Netgate Discussion Forum

    Can't access LAN from WAN

      awestwell

      Check your netmask on your interfaces … If they are wrong you won't be able to access a machine located on that interface

      -Ashley

        peterclo

        OK, my 192.168.1.0 LAN netmask is 255.255.255.0, but how come the OpenVPN server gives a 192.168.192.6/255.255.255.252 address/netmask to my client? I set up the address pool as 192.168.192.0/24 in the OpenVPN settings.

          SFM

          I have openvpn running on release 1.0 with no issues.

          Maybe try retyping the pool address and saving.
          Or
          Deleting the openvpn server and creating it again.

            peterclo

            OK I use 1.0 too. I noticed that I can't delete the default VPN tunnel, and when I edit it, enter details and save it creates a second VPN tunnel while leaving the default one (with empty fields, empty certificates, etc). Don't know if it's an issue, I remember having this same "bug" in RC2-3

            I changed the pool to another network then used 192.168.192.0/24 again but it didn't solve the problem.

            I deleted my VPN tunnel then recreated it. When I reconnected my client the logs showed that it was still getting the old VPN tunnel details (push, etc). I then rebooted pfsense and my new VPN tunnel didn't appear. I recreated the tunnel and rebooted pfsense again, and then the tunnel appeared. This is probably normal behavior though, maybe mentioning it here will help another newbie ;)

            I got the same result though, I can ping 192.168.192.1 and 192.168.1.253 (LAN interface) but no other IP.

            I see in the logs a route is added (route ADD 192.168.1.0 MASK 255.255.255.0 192.168.192.5) but I can't ping the 192.168.192.5 IP which, I take it, is a kind of virtual gateway attributed by pfsense (it also acts as DHCP server)?

            SFM > did you have to add any firewall rule that I didn't add (cf my original post) or anything else on pfsense?

              SFM

              Peterclo,

              Did you get a chance to look at this …
              http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

              It is very well written.

              I only have one rule in my firewall to open 1194 to VPN clients.

              WAN RULE
              UDP  *  *  *  1194  *  OPEN VPN

                peterclo

                Absolutely, that's the tutorial I followed to set up my VPN, it's indeed very nice.

                Thank you for your answer regarding the firewall rules, I was wondering if I had forgotten something there.

                Do your clients also get a 255.255.255.252 netmask?

                  SFM

                  Peterclo,

                  OK, I just went and tried my OpenVPN and I am having the same issues you are.

                  I upgraded yesterday and I guess I hadn't tried it since then.

                  It worked without any issues with RC3 and now that I am at 1.0 it does not work.

                  I get connected but can't get anywhere, I also get the 255.255.255.252 mask.

                  Either something needs to be changed when going from RC3 to 1.0 or there is an issue with 1.0.

                  SFM

                    peterclo

                    You can't imagine how relieved I am. Well, no, not really, I'd prefer it if it worked :p I hope the issue can be resolved now that we're both having problems here.

                      SFM

                      My firewall logs show TUN0 being blocked.

                      Oct 18 10:26:35 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
                      Oct 18 10:26:35 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
                      Oct 18 10:26:29 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
                      Oct 18 10:26:29 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
                      Oct 18 10:26:26 TUN0 10.0.0.134:2650 10.0.0.10:139 TCP
                      Oct 18 10:26:26 TUN0 10.0.0.134:2649 10.0.0.10:445 TCP
                      Oct 18 10:26:14 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
                      Oct 18 10:26:08 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
                      Oct 18 10:26:05 TUN0 10.0.0.134:2648 10.0.0.10:80 TCP
                      Oct 18 10:25:53 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
                      Oct 18 10:25:53 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
                      Oct 18 10:25:47 TUN0 10.0.0.134 10.0.0.10 ICMP
                      Oct 18 10:25:47 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
                      Oct 18 10:25:47 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
                      Oct 18 10:25:47 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP
                      Oct 18 10:25:46 TUN0 10.0.0.134:1030 10.0.0.10:53 TCP
                      Oct 18 10:25:44 TUN0 10.0.0.134:2645 10.0.0.10:139 TCP
                      Oct 18 10:25:44 TUN0 10.0.0.134:2644 10.0.0.10:445 TCP

                        peterclo

                        Ah I get things like this :

                        Oct 18 17:59:24 NG0 84.97.e.f:24846 86.71.g.h:52272 UDP
                        Oct 18 17:59:22 NG0 84.97.e.f:24846 86.71.g.h:52272 UDP
                        Oct 18 17:57:16 NG0 86.71.a.b:3571 86.71.a.c:135 TCP
                        Oct 18 17:57:16 NG0 86.71.a.b:3563 86.71.a.c:445 TCP

                          dairaen

                          cheers,

                          first off, i have 1.0 running for road warriors & site-to-site and both tunnels
                          work as supposed, so i don't think it's a pfsense problem.

                          Question, the LAN servers you want to ping, do they have the
                          pfsense as gateway? If you are testing and a second gateway
                          is available this could be the problem (i encountered that, because
                          i forgot to change the gateway of one of my LAN boxes).

                          On one of your LAN servers and road warrior please show me "netstat -r".

                          Also, please install a "any, any, any, …" testing-rule for both WAN and LAN
                          to ensure it is not the firewall.

                          Reboot the box once after that and try again.

                          Do your clients also get a 255.255.255.252 netmask?

                          yep, that's ok.

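The two checks suggested in the post above (the 255.255.255.252 mask is expected, and the LAN host's gateway decides where replies go), worked through as an added example that is not part of any post in this thread. The old router's address and the three LAN routing tables are constructed, and the static-route case goes beyond what the thread discusses.

```python
import ipaddress

def net30_block(client_ip):
    """Return the /30 that OpenVPN's net30 addressing carves out for one client."""
    net = ipaddress.ip_network(f"{client_ip}/30", strict=False)
    peer, client = net.hosts()  # a /30 has exactly two usable addresses
    # The first address is an endpoint inside OpenVPN itself, not a real host,
    # so it is used as the route target but does not normally answer ping.
    return {"network": net, "virtual_peer": peer, "client": client}

def next_hop(routes, dest):
    """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
    dest = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes
            if dest in ipaddress.ip_network(n)]
    if not hits:
        return None
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return gw or "on-link"

def return_path_ok(routes, vpn_client, firewall_lan_ip):
    """True if this LAN host hands its reply for the VPN client to the firewall."""
    return next_hop(routes, vpn_client) == firewall_lan_ip

PFSENSE_LAN = "192.168.1.253"   # from the thread
VPN_CLIENT = "192.168.192.6"    # from the thread
OLD_ROUTER = "192.168.1.1"      # constructed: the thread gives no address for it

# Constructed routing tables for three LAN hosts.
HOSTS = {
    "default via old router": [("192.168.1.0/24", None), ("0.0.0.0/0", OLD_ROUTER)],
    "default via pfSense": [("192.168.1.0/24", None), ("0.0.0.0/0", PFSENSE_LAN)],
    "old router + static route": [("192.168.1.0/24", None),
                                  ("192.168.192.0/24", PFSENSE_LAN),
                                  ("0.0.0.0/0", OLD_ROUTER)],
}

if __name__ == "__main__":
    print(net30_block(VPN_CLIENT))
    for name, routes in HOSTS.items():
        ok = return_path_ok(routes, VPN_CLIENT, PFSENSE_LAN)
        hop = next_hop(routes, VPN_CLIENT)
        print(f"{name}: reply goes to {hop} -> {'ok' if ok else 'bypasses pfSense'}")
```
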
                            peterclo

                            Hey dairaen!

                            He he, that was it, and as I thought it was just me being stupid: the computer I was trying to ping was using our current router as a gateway and not my precious new pfsense box :) No wonder the poor packets didn't know how to find things :)

                            Thanks a lot for your help and the great tutorial you wrote! Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?

                            I hope SFM has the same happy ending :)

                              SFM

                              Dairaen,
                              thanks for helping me figure this out.

                              I was using the pfsense as gateway on lan server to answer that question.

                              What I was doing in previous versions is pushing the local network with Wins and Dns servers.
                              This worked without any issues.

                              When I upgraded to 1.0 this no longer worked…

                              After putting the local network in the proper location in the vpn server config and deleting it as a push everything works.

                              It also worked if I added (push "redirect-gateway def1") and left my config as it was. The only problem with this is I do not want clients using it as their default gateway.

                                dairaen

                                Maybe you could add a "Beware of your gateway" line in the section where you're supposed to test your new VPN tunnel?

                                done ;)

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.