Can't Ping VPN Clients from local network
-
Hello Guys,
I have a problem pinging my VPN clients (roadwarriors) from inside my LAN; the funny thing is that the roadwarrior can ping any host inside my LAN.
This is my configuration
PfSense:
LAN: 10.10.11.254 (10.10.11.0/24)
WAN: public ip 1
WAN2: public ip 2
TUN0: 10.10.20.1 (10.10.20.0/24)
WAN and WAN2 are set up in load balance mode, so if WAN goes down all traffic is routed through WAN2.
1.- I had to make 2 rules to allow any host on the internet to reach UDP 1194 on pfSense (one rule for the WAN interface and the other for the WAN2 interface)
2.- I configured my OpenVPN client to connect first to the WAN IP and, if the client fails after 60 sec, then it tries the WAN2 IP (this works just great)
3.- I created a rule for my LAN interface telling pfSense to route any traffic intended for 10.10.20.0/24 through the default interface (here I can ping my VPN clients), but as soon as I disconnect the WAN interface (which is my default gateway) the connection cannot be established.
The TUN0 interface can't be selected in the GUI, only WAN, WAN2 and my load balancer (configuring the rule against the load balancer doesn't work, I've already tried this).
How can I manually create a rule telling pfSense to route any traffic intended for network 10.10.20.0/24 through the TUN0 interface?
Do you think it is possible to add this feature to future releases of pfSense? (OpenVPN tun devices should appear in the rule editing forms, to be able to create the rules through the GUI, not manually)
Thanks in advance!
Kind Regards,
Diego Bendlin
-
Maybe, if the load balancer would route through the tun interface, that could solve the problem, but I guess that's an enhancement to be done, which would also apply to the Firewall > Rules menu (the load balancer should appear beside WAN, LAN and WAN2), so if you create a rule for a load balancer it should, behind the scenes, try the interfaces of which it is made.
But that's just an idea…
-
And what about firewalls on the clients' PCs?
If roadwarriors use a firewall (WinXP firewall etc.) you cannot ping them from the LAN, because the client firewall blocks these packets. For roadwarrior users, your ping is from another network subnet.
-
Guys,
I forgot to tell you about that: my clients (a Windows box and a Debian box) don't have a firewall active; as a matter of fact, as I explained above, the VPN works fine when the WAN interface is up, but when it goes offline it doesn't work.
Remember I have 2 WAN interfaces, and my VPN clients are fault tolerant: if WAN1 goes offline then the clients get disconnected, but after a minute or so they reattempt the connection, first to WAN, which is still offline, and after they fail they try WAN2 and successfully reconnect to the pfSense box.
The problem is that I'm not able to add a rule via the GUI telling pfSense to route all traffic destined to my VPN clients through the TUN interface; only WAN1 and WAN2 appear in the GUI.
Is it possible to manually add a rule to the pfSense box? By manually I mean connecting via SSH and editing some file. Is this possible? What would be the files that need to be changed?
Thanks in advance!
Diego Bendlin
-
I'm not entirely sure that this is the solution to your problem, but I think it might be.
Have a rule above all other rules with your VPN subnet as destination and * as gateway.
If you have something else as gateway the traffic will always go out on the specified interface, which is something you don't want.
-
I guess that would do the trick, but this isn't possible to specify through the GUI, as the rule editor only allows choosing:
1.- default (which is WAN1)
2.- WAN2
3.- Load Balancer
It would be great if it would work with the load balancer somehow, but it doesn't do the trick, I've already tried :(
As I said, it would be great if you guys could enhance this for future releases, but as a shortcut I would like to solve this by hand; can you please give me a hand on how to achieve this?
Thanks a lot for your help and support,
Regards,
Diego Bendlin
-
Actually the "default" –> < * > is not WAN.
It is "the routing table".
So if your client connects over the second WAN the routing table changes accordingly.
Edit: I just noticed an error in the above statement. The routing table shouldn't change since the destined interface for the LAN subnet is still the TUN interface.
But the gateway should still be * and not a manually specified WAN.
-
Ok,
I will give it a try on Monday, and check if the routing table changes after I fail WAN1 and my clients reconnect through WAN2.
I'll post my findings here,
Thanks a lot!
Regards,
Diego Bendlin
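To make the difference between a "gateway *" rule and a policy-routed rule concrete, here is an added pf example (not from the thread and not pfSense's own generated ruleset) in the pf syntax pfSense compiles its GUI rules into. The LAN and VPN subnets are the ones from the thread; the interface names, the WAN gateway addresses and the OpenVPN peer address 10.10.20.2 are assumptions.

```pf
# Assumed interfaces: em0 = WAN, em1 = WAN2, em2 = LAN, tun0 = OpenVPN server.
# Assumed gateways (placeholders): WAN 203.0.113.1, WAN2 198.51.100.1.
lan_if  = "em2"
lan_net = "10.10.11.0/24"
vpn_net = "10.10.20.0/24"

# What `netstat -rn` shows while OpenVPN is up (peer address assumed, net30 topology):
#   10.10.20.0/24   10.10.20.2    UG   tun0   <- installed by OpenVPN, survives WAN failover
#   default         203.0.113.1   UG   em0    <- swapped for WAN2's gateway on failover

# BROKEN: the LAN rule saved with gateway = WAN. route-to overrides the routing
# table and pins the packets to em0, so a ping to a VPN client leaves on the WAN
# link instead of tun0 and stops entirely once em0 is down.
pass in quick on $lan_if route-to ( em0 203.0.113.1 ) inet proto icmp \
    from $lan_net to $vpn_net keep state

# Same problem with the load balancer: both members are WAN links, neither is tun0.
pass in quick on $lan_if route-to { ( em0 203.0.113.1 ), ( em1 198.51.100.1 ) } round-robin \
    inet from $lan_net to $vpn_net keep state

# FIX: the rule recommended in the replies, placed above the policy-routed rules
# (quick means first match wins). With no route-to, gateway "*" in the GUI, the
# kernel consults the routing table and picks tun0 for $vpn_net whichever WAN is up.
pass in quick on $lan_if inet from $lan_net to $vpn_net keep state

# The policy-routed catch-all for everything else can stay below it.
pass in quick on $lan_if route-to { ( em0 203.0.113.1 ), ( em1 198.51.100.1 ) } round-robin \
    inet from $lan_net to any keep state
```

After a WAN failover, `netstat -rn` on the pfSense box should still list the 10.10.20.0/24 route on tun0 while only the default route has changed; if that route is missing, the problem is the OpenVPN server configuration, not the firewall rule.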