Can ping server but not rest of network.
-
PC1 192.168.2.6 (tun0) --------------- 10.187.88.8 (WAN) pfSense 192.168.1.254 (LAN) ------------------ 192.168.1.245 (LAN) PC2
pfSense also has 192.168.2.5 for the VPN server.
Ping from PC2 to PC1 works!
Ping from PC1 to PC2 doesn't work! And I want to access the LAN from the WAN with the VPN server.
-
Right, then look at the firewall settings on PC2. You may find that it's blocking ping requests.
-
Thanks for your help.
But my firewall on PC2 is disabled…
I can see the request from 192.168.2.6 to 192.168.1.245 with tcpdump of pfSense, but not the reply.
-
Then your problem is with the host 192.168.1.245. Check that its default gateway is correct, check to see that it's receiving the packets, do all the basic troubleshooting steps on that host.
-
The problem doesn't come from that host, because there is the same problem with another PC with another IP address…
Thanks for your help...
-
Well, start there. If you're seeing packets enter the LAN but not return to pfSense then something you've posted here is obviously wrong. The three possibilities are:
- The hosts don't use the pfSense host as their default gateway
- The static routes on the LAN clients are wrong
- They run firewalls
Eliminate those one at a time; what's left is the only possibility.
-
> The static routes on the LAN clients
What's that?
-
Static routes tell clients how to reach networks that are attached to something other than your default gateway.
-
I had this same problem, but when I added all my hosts that I wanted the VPN clients to be able to contact to the DNS Forwarder list, I was able to ping and connect to the LAN side from the VPN client side; when I removed those entries, I also lost my connectivity to those LAN elements. Not sure why, but it seems that the hosts you want to be able to access via the VPN have to be listed in the DNS Forwarder also. Bug? Not sure, but adding them fixed my issue.
-
Hi and thanks for your help!
I'm presenting my configuration again, because I'm not able to solve the problem:
VPN server configuration file:
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
persist-remote-ip
float
Client configuration file:
client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/thibaut/ca.crt
cert /home/thibaut/client1.crt
key /home/thibaut/client1.key
verb 3
Client netstat -rn when it's connected to the VPN server:
Destination     Passerelle      Genmask         Indic MSS Fenêtre irtt Iface
192.168.2.1     192.168.2.5     255.255.255.255 UGH   0   0       0    tun0
192.168.2.5     0.0.0.0         255.255.255.255 UH    0   0       0    tun0
172.16.119.0    0.0.0.0         255.255.255.0   U     0   0       0    vmnet1
192.168.1.0     192.168.2.5     255.255.255.0   UG    0   0       0    tun0
172.16.74.0     0.0.0.0         255.255.255.0   U     0   0       0    vmnet8
10.187.88.0     0.0.0.0         255.255.252.0   U     0   0       0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0       0    eth0
0.0.0.0         10.187.88.245   0.0.0.0         UG    0   0       0    eth0
Ping to a PC with address 192.168.1.144 (captured with tcpdump on pfSense):
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes
09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
09:23:59.408489 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
09:24:00.716003 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 10, length 64
09:24:01.416434 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:24:01.709148 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 11, length 64
^C
8 packets captured
9 packets received by filter
0 packets dropped by kernel
ipconfig /all on my Windows PC which has 192.168.1.144:
Carte Ethernet Connexion réseau sans fil:
   Suffixe DNS propre à la connexion : valadon.lan
   Description . . . . . . . . . . . : NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter
   Adresse physique . . . . . . . . .: 00-1B-2F-42-AE-DB
   DHCP activé. . . . . . . . . . . : Oui
   Configuration automatique activée . . . . : Oui
   Adresse IP. . . . . . . . . . . . : 192.168.1.144
   Masque de sous-réseau . . . . . . : 255.255.255.0
   Passerelle par défaut . . . . . . : 192.168.1.254
   Serveur DHCP. . . . . . . . . . . : 192.168.1.254
   Serveurs DNS . . . . . . . . . . : 192.168.1.254
   Serveur WINS principal. . . . . . : 10.187.88.4
   Bail obtenu . . . . . . . . . . . : mardi 5 mai 2009 09:03:38
   Bail expirant . . . . . . . . . . : mardi 5 mai 2009 11:03:38
ifconfig on my Linux client:
ath0      Link encap:Ethernet  HWaddr 00:15:af:59:60:78
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Packets reçus:522 erreurs:0 :0 overruns:0 frame:0
          TX packets:366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:191752 (187.2 KB)  Octets transmis:52773 (51.5 KB)

eth0      Link encap:Ethernet  HWaddr 00:1e:8c:28:4d:9c
          inet adr:10.187.91.250  Bcast:10.187.91.255  Masque:255.255.252.0
          adr inet6: fe80::21e:8cff:fe28:4d9c/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:47532 erreurs:0 :0 overruns:0 frame:0
          TX packets:24031 errors:0 dropped:0 overruns:0 carrier:13
          collisions:0 lg file transmission:1000
          Octets reçus:20305549 (19.3 MB)  Octets transmis:0 (0.0 B)
          Mémoire:feac0000-feb00000

lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          Packets reçus:3217 erreurs:0 :0 overruns:0 frame:0
          TX packets:3217 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:167880 (163.9 KB)  Octets transmis:167880 (163.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet adr:192.168.2.6  P-t-P:192.168.2.5  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:21 erreurs:0 :0 overruns:0 frame:0
          TX packets:389 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100
          Octets reçus:1194 (1.1 KB)  Octets transmis:32110 (31.3 KB)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
          inet adr:172.16.119.1  Bcast:172.16.119.255  Masque:255.255.255.0
          adr inet6: fe80::250:56ff:fec0:1/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:0 (0.0 B)  Octets transmis:0 (0.0 B)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet adr:172.16.74.1  Bcast:172.16.74.255  Masque:255.255.255.0
          adr inet6: fe80::250:56ff:fec0:8/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:0 (0.0 B)  Octets transmis:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 00-15-AF-59-60-78-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Packets reçus:57444 erreurs:0 :0 overruns:0 frame:3848
          TX packets:2361 errors:20 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:280
          Octets reçus:6565866 (6.2 MB)  Octets transmis:152379 (148.8 KB)
ifconfig on my pfSense box:
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:0c:29:c2:6b:1e
	inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::20c:29ff:fec2:6b1e%le0 prefixlen 64 scopeid 0x1
	media: Ethernet autoselect
	status: active
le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:0c:29:c2:6b:28
	inet 10.187.88.9 netmask 0xfffffc00 broadcast 10.187.91.255
	inet6 fe80::20c:29ff:fec2:6b28%le1 prefixlen 64 scopeid 0x2
	media: Ethernet autoselect
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pflog0: flags=100<PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
	pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	inet6 fe80::20c:29ff:fec2:6b1e%tun0 prefixlen 64 scopeid 0x8
	inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffffff
	Opened by PID 2478
So with this configuration, I'm not able to ping 192.168.1.144 from 192.168.2.6…
-
On the Windows PC, what does netstat -rn show?
I'll say it again - if you're not seeing packets back into the pfSense host from the Windows host then the problem is not with OpenVPN, or the remote client. The problem is entirely in your local network and almost certainly on the Windows host.
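The diagnostic the reply above rests on is "requests leave pfSense, replies never come back". The following script is an added example, not code from the thread or from pfSense: it parses tcpdump's default one-line ICMP output and reports echo requests with no matching echo reply (same ICMP id and sequence number, opposite direction). The sample capture is constructed from the thread's own tcpdump lines plus one hypothetical request/reply pair from pfSense itself, so the one-way flow stands out against a healthy one.

```python
"""Spot one-way ICMP traffic in a tcpdump capture (added example)."""
import re
from collections import defaultdict

# tcpdump's default line for ICMP echo, e.g.
# "09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(lines):
    """Yield (kind, src, dst, id, seq) for ICMP echo lines; skip everything else
    (tcpdump banners, STP frames, the packet-count trailer)."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def unanswered_requests(lines):
    """Return {(src, dst): [seq, ...]} for echo requests that got no reply.

    A reply matches a request when it travels the reverse direction and
    carries the same ICMP id and sequence number.
    """
    requests = defaultdict(set)   # (src, dst, id) -> {seq}
    replies = defaultdict(set)    # keyed by the *request's* direction
    for kind, src, dst, ident, seq in parse_icmp(lines):
        if kind == "request":
            requests[(src, dst, ident)].add(seq)
        else:
            replies[(dst, src, ident)].add(seq)
    result = {}
    for (src, dst, ident), seqs in requests.items():
        missing = sorted(seqs - replies.get((src, dst, ident), set()))
        if missing:
            result.setdefault((src, dst), []).extend(missing)
    return result


# Constructed sample: the thread's capture (requests only, STP noise kept)
# plus a hypothetical ping from pfSense (192.168.1.254) that the Windows
# host answers, as the later post in the thread says it does.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on le0, link-type EN10MB (Ethernet), capture size 96 bytes
09:23:57.352592 STP 802.1d, Config, Flags [none], bridge-id 8000.00:1b:2f:25:3f:70.8002, length 43
09:23:57.725277 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 7, length 64
09:23:58.723015 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 8, length 64
09:23:59.716733 IP 192.168.2.6 > 192.168.1.144: ICMP echo request, id 46635, seq 9, length 64
09:24:05.000000 IP 192.168.1.254 > 192.168.1.144: ICMP echo request, id 100, seq 1, length 64
09:24:05.000400 IP 192.168.1.144 > 192.168.1.254: ICMP echo reply, id 100, seq 1, length 64
8 packets captured
""".splitlines()

if __name__ == "__main__":
    for (src, dst), seqs in unanswered_requests(SAMPLE).items():
        print(f"{src} -> {dst}: {len(seqs)} unanswered echo request(s), seq {seqs}")
```

Run it against a saved capture with `unanswered_requests(open("capture.txt"))`. A pair that shows up in the output with every sequence number missing, while a pair from the firewall's own LAN address does not, is exactly the pattern that points away from OpenVPN and at the LAN host or something filtering between it and pfSense.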
-
Result of netstat -rn on the Windows PC:
Table de routage
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 a5 3e 96 ...... Broadcom 440x 10/100 Integrated Controller - Miniport d'ordonnancement de paquets
0x20004 ...00 1b 2f 42 ae db ...... NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter - Miniport d'ordonnancement de paquets
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau    Masque réseau   Adr. passerelle   Adr. interface   Métrique
          0.0.0.0          0.0.0.0     192.168.1.254    192.168.1.144        25
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1         1
      192.168.1.0    255.255.255.0     192.168.1.144    192.168.1.144        25
    192.168.1.144  255.255.255.255         127.0.0.1        127.0.0.1        25
    192.168.1.255  255.255.255.255     192.168.1.144    192.168.1.144        25
        224.0.0.0        240.0.0.0     192.168.1.144    192.168.1.144        25
  255.255.255.255  255.255.255.255     192.168.1.144                2         1
  255.255.255.255  255.255.255.255     192.168.1.144    192.168.1.144         1
Passerelle par défaut : 192.168.1.254
===========================================================================
Itinéraires persistants :
Aucun
-
So, you have the correct default gateway.
This means that the probability is that you still have the firewall running. Try pinging the Windows host from the pfSense host.
-
When I ping the Windows host from pfSense, it replies… :(
-
Then it's time to install Wireshark on the Windows host and do a packet capture there.
-
YES, it works!
I found my mistake: the captive portal was enabled on the LAN, so the hosts (which were not authenticated) couldn't reply to my client…
Many thanks for your help and for your patience!
-
Happy to help somebody who's willing to listen ;)