Site-2-site pfSense 2.4.2-p1 only 'working' in one direction
Hi All,
I am utterly confused, and hope somebody can enlighten me.
I based my setup on https://www.nanoscopic.de/2017/07/simple-site-to-site-vpn-with-pfsense-and-openvpn/
(Their site A & B are reversed from what I have explained below.)

First off, a correct OpenVPN Peer-to-Peer setup should allow for full access to the LAN on the other side of the link, right? No matter which direction you go, Server -> Client or Client -> Server.

Situation
Site A has
static IP on WAN
1 OpenVPN server, Remote Access SSL, working just fine (port 1194)
1 OpenVPN server, Peer-to-Peer Shared Key (port 1195), with 'issues'
Printers on LAN x.y.A.20 & x.y.A.21

Site B has
DHCP reserved IP on WAN (for now)
1 OpenVPN server, Remote Access SSL, working just fine (port 1194)
1 OpenVPN CLIENT, Peer-to-Peer Shared Key (port 1195), might have 'issues'
Printer on LAN x.y.B.20
1 Windows PC on LAN x.y.B.201 to which I can remote in from home (from Site 'C' if you want)

Both pfSense devices show the site-2-site as being UP on port 1195.
I can connect from site C using the other VPN to both locations on port 1194, no issues. Rdesktop into the Windows PC on site B, and I can access the Site B firewall via its LAN address.
From that same PC I cannot access the Site A firewall on its regular LAN IP, but I can bring it up in a browser using the tunnel IP that it got assigned, confirming that there is some communication going on.

From Site B, I cannot ping pfSense or the printers on the LAN at Site A.
However, from the web interface of pfSense at site A I can ping the printer on Site B, hinting that 50% of the site-2-site is kinda working?

So from the VPN server side I seem to be able to get into the client LAN (not needed at this point, but OK).
The Site A office is closed and I do not have access to a PC on the LAN to fully test access to the printers on site B; I assume it works.
From the site B (client) side I CANNOT get into the server-side LAN: no pings from the site B pfSense, let alone from the PC.
Both sides have the s2sVPN assigned to an interface, and both sides have the usual IPv4* ALLOW ALL rule under this interface.
Both sides allow traffic on IPv4 UDP ports 1194 & 1195 to the WAN address (firewall rules).
A couple of things I noticed.
Nowhere in the pfSense server config screen do I see Local Network (Tunnel and Remote are there).
Same in the client config on site B, but that is kinda expected.

On Site B (client) the following Outbound NAT was added:
x.y.A.0/24 x.y.B.0/24 (+ tunnel networks for both VPNs and local 127)
So both LANs are there.
On Site A (server) however the Outbound NAT does not mention x.y.B.0/24, the client network; only the local LAN is there + tunnel networks for both VPNs and local 127.
Adding this x.y.B.0/24 manually (2 rules) does not seem to solve the problem.
(Changing to Hybrid outbound NAT)

Now, is this whole situation caused by a bug ('missing local network?') or am I missing something?
All suggestions and help appreciated.
Regards
P
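Added example, not the poster's configuration and not pfSense's own code: a small check of the two halves of an OpenVPN shared-key site-to-site tunnel like the one described above. In shared-key mode nothing is pushed from server to client, so each end has to carry its own route to the far LAN; pfSense writes the Tunnel Network as an ifconfig line and each Remote Network(s) entry as a route line in the generated config. The two configs and the LAN prefixes (192.168.10.0/24 and 192.168.20.0/24 standing in for x.y.A.0/24 and x.y.B.0/24, a documentation WAN address, tunnel 10.0.8.0/30) are constructed placeholders; the client config is deliberately missing its route back to the server LAN so the check has something to report.

```python
"""
Consistency check for an OpenVPN shared-key (p2p) site-to-site pair.
Constructed example: addresses, ports and file paths are placeholders.
"""
import ipaddress

# Constructed Site A (server) config in the shape pfSense generates for
# a shared-key peer-to-peer server with one Remote Network entry.
SITE_A_CONF = """
dev tun
proto udp
lport 1195
secret /var/etc/openvpn/server2.secret
ifconfig 10.0.8.1 10.0.8.2
route 192.168.20.0 255.255.255.0
"""

# Constructed Site B (client) config. The route back to Site A's LAN is
# deliberately absent; that is the kind of gap the check surfaces.
SITE_B_CONF = """
dev tun
proto udp
remote 203.0.113.10 1195 udp
secret /var/etc/openvpn/client1.secret
ifconfig 10.0.8.2 10.0.8.1
"""


def parse(conf):
    """Pull out the directives that matter for a p2p shared-key tunnel."""
    out = {"routes": [], "ifconfig": None, "secret": False, "port": None}
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "route" and len(args) >= 2:
            # 'route NETWORK NETMASK' -> IPv4Network
            out["routes"].append(
                ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif key == "ifconfig" and len(args) == 2:
            out["ifconfig"] = (ipaddress.ip_address(args[0]),
                               ipaddress.ip_address(args[1]))
        elif key == "secret":
            out["secret"] = True
        elif key == "lport" and args:
            out["port"] = int(args[0])          # server listening port
        elif key == "remote" and len(args) >= 2:
            out["port"] = int(args[1])          # port the client dials
    return out


def check_pair(server_conf, client_conf, server_lan, client_lan):
    """Return a list of findings; an empty list means both ends agree."""
    s, c = parse(server_conf), parse(client_conf)
    server_lan = ipaddress.ip_network(server_lan)
    client_lan = ipaddress.ip_network(client_lan)
    findings = []
    if not (s["secret"] and c["secret"]):
        findings.append("both ends must use a shared 'secret' in p2p shared-key mode")
    if s["port"] != c["port"]:
        findings.append(f"port mismatch: server listens on {s['port']}, "
                        f"client targets {c['port']}")
    # The client's ifconfig pair must be the mirror image of the server's.
    if s["ifconfig"] and c["ifconfig"] and s["ifconfig"] != tuple(reversed(c["ifconfig"])):
        findings.append("tunnel addresses are not mirrored between ifconfig lines")
    # Each end needs a route to the far LAN; nothing is pushed in this mode.
    if client_lan not in s["routes"]:
        findings.append(f"server has no route to the client LAN {client_lan}")
    if server_lan not in c["routes"]:
        findings.append(f"client has no route to the server LAN {server_lan}")
    return findings


if __name__ == "__main__":
    for f in check_pair(SITE_A_CONF, SITE_B_CONF,
                        "192.168.10.0/24", "192.168.20.0/24"):
        print("finding:", f)
```

Run as-is it reports the missing client-side route; appending the matching route line to the client config makes the pair consistent. The check only covers the OpenVPN side of the tunnel, not the interface firewall rules or outbound NAT discussed in the post.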