my openvpn site to site i cant seem to ping or access other site doesnt stay stable
-
So I have my site-to-site pfSense to pfSense OpenVPN connected and I had followed some videos, but I'm not sure if my PIA VPN is conflicting or not.
So I can make a connection and the connection stays up from site A to site B,
but when you ping a computer on the other network or the other pfSense box it will work, and if you stop and try again it can't ping it. You stop and start, say, 10 times and it will ping 4 or 5 times out of 10 tries. I find accessing server GUI webpages doesn't always like to load.
Is this a NAT issue, a compression issue under the OpenVPN tunnel, could it be a gateway issue?
And what should a NAT for site-to-site look like? I also was googling and saw about WireGuard. Is WireGuard better for site-to-site? As my IP is dynamic and changes from the DSL modem reboots etc., and I read WireGuard needs a static IP.
But yeah, that's what I'm trying to figure out, why my IP pinging and accessing is messed up. It's like when you have 2 computers on the network with the same IP address and you know it will work sometimes and then not, because there are 2 computers with the same IP and it doesn't know which way to go. So it's acting similar to that.
I saw in another video they did a NAT setting, as other videos don't do NAT, but I did this and it kinda works better... but the Translation section I set to WAN Address, while in the video it shows Network Interface.
And should it be WAN address? Or Network & Alias?
And the network IP 172.168.0.0, that's the tunnel address.
-
You shouldn't need NAT here, assuming the two networks on each side are using different subnets.
Seeing alternate connections working seems more like you could be policy routing via a load-balanced gateway.
What firewall rules do you have passing traffic on the local LAN interface?
-
@stephenw10
And can I delete any of the NATs that probably don't do anything? Do you see any that are not needed etc.? Like this 1::128 or whatever they are, what is the 127 one, do I need all those, what does the 128 do to the specific network?
Trying to make it run as smooth as possible.
I found if I didn't have the OpenVPN it didn't wanna communicate across the networks, and I found some articles have a NAT setting, some don't. So that's why I'm confused, and what's the proper way?
I was having OpenVPN NAT for 192.168.1.0 instead of the 172.168.0.0 and that also caused glitching.
So my network is 192.168.0.0 and 192.168.1.0 for both pfSense boxes.
As for my firewall rules, these are on the 1 server. The other server is similar but I'll have to get pics later if you need them.
-
The site A main pfSense LAN Firewall page is:
-
You can certainly remove that OpenVPN outbound NAT rule. It's NATing to the WAN address on the OpenVPN interface which is always wrong!
The two localhost addresses (127/8 and 1/128) are not always needed. pfSense itself will usually use the WAN address directly.
It looks like you have switched OBN to manual mode? Better to use hybrid for most situations.
How exactly are you testing here? From what IP to what remote IP?
It could be the remote device blocking traffic itself. Some OSes (Windows) will block traffic from a different subnet by default.
-
@stephenw10
OK, I removed the OpenVPN interface to WAN address NAT. So what was that basically doing? You mentioned it doesn't work. And how come there is no OpenVPN interface in the NAT? So I removed it and it seems to be working a lot better. The reason I added it was a video from this guy:
https://www.youtube.com/watch?v=SVUE6tcznM4
At the 11 min mark he does the NAT for OpenVPN. Is it something that was needed in the past, as it is a 4 year old video? I have seen this in a couple of videos.
And the reason I use Manual NAT is because when I had NordVPN, and when I switched to PIA VPN, they both require manual mode....
What are the benefits of Hybrid vs. Manual?
And what does that 127/8 and the 1::128 do, like what happens on the network? So should I just remove the WAN one too, or leave it?
As for testing, I was pinging from my Unraid box on the network, a VM Ubuntu desktop, a VM Windows desktop and my main desktop, and I was pinging like 192.168.1.1 and any IP on the 1.x network.
And to use WireGuard site-to-site you need static IPs, right? Can't use the dynamic one I get from the DSL modem?
-
So you're pinging directly by IP address (not hostname) between hosts on either end of the tunnel? And those subnets are 192.168.1.0/24 and 192.168.0.0/24?
And that's working now?
I prefer to use hybrid mode for OBN because it keeps the automatic rules. If you add or change some internal subnet the rules will be updated to allow connectivity.
If you want to intentionally prevent traffic going out of the WAN directly you can just add a 'do not NAT' rule.
-
@stephenw10 sorry for the delay, I've had the power out from a big storm Saturday in Canada and I just got my power back.
What is OBN? And I can switch. I found an issue that is not working for me, and will this fix it with the hybrid?
So on my Unraid box I have a 10Gig NIC, broken into some bridges:
br0 = LAN 192.168.0.0
br0.10 = VLAN Cameras 192.168.10.0
br0.20 = VLAN IOT 192.168.20.0
Now I can't seem to ping the 192.168.1.0 network.
I noticed the issue as I can't access the remote Home Assistant from my main Home Assistant.
On my Home Assistant I have:
enp1s0 192.168.0.12 gateway 192.168.0.1 dns 192.168.0.1
enp2s0 192.168.20.12 gateway 192.168.20.1 dns 192.168.20.1
enp3s0 192.168.10.12 gateway 192.168.10.1 dns 192.168.10.1
Now I try to ping 192.168.1.12 (remote HA) or 192.168.1.1 (other pfSense)
and it can't,
even though in the rules I say IOT can have access to 192.168.1.12, same for Camera.
I tried
ping -I enp1s0 192.168.1.1
ping -I enp1s0 192.168.1.12
Those work, but if I try
ping -I enp2s0 192.168.1.1
ping -I enp2s0 192.168.1.1
ping -I enp3s0 192.168.1.1
ping -I enp3s0 192.168.1.1
it doesn't work.
When I try the pinging in the Unraid terminal with
ping -I br0.10 192.168.1.1 or 192.168.10.1 it doesn't wanna work. Is there a rule, or is that NAT outbound, that is blocking it?
The reason I noticed: Home Assistant uses 1 ethernet bridge as the main one and I noticed sometimes it changes, but I'd try to ping from any of those bridges to go out the OpenVPN connection or the network.
Is something conflicting? I know when I just have 1 LAN network there are no issues, but when I switched to having VLANs to break up my network some, I come across it. Maybe complicated? Maybe I'm just doing something wrong. And if you need any pics let me know, as I wanna be able to ping the 192.168.1.12 from the terminal and it should go out any of the VLAN LAN ports or be able to pick it off.
Here are the IOT and Camera rules, as the LAN one pings... Maybe it's outside of the scope or maybe I need a better video to watch to set it up?
And sorry if I'm confusing, my dyslexia gets the best of me. It sounds fine to me but I may not explain it right.
-
@comet424 said in my openvpn site to site i cant seem to ping or access other site doesnt stay stable:
what is OBN?
OutBound Nat.
@comet424 said in my openvpn site to site i cant seem to ping or access other site doesnt stay stable:
when i try the pinging in unraid terminal with the
ping -I br0.10 192.168.1.1 or 192.168.10.1 it doesnt wanna work
192.168.10.1 is in the br0.10 subnet so that would go directly if it's actually using the correct source IP. In which case pfSense never sees it and it must be something in the virtual infrastructure or the target host blocking it.
When you have multi-homed hosts like that it's common to see asymmetric routing issues. Check the firewall logs for blocked traffic.
-
@stephenw10
So I did screen capture the Camera logs, where you see it's pinging from 192.168.10.12, which is the Home Assistant IP for Cameras, and trying to reach 192.168.1.12.
So:
192.168.0.1 LAN pfSense IP
192.168.10.1 pfSense Camera VLAN
192.168.20.1 pfSense IOT VLAN
Unraid:
192.168.0.3 BR0 LAN network
192.168.10.3 BR0.10 Camera VLAN
192.168.20.3 BR0.20 IOT VLAN
Home Assistant:
192.168.0.12 LAN network
192.168.10.12 Camera VLAN
192.168.20.12 IOT VLAN
Now I found it would work if I static IP them,
but set it like this:
192.168.0.12 Gateway 192.168.0.1 DNS 192.168.0.1
192.168.10.12 Gateway 192.168.0.1 DNS 192.168.0.1
192.168.20.12 Gateway 192.168.0.1 DNS 192.168.0.1
That made it work, but it doesn't work if you specify it in the DHCP server. For doing the DHCP part it doesn't like you setting the gateway 192.168.0.1 for the Camera or IOT, it says it's out of the range.
But it made HA at least work.
So how do you fix it to work properly?
And the
192.168.0.1 LAN pfSense IP
192.168.10.1 pfSense Camera VLAN
192.168.20.1 pfSense IOT VLAN
are all from the single pfSense box, so it's not separate machines, just the one.
-
Oh, and I also have a
192.168.30.x VLAN. I made a management port from my onboard network cards.
I found I had to disable the gateway on the desktop and servers. I found that it wasn't using the 10Gig network card 192.168.0.1 but was going through the 192.168.30.x and I'd have no internet,
even though I blocked it in the rules. If I left 192.168.30.1 as a gateway it always tried to go through it and not the 10Gig, so I ended up removing the gateway in the Windows adapter for the onboard. That was frustrating to figure out.
-
@comet424 said in my openvpn site to site i cant seem to ping or access other site doesnt stay stable:
now i found it would work if it static ip them
but set it like this
192.168.0.12 Gateway 192.168.0.1 DNS 192.168.0.1
192.168.10.12 Gateway 192.168.0.1 DNS 192.168.0.1
192.168.20.12 Gateway 192.168.0.1 DNS 192.168.0.1
Mmm, see that's the problem with multi-homed hosts. When you do that it sends all traffic via the LAN gateway on the LAN subnet so bypasses the other firewall rules entirely.
So I assume the 192.168.1.0/24 subnet is at the other end of the tunnel?
There are no hits in the firewall logs for 192.168.1.12. So if you're trying to ping that it's probably passing. You have specific rules to allow that and one of them has bytes recorded on it.
Check the states for that IP when you're pinging.
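As an added illustration, not code from this thread or from pfSense, the following Python script applies the two checks stephenw10 suggests (look for blocked traffic in the firewall log, and spot the multi-homed symptom where a Camera or IOT VLAN host sends its packets through the LAN gateway so the VLAN rules never see them) to a few constructed filterlog lines. The interface names igb1/igb1.10/igb1.20 and the sample lines are assumptions; the subnets are the ones from the thread.

```python
import ipaddress
import re

# Assumed pfSense interface names for the thread's subnets (constructed for this example;
# the thread gives the subnets but not the NIC/VLAN names).
IFACE_SUBNETS = {
    "igb1": ipaddress.ip_network("192.168.0.0/24"),      # LAN
    "igb1.10": ipaddress.ip_network("192.168.10.0/24"),  # Camera VLAN
    "igb1.20": ipaddress.ip_network("192.168.20.0/24"),  # IOT VLAN
}
REMOTE_SITE = ipaddress.ip_network("192.168.1.0/24")    # site B, behind the tunnel

# filterlog CSV layout (IPv4): rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,...
FILTERLOG = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

# Constructed sample lines: a Camera-VLAN host whose packet arrives on the LAN interface
# (its gateway is 192.168.0.1), a blocked IOT ping, a normal LAN ping, an unrelated line.
SAMPLE_LOG = [
    "Sep 25 10:00:01 pfSense filterlog[11111]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,101,0,DF,1,icmp,84,192.168.10.12,192.168.1.12,request,7,1",
    "Sep 25 10:00:02 pfSense filterlog[11111]: 7,,,1000000110,igb1.20,match,block,in,4,0x0,,64,102,0,none,1,icmp,84,192.168.20.12,192.168.1.12,request,8,1",
    "Sep 25 10:00:03 pfSense filterlog[11111]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,103,0,DF,1,icmp,84,192.168.0.12,192.168.1.12,request,9,1",
    "Sep 25 10:00:04 pfSense sshd[2222]: Accepted publickey for admin from 192.168.0.5",
]

def parse_line(line):
    """Pull out the fields the checks need; None for non-filterlog or non-IPv4 lines."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19])}

def analyse(lines):
    """Return (blocked, mismatched): inbound packets blocked to or from the remote site,
    and inbound packets whose source is not in the subnet of the interface they came in on
    (the multi-homed symptom: a VLAN host sending via the LAN gateway, skipping VLAN rules)."""
    blocked, mismatched = [], []
    for line in lines:
        p = parse_line(line)
        if p is None or p["dir"] != "in":
            continue
        if p["action"] == "block" and (p["src"] in REMOTE_SITE or p["dst"] in REMOTE_SITE):
            blocked.append(p)
        net = IFACE_SUBNETS.get(p["iface"])
        if net is not None and p["src"] not in net:
            mismatched.append(p)
    return blocked, mismatched
```

On a real box, feed it the lines from /var/log/filter.log (or the output of `clog /var/log/filter.log` on older releases) after adjusting IFACE_SUBNETS to your own interface names.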