Netgate Discussion Forum

Site to site problem

OpenVPN
5 Posts 3 Posters 1.4k Views
  • jmarc
    last edited by Jul 12, 2016, 12:36 PM

    Hello,

    I've setup a site to site openvpn.

    PfSense 2.3.1

    Main office has a static IP
    Main office ip range 192.168.175.0/24
    Remote office has a static ip
    Remote office ip range 192.168.185.0/24

    Setup the server on the main office with the following settings
    proto: UDP
    port: 1195
    Shared key
    IPv4 tunnel Network: 192.168.177.0/24
    IPv4 Remote Network: 192.168.185.0/24

    Setup client on remote site with the following settings
    proto: UDP
    Server host : static ip from main office
    port: 1195
    Shared key
    IPv4 tunnel network: 192.168.177.0/24
    IPv4 Remote Network: 192.168.175.0/24

    Remote site can connect to resources on Main office (ping, smb, ftp…)
    Main office cannot ping or connect to remote office's network

    Opened port 1195 in the openvpn rules on both sides

    What am I missing here?

    Thanks

    • praecorloth
      last edited by Jul 15, 2016, 2:53 AM

      A route (or lack thereof) on the remote office side? Is pfSense the default gateway for machines in the remote office? If not, does the actual default gateway have a route pointing traffic for 192.168.175.0/24 over to your pfSense box? Make sure to check the resources in the remote office. Sometimes people get creative with "security" and don't assign a default gateway to servers/devices that shouldn't be accessing the Internet.

      I would also do a packet capture on the remote office pfSense to verify that the packets from the main office are indeed getting that far. Then a packet capture on a resource as you attempt to access it from the main office.

      • Derelict LAYER 8 Netgate
        last edited by Jul 15, 2016, 7:00 AM

        You don't open the OpenVPN port on the OpenVPN rules. You pass the traffic you want to allow from the Remote Networks coming in through the tunnel.

        You need to pass the UDP/1195 on the Server's WAN so the client can connect to the server to establish the tunnel. This has obviously been done or the tunnel would not be coming up.

        You might want to start with rules like this on both sides.

        If you do that and still can't contact hosts on one side, it is probably the local firewall on the target host (i.e. Windows Firewall).

        ![Screen Shot 2016-07-15 at 12.02.23 AM.png](/public/imported_attachments/1/Screen Shot 2016-07-15 at 12.02.23 AM.png)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jmarc
          last edited by Sep 23, 2016, 2:34 PM
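As an added illustration (the screenshot attached to the post above is not reproduced here, and this is not Netgate's or the poster's own ruleset), here is what rules of the kind Derelict describes look like when written as pf rules, the form pfSense generates from the Firewall > Rules > OpenVPN tab. The networks and port are the ones from the original post; the `openvpn` interface group name and the `em0` WAN interface name are assumptions for this example. The rule that the thread says does not belong on the OpenVPN tab is shown commented out for contrast.

```conf
# --- Main office pfSense (OpenVPN server side) ---

# WAN: let the remote client reach the OpenVPN listener so the tunnel can come up.
# This is the only place the udp/1195 rule is needed. (em0 = assumed WAN interface.)
pass in quick on em0 inet proto udp from any to (em0) port 1195 keep state

# OpenVPN tab: pass the traffic that arrives *through* the tunnel from the
# remote office LAN to the main office LAN.
pass in quick on openvpn inet proto { tcp udp icmp } from 192.168.185.0/24 to 192.168.175.0/24 keep state

# NOT needed on the OpenVPN tab: the tunnel port is never seen inside the tunnel,
# so this rule would match none of the traffic you actually want to allow.
# pass in quick on openvpn inet proto udp from any to any port 1195 keep state

# --- Remote office pfSense (OpenVPN client side) ---

# OpenVPN tab: pass traffic arriving through the tunnel from the main office LAN
# to the remote office LAN (the direction that was failing in the first post).
pass in quick on openvpn inet proto { tcp udp icmp } from 192.168.175.0/24 to 192.168.185.0/24 keep state
```

Both tunnel-side rules are deliberately scoped to the two LAN networks rather than `any`, so a host on one office's LAN can only reach the other office's LAN, not the firewall's WAN or other interfaces. If traffic matches these rules in the firewall log but the target still does not answer, the remaining suspects are exactly those named in the two posts above: a missing return route on the target host, or the target host's own firewall.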

          Now I'm getting a bit further.

          Remote office can access head office's resources except for the freepbx IAX2 trunk

          Head office can access some resources. Here's what's still not working or working.

          Head office can connect to remote office's pfsense gui 192.168.185.1
          Head office can't connect to remote office's freepbx (185.8) or openMediaVault (185.49)
          Remote office can connect to head office's freepbx and pfsense gui.

          I can see in the FW logs that my PC 192.168.175.50:52764 passes to the FreePBX web GUI 192.168.185.80:80

          Thanks

          ![Remote Lan rules.png](/public/imported_attachments/1/Remote Lan rules.png)
          ![Remote openvpn rules.png](/public/imported_attachments/1/Remote openvpn rules.png)

          • jmarc
            last edited by Sep 23, 2016, 6:33 PM Sep 23, 2016, 3:42 PM

            I've run Wireshark on my system and the "expert" information shows reassembly error protocol tcp

            Attached some screenshots

            Also, packet capture between the two freepbx shows bad checksum only from remote site to head office.

            192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14

            192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14

            ![Wireshark capture.png](/public/imported_attachments/1/Wireshark capture.png)
            Expert.png

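A practitioner reading the two tcpdump lines in the post above would want to know where the capture was taken before treating the bad checksum as corruption. When tcpdump captures on the host that is *sending* a packet, the kernel hands the frame to libpcap before the NIC fills in the UDP checksum (checksum offload), so tcpdump reports a bad checksum on locally sent packets even though the packet on the wire is fine; a bad checksum on a *received* packet is the kind worth chasing. The thread does not say which host the capture ran on, so the script below, an added example that is not part of the original post, takes the capturing host's address as a parameter. It parses tcpdump UDP summary lines in the format quoted above and classifies each direction of the flow. The two quoted lines are reused as sample input; the extra lines are constructed in the same format.

```python
import re
from collections import defaultdict

# Matches tcpdump -vv UDP summary lines in the shape quoted in the thread, e.g.
# "192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14"
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"\[(?P<cksum>bad udp cksum 0x[0-9a-f]+ -> 0x[0-9a-f]+!|udp sum ok)\] "
    r"UDP, length (?P<length>\d+)$"
)

# Sample input: the two lines quoted in the post plus constructed lines in the same format.
SAMPLE_CAPTURE = [
    "192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe996 -> 0xb1ab!] UDP, length 14",
    "192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14",
    # constructed: a second packet in each direction, and a non-UDP line that must be ignored
    "192.168.185.8.4569 > 192.168.175.21.4569: [bad udp cksum 0xe997 -> 0xb1ac!] UDP, length 14",
    "192.168.175.21.4569 > 192.168.185.8.4569: [udp sum ok] UDP, length 14",
    "this line is not a udp summary line and is skipped",
]


def parse_line(line):
    """Return a dict describing one UDP summary line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bad_cksum": m["cksum"].startswith("bad"),
        "length": int(m["length"]),
    }


def summarize(lines, capture_host):
    """Count good/bad checksums per (src, dst) direction and give each direction a verdict.

    capture_host is the IP address of the machine tcpdump ran on.  Verdicts:
      clean          - no bad checksums in this direction
      likely-offload - bad checksums only on packets *sent by* the capturing host,
                       the classic signature of NIC checksum offload, not corruption
      suspect        - bad checksums on packets the capturing host *received*,
                       i.e. the packet really arrived with a wrong checksum
    """
    counts = defaultdict(lambda: {"ok": 0, "bad": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # not a UDP summary line; ignore
        counts[(pkt["src"], pkt["dst"])]["bad" if pkt["bad_cksum"] else "ok"] += 1

    report = {}
    for (src, dst), c in counts.items():
        if c["bad"] == 0:
            verdict = "clean"
        elif src == capture_host:
            verdict = "likely-offload"
        else:
            verdict = "suspect"
        report[(src, dst)] = {"ok": c["ok"], "bad": c["bad"], "verdict": verdict}
    return report


if __name__ == "__main__":
    # Assume the capture was taken on the remote-office FreePBX box (192.168.185.8).
    for (src, dst), r in summarize(SAMPLE_CAPTURE, "192.168.185.8").items():
        print(f"{src} -> {dst}: ok={r['ok']} bad={r['bad']} verdict={r['verdict']}")
```

With the capture host set to 192.168.185.8, the only direction with bad checksums is the one sent by that host, so the verdict is `likely-offload` and the checksum is a red herring; rerun with the capture host set to 192.168.175.21 and the same lines come back `suspect`, because then the bad checksums are on packets that actually arrived. Checking the offload setting on the capturing host, or capturing on the pfSense box in the middle instead, settles which case applies.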
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.