[1.2RC3] Site-to-site ping problem
-
Hi !
I've got a ping problem with my VPN
LAN 1 (server): pfSense OpenVPN server 1.2RC3
Protocol: TCP
Server port: 1193
Interface IP: 192.168.1.0/24
Remote network: 192.168.10.0/24

LAN 2 (client): PC on the LAN with OpenVPN client
Protocol: TCP
Port: 1193
Interface IP: 192.168.0.0/24

In LAN1 and LAN2, the firewalls have been configured correctly.
LAN2 can ping all machines in LAN1,
but LAN1 can't ping anything in LAN2.
I tried traceroute from LAN1 to LAN2; it seems to be a firewall problem.
I checked all routes and they seem to be good.

pfSense OpenVPN server config file (/var/etc/openvpn_server0.conf):
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 192.168.10.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
lport 1193
route 192.168.0.0 255.255.255.0
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
route 192.168.0.0 255.255.255.0 192.168.10.1
Route table of the pfSense OpenVPN server:

Destination      Gateway          Flags  Refs  Use      Mtu    Netif  Expire
default          <wan_subnet>     UGS    0     1675434  1500   vr0
<wan_subnet>     link#2           UC     0     0        1500   vr0
<wan_gateway>    <mac_address>    UHLW   2     4005     1500   vr0    1200
<wan_ipaddress>  127.0.0.1        UGHS   0     0        16384  lo0
127.0.0.1        127.0.0.1        UH     1     0        16384  lo0
192.168.0        192.168.10.2     UGS    0     4070     1500   tun0
192.168.1        link#1           UC     0     0        1500   rl0
192.168.10       192.168.10.2     UGS    0     840      1500   tun0
192.168.10.2     192.168.10.1     UH     2     3        1500   tun0
My client configuration :
#
# Sample OpenVPN configuration file for
# home using SSL/TLS mode and RSA certificates/keys.
#
# '#' or ';' may be used to delimit comments.

client

# Use a dynamic tun device.
# For Linux 2.2 or non-Linux OSes,
# you may want to use an explicit
# unit number such as "tun1".
# OpenVPN also supports virtual
# ethernet "tap" devices.
dev tun
proto tcp-client

# Our OpenVPN peer is the office gateway.
remote x.x.x.x 1193

# 10.1.0.2 is our local VPN endpoint (home).
# 10.1.0.1 is our remote VPN endpoint (office).
; ifconfig 192.168.10.2 192.168.10.1

# Our up script will establish routes
# once the VPN is alive.
; up ./home.up

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client

# Certificate Authority file
ca /etc/openvpn/keys/ca.crt

# Our certificate/public key
cert /etc/openvpn/keys/xxxx.crt

# Our private key
key /etc/openvpn/keys/xxxx.key

# OpenVPN 2.0 uses UDP port 1194 by default
# (official port assignment by iana.org 11/04).
# OpenVPN 1.x uses UDP port 5000 by default.
# Each OpenVPN tunnel must use
# a different port number.
# lport or rport can be used
# to denote different ports
# for local and remote.
; port 1193

# Downgrade UID and GID to
# "nobody" after initialization
# for extra security.
; user nobody
; group nogroup

# If you built OpenVPN with
# LZO compression, uncomment
# out the following line.
comp-lzo

# Send a UDP ping to remote once
# every 15 seconds to keep
# stateful firewall connection
# alive. Uncomment this
# out if you are using a stateful
# firewall.
; ping 15

# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
; ping 15
; ping-restart 45
; ping-timer-rem
persist-tun
persist-key

pull

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

ns-cert-type server
resolv-retry infinite
nobind
keepalive 10 60
ping-timer-rem
Route table on the OpenVPN PC client:

Destination   Passerelle    Genmask          Indic  Metric  Ref  Use  Iface
192.168.10.1  192.168.10.5  255.255.255.255  UGH    0       0    0    tun0
192.168.10.5  *             255.255.255.255  UH     0       0    0    tun0
localnet      *             255.255.255.0    U      0       0    0    eth0
default       xxxxx         0.0.0.0          UG     0       0    0    eth0

Thanks for your help.
-
could it be that your client is firewalled?
-
could it be that your client is firewalled?
The firewall (iptables) on the client is disabled.
I think it uses the WAN interface instead of the TUN0 interface.
How to test this?

traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
-
I don't think so, because then the answer to your ping from the client would never come back.
When you use the ping tool of pfSense itself, is that able to ping your client?
If not, I think the problem is really somewhere with the client.

btw: could you make a diagram of your network? I kind of don't get if you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.
-
I don't think so, because then the answer to your ping from the client would never come back.
When you use the ping tool of pfSense itself, is that able to ping your client?
If not, I think the problem is really somewhere with the client.

btw: could you make a diagram of your network? I kind of don't get if you just want to connect a client via OpenVPN to your LAN or want to connect two different LANs via VPN.
Ping not responding on the pfSense server.
I want to connect 2 LANs via VPN: the PC client on LAN2 connects to the pfSense OpenVPN server through the WAN.
LAN1 (192.168.1.0/24)
|
|
Pfsense (LAN IP : 192.168.1.1)
server
|
| WAN
|
Router (LAN IP : 192.168.0.1) (this router enable VPN pass-through)
|
|
LAN2 (192.168.0.0/24)
/
PC with OpenVPN client (IP : 192.168.0.10)

Thanks for your help.
-
Just to understand you right:
You want to have a client within LAN2 connect to the pfSense of LAN1,
and then be able to connect from every client within the LAN1 subnet to every client within the LAN2 subnet?

You have route entries in your server config that point traffic for 192.168.0.x to the pfSense from LAN1. This route entry should point the traffic to the client and not the pfSense itself (192.168.10.5 (this is the client)).
But clients in your LAN2 have the pfSense of LAN2 as gateway. You need to add a static route to your pfSense of LAN2 that points the subnet of your LAN1 to your client that initiates the VPN connection.
But why do you have a separate machine to run the tunnel from?
You can have the pfSense of your LAN2 as OpenVPN client. Then you don't need any static routes since the clients in LAN2 have their pfSense as gateway.
-
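The asymmetric-routing argument in the reply above (the server's route for LAN2 must point at the VPN client, and LAN2's gateway must know how to reach LAN1, otherwise echo replies go out the default route) can be checked mechanically. The following Python script is an added example, not code from the thread or from pfSense: it models the diagram's nodes with constructed routing tables and walks the request and reply path of a ping with longest-prefix-match lookups. The host addresses, the tunnel endpoints 192.168.10.1 (pfSense) and 192.168.10.5 (client PC), the client PC's route back to 192.168.1.0/24 and the LAN2 router's "isp" default route are all assumptions made for the model.

```python
import copy
import ipaddress

# Constructed topology modelled on the diagram in this thread. Every address
# and route here is example data (an assumption), not taken from a live box:
# pfSense owns 192.168.1.1 (LAN1) and 192.168.10.1 (tun0), the VPN client PC
# owns 192.168.0.10 (LAN2) and 192.168.10.5 (tun0), and the LAN2 router only
# knows its own LAN plus a default route to the ISP, like a typical home router.
# Routes are (prefix, gateway) pairs; gateway None means directly attached.
NODES = {
    "lan1_host": {"addrs": {"192.168.1.50"},
                  "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
    "pfsense": {"addrs": {"192.168.1.1", "192.168.10.1"},
                "routes": [("192.168.1.0/24", None), ("192.168.10.0/24", None),
                           # LAN2 reached through the tunnel via the client's tun address,
                           # as the reply recommends (not via pfSense's own 192.168.10.1)
                           ("192.168.0.0/24", "192.168.10.5"),
                           ("0.0.0.0/0", "wan")]},
    "vpn_client_pc": {"addrs": {"192.168.0.10", "192.168.10.5"},
                      "routes": [("192.168.0.0/24", None), ("192.168.10.0/24", None),
                                 # assumed: route to LAN1 learned from the server
                                 ("192.168.1.0/24", "192.168.10.1"),
                                 ("0.0.0.0/0", "192.168.0.1")]},
    "lan2_router": {"addrs": {"192.168.0.1"},
                    "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "isp")]},
    "lan2_host": {"addrs": {"192.168.0.20"},
                  "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]},
}


def lookup(routes, dst):
    """Longest-prefix match of dst against a routing table; (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def owner(addr, nodes):
    """Name of the node that owns an address, or None if it lies outside the model."""
    for name, node in nodes.items():
        if addr in node["addrs"]:
            return name
    return None


def trace(start, dst, nodes, max_hops=8):
    """Walk a packet from node `start` towards address `dst`, hop by hop.

    Returns the node names visited; the last element is "delivered" if dst was
    reached, otherwise a note saying where the packet was dropped or escaped.
    """
    path = [start]
    node = start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            path.append("delivered")
            return path
        match = lookup(nodes[node]["routes"], dst)
        if match is None:
            path.append("no route")
            return path
        net, gw = match
        if gw is None:                       # directly attached: deliver on the link
            nxt = owner(dst, nodes)
            path.extend([nxt, "delivered"] if nxt else [f"no host {dst} on {net}"])
            return path
        nxt = owner(gw, nodes)
        if nxt is None:                      # next hop outside the model (WAN/ISP)
            path.append(f"left via {gw}")
            return path
        path.append(nxt)
        node = nxt
    path.append("hop limit")
    return path


def ping_path(src_ip, dst_ip, nodes):
    """Forward path of an echo request and return path of its reply (None if it never arrives)."""
    fwd = trace(owner(src_ip, nodes), dst_ip, nodes)
    if fwd[-1] != "delivered":
        return fwd, None
    return fwd, trace(owner(dst_ip, nodes), src_ip, nodes)


def with_lan2_static_route(nodes):
    """The fix suggested above: LAN2's gateway sends 192.168.1.0/24 to the VPN client PC."""
    fixed = copy.deepcopy(nodes)
    fixed["lan2_router"]["routes"].insert(0, ("192.168.1.0/24", "192.168.0.10"))
    return fixed


if __name__ == "__main__":
    for label, table in (("as posted", NODES), ("with static route", with_lan2_static_route(NODES))):
        fwd, ret = ping_path("192.168.1.50", "192.168.0.20", table)
        print(f"{label}: request {' -> '.join(fwd)}")
        print(f"{label}: reply   {' -> '.join(ret) if ret else 'n/a'}")
```

Without the static route the request reaches the LAN2 host but the reply follows that host's default gateway out to the ISP, which is exactly the "LAN1 can't ping LAN2" symptom; a ping from the VPN client PC itself works in both directions because that PC has the tunnel route locally. The model assumes the client PC forwards packets between eth0 and tun0 (IP forwarding enabled), which is a separate thing to check on a Linux client.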
I had a very similar problem.
This turned out to be a policy routing issue. To enable LAN1 to ping/pass traffic to LAN2 from LAN1, I would try adding a firewall rule to the LAN1 interface on the pfSense server allowing access to the remote LAN2 subnet through the DEFAULT gateway.
i.e. something similar to:
Action: Pass
Interface: LAN (LAN1)
Source: LAN subnet
Destination: 192.168.0.0/24
Gateway: default
Good luck
-
Thanks for trying to solve my problem ;)
My new network diagram is :
LAN1 (192.168.1.0/24)
|
|
Pfsense (LAN IP : 192.168.1.1)
server
|
| WAN
|
DD-WRT VPN Router (LAN IP : 192.168.0.1)
|
|
LAN2 (192.168.0.0/24)

And now I can ping between LAN1 and LAN2.
Now I would like PCs on LAN1 to use the Internet connection of LAN2 to access some public IP addresses.
How can I configure pfSense to do this?
-
http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657
or do you want just "some" addresses and not all?
-
http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657
or do you want just "some" addresses and not all?
Thanks, but I just want some addresses, not all traffic, through the VPN tunnel ;)