Can ping server but not rest of network.
-
Hello (and sorry for my bad English, I'm French…)
I have the same problem ... See my OpenVPN server configuration:
I'm on local network 10.187.91.0/22 and I created this VPN on this network. I have a local network 192.168.1.0/24, and I want to access it with a VPN.
With this configuration, I can ping my VPN server at the address 192.168.1.254, but not the rest of this local network (192.168.1.245 for example…)
These are the rules of my firewall:
WAN : UDP * * * 1194 (OpenVPN) *
LAN : * LAN net * * * *
So, it's a problem ...
-
Is the OpenVPN server the default gateway for the network behind it?
-
Heum… Yes, pfSense is the default gateway on 192.168.1.0/24 sub-network !
-
And on the remote client, when the link is up, what does "netstat -rn" show?
-
That …
thibaut@PC-de-Thibaut:~$ netstat -rn
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
-
Routing looks good. Does the OpenVPN server end have another network that's 192.168.1.x/24?
-
My pfSense box is in two networks:
WAN : 10.187.88.0/22 (address 10.187.88.9)
LAN : 192.168.1.0/24 (address 10.187.88.254, it's the gateway of the 192.168.1.0/24 subnet)
So I think that the OpenVPN server is on the 192.168.1.0/24 network …
-
I can't see an obvious problem. I'd check things like firewall settings (on both ends), drop a packet sniffer in to see if the packets are making it through pfSense (ISTR that tcpdump is installed by default on pfSense) and check to see if you can ping from the 192.168.1.0/24 network to the 192.168.2.0/24 network.
-
Arf ….
Ok thanks for your help ! A return to work on Monday, so see you soon !
-
Hello !
So, I can ping 192.168.2.0/24 addresses from the 192.168.1.0/24 subnet. But from 10.187.88.0/22, I can ping 192.168.1.254 but not the rest of the 192.168.1.0/24 subnet :(
-
I think a diagram is required to make that last post make sense. You're implying that you're trying to ping from outside the pfSense host, on the WAN, to the LAN.
-
PC1 192.168.2.6 (tun0) –-------------- 10.187.88.8 (WAN) pfSense 192.168.1.254 (LAN) ------------------ 192.168.1.245 (LAN) PC2
pfSense also has 192.168.2.5 for the VPN server.
Ping from PC2 to PC1 works!
Ping from PC1 to PC2 doesn't work!
And I want to access the LAN from the WAN with the VPN server.
-
Right, then look at the firewall settings on PC2. You may find that it's blocking ping requests.
-
thanks for your help
But my firewall on PC2 is disabled …
I can see the request from 192.168.2.6 to 192.168.1.245 with tcpdump of pfSense, but not the reply.
-
Then your problem is with the host 192.168.1.245. Check that its default gateway is correct, check to see that it's receiving the packets, do all the basic troubleshooting steps on that host.
-
The problem doesn't come from that host, because there is the same problem with another PC with another IP address…
thx for your help ...
-
Well, start there. If you're seeing packets enter the LAN but not return to pfSense then something you've posted here is obviously wrong. The three possibilities are:
- The hosts don't use the pfSense host as their default gateway
- The static routes on the LAN clients are wrong
- They run firewalls
Eliminate those one at a time, what's left is the only possibility.
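
Added example, not part of the original thread: a small Python check for the first two possibilities above, which parses `netstat -rn` output from a LAN host and reports which gateway its replies to the VPN client (192.168.2.6) would be handed to. The LAN host tables and the 192.168.1.1 router address are constructed for illustration; the PC1 rows are taken from the table posted earlier.

```python
import ipaddress

def parse_routes(netstat_text):
    """Parse Linux `netstat -rn` rows into (network, gateway, iface) tuples."""
    routes = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have 8 columns and start with an address; header lines
        # (in any locale, e.g. the French ones in this thread) are skipped.
        if len(f) != 8 or not f[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes

def next_hop(routes, dest):
    """Longest-prefix match: (gateway or None if on-link, iface) for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return (None if gw == "0.0.0.0" else gw, iface)

def reply_path_ok(routes, vpn_peer, pfsense_lan_ip):
    """True if replies to the VPN client are handed to pfSense's LAN address."""
    hop = next_hop(routes, vpn_peer)
    return hop is not None and hop[0] == pfsense_lan_ip

# Two rows copied from the client's table posted in the thread (PC1).
PC1 = """192.168.1.0 192.168.2.5 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 10.187.88.245 0.0.0.0 UG 0 0 0 eth0"""
# Constructed LAN host table: default gateway is a different router
# (192.168.1.1 is an assumed address, not from the thread).
LAN_BAD = """Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0"""
# Same host after adding a static route for the tunnel subnet via pfSense.
LAN_FIXED = LAN_BAD + "\n192.168.2.0 192.168.1.254 255.255.255.0 UG 0 0 0 eth0"

if __name__ == "__main__":
    print("PC1 -> 192.168.1.245 via", next_hop(parse_routes(PC1), "192.168.1.245"))
    for name, table in (("bad", LAN_BAD), ("fixed", LAN_FIXED)):
        ok = reply_path_ok(parse_routes(table), "192.168.2.6", "192.168.1.254")
        print(name, "reply path through pfSense:", ok)
```

A host whose table behaves like `LAN_BAD` receives the echo request but sends its reply to the other router, which matches a tcpdump on pfSense that shows the request and no reply.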
-
- The static routes on the LAN clients
What's that ? ???
-
Static routes tell clients how to reach networks that are attached to something other than your default gateway.
-
I had this same problem, but when I added all the hosts that I wanted the VPN clients to be able to contact to the DNS Forwarder list, I was able to ping and connect to the LAN side from the VPN client side. When I removed those entries, I also lost my connectivity to those LAN elements. Not sure why, but it seems that the hosts you want to be able to access via the VPN have to be listed in the DNS Forwarder also. Bug? Not sure, but adding them fixed my issue.