal connections?
Need to see the client's routing table to get closer.
-
Also cut all internal connections?
Yes, I turn off the Wi-Fi.
Need to see the client's routing table to get closer.
-
@fatman032
Looks well.
Ensure that your cell phone also has no internal connection at the time you test the VPN via the hotspot.
I'm sure there must be something wrong in your setup. You obviously have an asymmetric routing issue on the VPN.
For further investigation I can only suggest sniffing the traffic on all involved interfaces while you try to access the LAN from the VPN client.
I guess the SYN packets don't come in on the VPN interface.
-
Well, after hours of trying different things, I think I might have found the fix. I have no idea if this was the fix because of the number of things I was trying at the end, but this makes sense to me. I didn't have these boxes checked, and when pfSense made the gateways it didn't check the boxes automatically.
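
Added example, not part of any post in this thread: a toy model of a stateful filter showing why a SYN-ACK from port 80 is blocked as out-of-state when the firewall never saw the matching SYN, even with pass-any rules. The tunnel address 10.0.8.2, the interface labels and both packet traces are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet records as the firewall would see them.
Packet = namedtuple("Packet", "iface src sport dst dport flags")

PI = "192.168.192.12"        # Raspberry Pi on the LAN (from the thread)
VPN_CLIENT = "10.0.8.2"      # constructed tunnel address, not from the thread


class StatefulFilter:
    """Toy stateful filter with pass-any rules on every interface."""

    def __init__(self):
        self.states = set()  # (src, sport, dst, dport) of the initial SYN

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"                 # belongs to a tracked connection
        if pkt.flags == "S":
            self.states.add(fwd)          # a pass rule creates state on SYN
            return "pass"
        return "block"                    # no state, not a SYN: default deny


def replay(packets):
    """Return (verdict, packet) for each packet, in order."""
    fw = StatefulFilter()
    return [(fw.process(p), p) for p in packets]


def out_of_state_synacks(packets):
    """Blocked SYN-ACKs: replies whose SYN never crossed this firewall."""
    return [p for verdict, p in replay(packets)
            if verdict == "block" and p.flags == "SA"]


# Symmetric path: SYN enters on the OpenVPN interface, reply leaves via LAN.
symmetric = [
    Packet("ovpns1", VPN_CLIENT, 50000, PI, 80, "S"),
    Packet("lan", PI, 80, VPN_CLIENT, 50000, "SA"),
    Packet("ovpns1", VPN_CLIENT, 50000, PI, 80, "A"),
]
# Asymmetric path: the SYN reached the Pi some other way; the firewall sees
# only the reply arriving on LAN.
asymmetric = [Packet("lan", PI, 80, VPN_CLIENT, 50001, "SA")]

if __name__ == "__main__":
    for name, trace in (("symmetric", symmetric), ("asymmetric", asymmetric)):
        print(name, [v for v, _ in replay(trace)], out_of_state_synacks(trace))
```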