Netgate Discussion Forum
    Can ping server but not rest of network.

      Cry Havok

      Is the OpenVPN server the default gateway for the network behind it?

        Thibaut

        Heum… Yes, pfSense is the default gateway on the 192.168.1.0/24 sub-network!

          Cry Havok

          And on the remote client, when the link is up, what does "netstat -rn" show?

            Thibaut

            That …

            thibaut@PC-de-Thibaut:~$ netstat -rn
            Table de routage IP du noyau
            Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
            192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
            192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
            172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
            192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
            172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
            10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
            169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
            0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
            
            
              Cry Havok

              Routing looks good.  Does the OpenVPN server end have another network that's 192.168.1.x/24?

                Thibaut

                My pfSense box is on two networks:
                WAN: 10.187.88.0/22 (address 10.187.88.9)
                LAN: 192.168.1.0/24 (address 10.187.88.254, it's the gateway of the 192.168.1.0/24 subnet)

                So I think that the OpenVPN server is on the 192.168.1.0/24 network …

                  Cry Havok

                  I can't see an obvious problem.  I'd check things like firewall settings (on both ends), drop a packet sniffer in to see if the packets are making it through pfSense (ISTR that tcpdump is installed by default on pfSense) and check to see if you can ping from the 192.168.1.0/24 network to the 192.168.2.0/24 network.

                    Thibaut

                    Arf …

                    OK, thanks for your help! Back at work on Monday, so see you soon!

                      Thibaut

                      Hello!

                      So, I can ping 192.168.2.0/24 addresses from the 192.168.1.0/24 subnet. But from 10.187.88.0/22, I can ping 192.168.1.254 but not the rest of the 192.168.1.0/24 subnet :(

                        Cry Havok

                        I think a diagram is required to make that last post make sense.  You're implying that you're trying to ping from outside the pfSense host, on the WAN, to the LAN.

                          Thibaut

                          PC1 192.168.2.6 (tun0) ---------------- 10.187.88.8 (WAN) pfSense 192.168.1.254 (LAN) ------------------ 192.168.1.245 (LAN) PC2

                          pfSense also has 192.168.2.5 for the VPN server.

                          Ping from PC2 to PC1 works!
                          Ping from PC1 to PC2 doesn't work!

                          And I want to access the LAN from the WAN with the VPN server.

                            Cry Havok

                            Right, then look at the firewall settings on PC2.  You may find that it's blocking ping requests.

                              Thibaut

                              Thanks for your help.

                              But my firewall on PC2 is disabled …

                              I can see the request from 192.168.2.6 to 192.168.1.245 with tcpdump on pfSense, but not the reply.

                                Cry Havok

                                Then your problem is with the host 192.168.1.245.  Check that its default gateway is correct, check to see that it's receiving the packets, do all the basic troubleshooting steps on that host.

                                  Thibaut

                                  The problem doesn't come from that host, because there is the same problem with another PC with another IP address…

                                  thx for your help ...

                                    Cry Havok

                                    Well, start there.  If you're seeing packets enter the LAN but not return to pfSense then something you've posted here is obviously wrong.  The three possibilities are:

                                    1. The hosts don't use the pfSense host as their default gateway
                                    2. The static routes on the LAN clients are wrong
                                    3. They run firewalls

                                    Eliminate those one at a time, what's left is the only possibility.

                                      Thibaut

                                      1. The static routes on the LAN clients

                                      What's that ?  ???

                                        Cry Havok

                                        Static routes tell clients how to reach networks that are attached to something other than your default gateway.

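An added illustration of the first two checks in the list above, and of how a static route overrides the default gateway (example code, not written by any poster in this thread): a longest-prefix-match lookup over `netstat -rn` style tables. The client table is the one posted earlier in the thread; the two LAN-host tables and the next hop 192.168.1.1 are constructed for illustration.

```python
import ipaddress

# VPN client table, copied from the `netstat -rn` output posted in this thread.
CLIENT = """\
Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
"""

# Constructed (not from the thread): a LAN host whose only gateway is pfSense.
LAN_OK = """\
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
"""
# Constructed: the same host with a static route sending the VPN subnet elsewhere.
LAN_BAD_STATIC = LAN_OK + (
    "192.168.2.0     192.168.1.1     255.255.255.0   UG        0 0          0 eth0\n")


def parse_routes(text):
    """Return [(network, gateway or None, iface)] from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            prefix = bin(int(ipaddress.IPv4Address(f[2]))).count("1")
            net = ipaddress.ip_network(f"{f[0]}/{prefix}")
        except ValueError:
            continue  # header line or anything that is not a route
        routes.append((net, None if f[1] == "0.0.0.0" else f[1], f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return {"route": str(net), "gateway": gw, "iface": iface}


def reply_goes_to(routes, vpn_client, firewall_lan_ip):
    """True if a reply to vpn_client is handed to the firewall's LAN address."""
    hit = lookup(routes, vpn_client)
    return hit is not None and hit["gateway"] == firewall_lan_ip


if __name__ == "__main__":
    # Forward path from the VPN client to a LAN host.
    print(lookup(parse_routes(CLIENT), "192.168.1.144"))
    # Return path from a LAN host to the VPN client at 192.168.2.6.
    for name, table in (("LAN_OK", LAN_OK), ("LAN_BAD_STATIC", LAN_BAD_STATIC)):
        ok = reply_goes_to(parse_routes(table), "192.168.2.6", "192.168.1.254")
        print(name, "reply returns via pfSense:", ok)
```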
                                          BrianBonnell

                                          I had this same problem, but when I added all the hosts that I wanted the VPN clients to be able to contact to the DNS Forwarder list, I was able to ping and connect to the LAN side from the VPN client side. When I removed those entries, I also lost my connectivity to those LAN elements. Not sure why, but it seems that the hosts you want to be able to access via the VPN have to be listed in the DNS Forwarder also. Bug? Not sure, but adding them fixed my issue.

                                            Thibaut

                                            Hi, and thanks for your help!

                                            I'm presenting my configuration again, because I'm not able to solve the problem:

                                            VPN Server configuration file :

                                            writepid /var/run/openvpn_server0.pid
                                            #user nobody
                                            #group nobody
                                            daemon
                                            keepalive 10 60
                                            ping-timer-rem
                                            persist-tun
                                            persist-key
                                            dev tun
                                            proto tcp-server
                                            cipher BF-CBC
                                            up /etc/rc.filter_configure
                                            down /etc/rc.filter_configure
                                            server 192.168.2.0 255.255.255.0
                                            client-config-dir /var/etc/openvpn_csc
                                            push "route 192.168.1.0 255.255.255.0"
                                            lport 1194
                                            push "dhcp-option DISABLE-NBT"
                                            ca /var/etc/openvpn_server0.ca
                                            cert /var/etc/openvpn_server0.cert
                                            key /var/etc/openvpn_server0.key
                                            dh /var/etc/openvpn_server0.dh
                                            persist-remote-ip
                                            float
                                            
                                            

                                            Client configuration file :

                                            
                                            client
                                            dev tun
                                            proto tcp
                                            resolv-retry infinite
                                            nobind
                                            persist-key
                                            persist-tun
                                            ca /home/thibaut/ca.crt
                                            cert /home/thibaut/client1.crt
                                            key /home/thibaut/client1.key
                                            verb 3
                                            
                                            

                                            Client netstat -rn when it's connected to the VPN server:

                                            Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
                                            192.168.2.1     192.168.2.5     255.255.255.255 UGH       0 0          0 tun0
                                            192.168.2.5     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
                                            172.16.119.0    0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
                                            192.168.1.0     192.168.2.5     255.255.255.0   UG        0 0          0 tun0
                                            172.16.74.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
                                            10.187.88.0     0.0.0.0         255.255.252.0   U         0 0          0 eth0
                                            169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
                                            0.0.0.0         10.187.88.245   0.0.0.0         UG        0 0          0 eth0
                                            
                                            

                                            Ping a PC with address 192.168.1.144 (report with tcpdump in pfSense) :

                                            tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                                            listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes
                                            09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
                                            09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
                                            09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
                                            09:23:59.408489 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
                                            09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
                                            09:24:00.716003 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 10, length 64
                                            09:24:01.416434 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
                                            09:24:01.709148 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 11, length 64
                                            ^C
                                            8 packets captured
                                            9 packets received by filter
                                            0 packets dropped by kernel
                                            
                                            

                                            ipconfig /all on my Windows PC which has 192.168.1.144:

                                            Carte Ethernet Connexion réseau sans fil:
                                            
                                                    Suffixe DNS propre à la connexion : valadon.lan
                                                    Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter
                                                    Adresse physique . . . . . . . . .: 00-1B-2F-42-AE-DB
                                                    DHCP activé. . . . . . . . . . . : Oui
                                                    Configuration automatique activée . . . . : Oui
                                                    Adresse IP. . . . . . . . . . . . : 192.168.1.144
                                                    Masque de sous-réseau . . . . . . : 255.255.255.0
                                                    Passerelle par défaut . . . . . . : 192.168.1.254
                                                    Serveur DHCP. . . . . . . . . . . : 192.168.1.254
                                                    Serveurs DNS . . . . . . . . . .  : 192.168.1.254
                                                    Serveur WINS principal. . . . . . : 10.187.88.4
                                                    Bail obtenu . . . . . . . . . . . : mardi 5 mai 2009 09:03:38
                                                    Bail expirant . . . . . . . . . . : mardi 5 mai 2009 11:03:38
                                            
                                            

                                            ifconfig on my linux client :

                                            ath0      Link encap:Ethernet  HWaddr 00:15:af:59:60:78  
                                                      UP BROADCAST MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:522 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:0 
                                                      Octets reçus:191752 (187.2 KB) Octets transmis:52773 (51.5 KB)
                                            
                                            eth0      Link encap:Ethernet  HWaddr 00:1e:8c:28:4d:9c  
                                                      inet adr:10.187.91.250  Bcast:10.187.91.255  Masque:255.255.252.0
                                                      adr inet6: fe80::21e:8cff:fe28:4d9c/64 Scope:Lien
                                                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:47532 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:24031 errors:0 dropped:0 overruns:0 carrier:13
                                                      collisions:0 lg file transmission:1000 
                                                      Octets reçus:20305549 (19.3 MB) Octets transmis:0 (0.0 B)
                                                      Mémoire:feac0000-feb00000 
                                            
                                            lo        Link encap:Boucle locale  
                                                      inet adr:127.0.0.1  Masque:255.0.0.0
                                                      adr inet6: ::1/128 Scope:Hôte
                                                      UP LOOPBACK RUNNING  MTU:16436  Metric:1
                                                      Packets reçus:3217 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:3217 errors:0 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:0 
                                                      Octets reçus:167880 (163.9 KB) Octets transmis:167880 (163.9 KB)
                                            
                                            tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
                                                      inet adr:192.168.2.6  P-t-P:192.168.2.5  Masque:255.255.255.255
                                                      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:21 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:389 errors:0 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:100 
                                                      Octets reçus:1194 (1.1 KB) Octets transmis:32110 (31.3 KB)
                                            
                                            vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01  
                                                      inet adr:172.16.119.1  Bcast:172.16.119.255  Masque:255.255.255.0
                                                      adr inet6: fe80::250:56ff:fec0:1/64 Scope:Lien
                                                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:1000 
                                                      Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)
                                            
                                            vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08  
                                                      inet adr:172.16.74.1  Bcast:172.16.74.255  Masque:255.255.255.0
                                                      adr inet6: fe80::250:56ff:fec0:8/64 Scope:Lien
                                                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
                                                      TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:1000 
                                                      Octets reçus:0 (0.0 B) Octets transmis:0 (0.0 B)
                                            
                                            wifi0     Link encap:UNSPEC  HWaddr 00-15-AF-59-60-78-00-00-00-00-00-00-00-00-00-00  
                                                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                                      Packets reçus:57444 erreurs:0 :0 overruns:0 frame:3848
                                                      TX packets:2361 errors:20 dropped:0 overruns:0 carrier:0
                                                      collisions:0 lg file transmission:280 
                                                      Octets reçus:6565866 (6.2 MB) Octets transmis:152379 (148.8 KB)
                                            
                                            

                                            ifconfig on my pfSenseBox :

                                            le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                            	options=8<VLAN_MTU>
                                            	ether 00:0c:29:c2:6b:1e
                                            	inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
                                            	inet6 fe80::20c:29ff:fec2:6b1e%le0 prefixlen 64 scopeid 0x1
                                            	media: Ethernet autoselect
                                            	status: active
                                            le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                            	options=8<VLAN_MTU>
                                            	ether 00:0c:29:c2:6b:28
                                            	inet 10.187.88.9 netmask 0xfffffc00 broadcast 10.187.91.255
                                            	inet6 fe80::20c:29ff:fec2:6b28%le1 prefixlen 64 scopeid 0x2
                                            	media: Ethernet autoselect
                                            	status: active
                                            plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
                                            pflog0: flags=100<PROMISC> metric 0 mtu 33204
                                            lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                                            	inet 127.0.0.1 netmask 0xff000000
                                            	inet6 ::1 prefixlen 128
                                            	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
                                            enc0: flags=0<> metric 0 mtu 1536
                                            pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
                                            	pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
                                            tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
                                            	inet6 fe80::20c:29ff:fec2:6b1e%tun0 prefixlen 64 scopeid 0x8
                                            	inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
                                            	Opened by PID 2478
                                            

                                            So with this configuration, I'm not able to ping 192.168.1.144 from 192.168.2.6 …

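An added example, not part of any post in this thread: pairing ICMP echo requests with their replies in tcpdump text output, which is the check being done by eye on the capture above. The first capture is copied from the post (taken on le0, the pfSense LAN interface); the second is constructed to show a partly answered flow.

```python
import re
from collections import defaultdict

# Copied from the tcpdump output posted above.
THREAD_CAPTURE = """\
09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
09:23:59.408489 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
09:24:00.716003 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 10, length 64
09:24:01.416434 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:24:01.709148 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 11, length 64
"""

# Constructed capture (not from the thread): seq 2 never gets a reply.
CONSTRUCTED_CAPTURE = """\
10:00:00.000100 IP 192.168.2.6 > 192.168.1.245: ICMP echo request, id 100, seq 1, length 64
10:00:00.000900 IP 192.168.1.245 > 192.168.2.6: ICMP echo reply, id 100, seq 1, length 64
10:00:01.000100 IP 192.168.2.6 > 192.168.1.245: ICMP echo request, id 100, seq 2, length 64
10:00:02.000100 IP 192.168.2.6 > 192.168.1.245: ICMP echo request, id 100, seq 3, length 64
10:00:02.000800 IP 192.168.1.245 > 192.168.2.6: ICMP echo reply, id 100, seq 3, length 64
"""

ECHO = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def pair_echoes(capture):
    """Match each echo reply to its request by (addresses, id, seq).

    Returns {(src, dst): {"answered": [seq, ...], "unanswered": [seq, ...]}}
    keyed by the direction of the requests.
    """
    pending = set()   # (src, dst, id, seq) of requests still waiting for a reply
    flows = defaultdict(lambda: {"answered": [], "unanswered": []})
    for line in capture.splitlines():
        m = ECHO.match(line.strip())
        if not m:
            continue  # STP frames and any other traffic
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending.add((m["src"], m["dst"], ident, seq))
            flows[(m["src"], m["dst"])]  # record the flow even if nothing answers
        else:
            key = (m["dst"], m["src"], ident, seq)  # a reply reverses src and dst
            if key in pending:
                pending.discard(key)
                flows[(key[0], key[1])]["answered"].append(seq)
    for src, dst, _ident, seq in pending:
        flows[(src, dst)]["unanswered"].append(seq)
    return {k: {n: sorted(v) for n, v in f.items()} for k, f in flows.items()}


if __name__ == "__main__":
    for name, cap in (("thread", THREAD_CAPTURE), ("constructed", CONSTRUCTED_CAPTURE)):
        for flow, result in pair_echoes(cap).items():
            print(name, flow, result)
```

Requests visible on the LAN interface with every sequence number unanswered mean the packets left pfSense towards the host and no reply came back on that interface.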