Openvpn, lan and wan trouble
-
Solved the problem with openvpn net not being able to connect out to the internet, i automatic nat , when changing to manual and adding all my subnets, the vpn networks outbound traffic to the web started working.
Still stuck on that darn openvpn net > lan , and a lan host can still ping the openvpn client, but not the other way around…
Ah! now i get the route correct.
13.37.1.0 13.37.2.5 255.255.255.0 UG 0 0 0 tun0
13.37.0.0 13.37.2.5 255.255.255.0 UG 0 0 0 tun0but i still cant access the hosts on 13.37.0.0 /24 net :-\
-
You're using public ip addresses that are registered to Xerox Corporation on your networks, any reason for that? I would change all those 13.x.x.x addresses to 10.x.x.x just to be sure there's no ill effects from using public ip addresses where private rfc1918 addresses would be more appropriate.
-
Well the reason is a bit nerdy, the two first octets read 13.37 = 1337 = leet ;)
I read somewhere that unchecking "Block private networks" on the wan interface could help, i tried it with little hope and sure enought it didnt do any good, this problem should be from the tun interface on the pfsense box and the lan interface, not involving wan at all.
I dont think that the address scheme has anything to do with the problem since i can reach 13.37.1.0 net but not 13.37.0.0 , even though i have routes and the nets are class C nets, ill try capturing some packets and look more closely at the logs.
If nothing else helps ill change the to a 10.x.x.x network..
-
Few things to check:
Can you reach the LAN gateway address from the client when the vpn connection is open?
When connecting to hosts on the LAN make sure they don't have firewall of their own that would block traffic from (their point of view) an unknown network.
Are the hosts on the LAN using pfSense as their default gateway or is there another gateway on the LAN net?
-
Yupp, i can ping 13.37.0.1 which is the gateway for the Lan.
The machine im testing against has the firewall turned off.
Chain INPUT (policy ACCEPT)
target prot opt source destinationChain FORWARD (policy ACCEPT)
target prot opt source destinationChain OUTPUT (policy ACCEPT)
target prot opt source destinationThe hosts on the lan has the pfsene lan interface 13.37.0.1 as their gateway.
The pfsense box is the only routing machine on my network, combining lan,dmz,wan and openvpn net.
Here is the traceroute from the client to machines on dmz resp lan net.
Dmz machine 13.37.1.4
1: 13.37.2.6 (13.37.2.6) 0.092ms pmtu 1500
1: 13.37.2.1 (13.37.2.1) 47.907ms
2: 13.37.1.4 (13.37.1.4) 19.079ms reached
Resume: pmtu 1500 hops 2 back 2Lan machine 13.37.0.5
1: 13.37.2.6 (13.37.2.6) 0.069ms pmtu 1500
1: 13.37.2.1 (13.37.2.1) 18.711ms
2: no replySo it looks like the openvpn gateway adress is the last to respond in the Lan case, but cant forward the packet out on the lan interface.
Something gotta be different with the lan and dmz interfaces, since dmz got no problem at all with the openvpn net.
-
Did you make sure that the client you try to ping has no firewall active?
-
yupp, tried from two different hosts aswell. same prob
-
Can you do a tcp dump on the LAN interface?
-
http://pastebin.com/R93W8N0r
i filtered packets from 13.37.2.6 which is the openvpn client im currently running ssh to in order to make a connection from 13.37.2.6 to 13.37.0.5 via ssh.
sadly the only traffic showing up is my ssh session from my own host inside on the lan at 13.37.0.2 , nothing shows for the 13.37.2.6 vpn host trying to make the ssh connection to 13.37.0.5..its a one way street , since all connection from lan > openvpn is successfull but not the other way around, and i have no access-lists to fiddle with either :(
one thing that caught my attention is if the nat only works one way, lan traffic gets nated towards all other interfaces, but the tun0 inteface maybe dont have permission to starta a nat against the lan interface for some reason? , its pretty far fetched since ive read that no configuration of rules or nat should have to be done, and plus the nat towards dmz net works fron the tunnel.
-
After some reading i turned off captive portal… and now it works :)
Allthough captive portal is a nice feature im woundering if its supposed to behave this way or if its a bug?
Kinda want both openvpn > lan and captive portal to work.