Netgate Discussion Forum

    Still no reliable peer-to-peer connection, but progress made

    OpenVPN
    DominikHoffmann

      I have to get back to my issue with establishing peer-to-peer connections between two pfSense boxes. I have finally solved the peer-to-peer authentication problem:

      Solved: Peer-to-peer authentication fails—why?

      Screenshot 2024-08-19 at 4.11.45 PM.png

      However, while this takes care of most of the other issues I had posted about,

      1. I still don’t have a way to reliably access the remote site;
      2. can only access the remote pfSense box through its virtual address; any other resources on the remote network remain inaccessible;
      3. the virtual address is reachable only intermittently; I have not been able to discern a pattern to when it is and when it isn’t; accessibility is not even ensured immediately after the establishment of the site-to-site connection.

      OpenVPN Site-to-Site Configuration Example

      My tunnel network is 192.168.7.0/24.

      Do I have to set up specific firewall rules to make things work? Would not having them be the reason that the remote FW LANs from the image are not reachable?

      DominikHoffmann

        I should add that my local pfSense box is also running a remote access OpenVPN server. I can access it without problems. There is no intermittency at all.

        Also, I have a static IP address. The other pfSense boxes that are configured as clients to the peer-to-peer server have CGNAT addresses.

        viragomann @DominikHoffmann

          @DominikHoffmann
          You need to configure Client Specific Overrides for each client you want to access the network behind.
          Did you do this?

          DominikHoffmann @viragomann

            @viragomann: Yes, I did.

            In fact, I have one for each of the clients displayed in my screenshot, and I specify

            1. that it is for my peer-to-peer server (in Server List),
            2. the IPv4 Tunnel Network (192.168.7.6/24, 192.168.7.4/24, etc.), and
            3. the IPv4 Remote Network/s (e.g., 192.168.45.0/24,192.168.46.0/24,192.168.47.0/24).

            Am I missing something?

            viragomann @DominikHoffmann

              @DominikHoffmann said in Still no reliable peer-to-peer connection, but progress made:

              and I specify

              that it is for my peer-to-peer server (in Server List),
              the IPv4 Tunnel Network (192.168.7.6/24, 192.168.7.4/24, etc.), and
              the IPv4 Remote Network/s (e.g., 192.168.45.0/24,192.168.46.0/24,192.168.47.0/24).
              

              I don't understand.

              You need to state the respective remote networks in the CSO.
              And additionally all remote networks have to be stated in the server settings.

              If you have done this properly but don't succeed, ensure that the CSO is applied when the client connects. To verify this, set the server's log verbosity level to 4, reconnect the client and check the log afterwards.

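The two settings viragomann describes map onto two different OpenVPN directives: the "IPv4 Remote Network/s" field of a Client Specific Override becomes an `iroute` line in that client's CCD file (telling the OpenVPN process which client owns the network), while the "IPv4 Remote network/s" field in the server settings becomes a kernel `route` in the server config (telling the operating system to send packets for that network into the tunnel interface). A network listed in one place but not the other is unreachable. The following script, an added example that is not from this thread or from pfSense, checks a server config and a set of CCD files for exactly that mismatch. The config text, the CCD contents and the client names `site-a` and `site-b` are constructed for illustration; on a real pfSense box you would read the generated server config and the files under its CCD directory instead.

```python
"""
Consistency check for an OpenVPN site-to-site server: every network a
client-specific override claims with `iroute` must also be routed into the
tunnel with a kernel `route` in the server config, and vice versa.
The sample config and CCD files below are constructed for illustration.
"""
import ipaddress
import re

# Constructed sample server config. pfSense renders the server's
# "IPv4 Remote network/s" field as `route` lines like these.
SERVER_CONF = """
dev ovpns2
server 192.168.7.0 255.255.255.0
client-config-dir /var/etc/openvpn/server2/ccd
route 192.168.45.0 255.255.255.0
route 192.168.46.0 255.255.255.0
# 192.168.47.0/24 is deliberately missing here to show the failure mode
"""

# Constructed sample CCD files, keyed by the client's certificate common name.
# pfSense renders a CSO's "IPv4 Remote Network/s" field as `iroute` lines.
CCD_FILES = {
    "site-a": (
        "iroute 192.168.45.0 255.255.255.0\n"
        "iroute 192.168.46.0 255.255.255.0\n"
        "iroute 192.168.47.0 255.255.255.0\n"
    ),
    "site-b": "ifconfig-push 192.168.7.4 255.255.255.0\n",
}

_ROUTE_RE = re.compile(r"^\s*(route|iroute)\s+(\S+)\s+(\S+)", re.M)


def parse_routes(text, directive):
    """Return the set of networks declared with `route` or `iroute` in text."""
    nets = set()
    for m in _ROUTE_RE.finditer(text):
        if m.group(1) != directive:
            continue
        # OpenVPN writes "network netmask"; ipaddress accepts "net/mask" form.
        nets.add(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def check_consistency(server_conf, ccd_files):
    """Compare server `route` entries against all clients' `iroute` entries."""
    server_routes = parse_routes(server_conf, "route")
    iroutes = {}
    for cn, body in ccd_files.items():
        for net in parse_routes(body, "iroute"):
            iroutes.setdefault(net, []).append(cn)
    return {
        # iroute in a CCD but no server route: the kernel never hands packets
        # for that network to the tun interface, so the remote LAN is unreachable.
        "missing_route": sorted(
            (str(n), sorted(c)) for n, c in iroutes.items() if n not in server_routes
        ),
        # server route with no iroute: packets reach the OpenVPN process, but it
        # has no client to deliver them to and drops them.
        "missing_iroute": sorted(str(n) for n in server_routes if n not in iroutes),
        # the same network claimed by two clients is ambiguous; only one wins.
        "duplicate_iroute": sorted(
            (str(n), sorted(c)) for n, c in iroutes.items() if len(c) > 1
        ),
    }


if __name__ == "__main__":
    for kind, entries in check_consistency(SERVER_CONF, CCD_FILES).items():
        print(f"{kind}: {entries or 'none'}")
```

Run against the constructed sample, the script reports 192.168.47.0/24 under `missing_route`, which is the situation the thread ends on: the CSO alone is not enough, the network also has to be declared on the server.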
                DominikHoffmann @viragomann

                @viragomann said in Still no reliable peer-to-peer connection, but progress made:

                And additionally all remote networks have to be stated in the server settings.

                This was the crux of the matter!

                Thank you very much!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.