Netgate Discussion Forum

    Site to Site unable to connect remote LAN

    Category: OpenVPN
    15 Posts, 4 Posters, 4.9k Views
    itanis:

      Hi All,

      I've just started using pfSense a few days ago and am trying to configure a site to site connection using OpenVPN and a shared key. After a few days of configuration, most of the items have been successful. Sites connect, able to ping fine. However I am stuck at the next step. I am trying to get my local LAN at Site A (server) to be able to connect to the LAN at Site B (client). From a PC in local LAN A, I am able to

      1. ping site B pfsense
      2. connect to site B pfsense web interface using LAN B address.

      However, I am having issues connecting to any other addresses in LAN B from the PC in my LAN A. No ping response as well. A few notes:

      1. Site A pfSense is able to ping any PC in the Site B LAN
      2. Site B pfSense receives firewall logs when the Site A PC is pinging any PC in the Site B LAN.

      I am thinking it may be a NAT issue; not sure if I have made myself clear here... any leads would be nice! Thanks in advance!!

      heper:

        you are either missing routes for both of your LANs or the firewall is blocking.

        try to post back a routing table + schematic of your network
        also see in your firewall logs if anything is blocked that shouldn't be

        itanis:

          Hi Heper,

          Thanks for the response. My network is constructed as such:
          Site A                  Site A pfSense    Site B pfSense      Site B
          192.168.0.0/24 ->  192.168.0.254 -> 10.0.0.254        -> 10.0.0.0/16

          Tunnel Network: 192.168.100.0/30

          Routing table from Site A PC:
          Active Routes:
          Network Destination        Netmask          Gateway      Interface  Metric
                    0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.244      30
                  10.0.0.0      255.255.0.0    192.168.0.254  192.168.0.244      1
                  127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
                192.168.0.0    255.255.255.0    192.168.0.244  192.168.0.244      30
              192.168.0.244  255.255.255.255        127.0.0.1      127.0.0.1      30
              192.168.0.255  255.255.255.255    192.168.0.244  192.168.0.244      30
              192.168.100.0  255.255.255.240    192.168.0.254  192.168.0.244      1
                  224.0.0.0        240.0.0.0    192.168.0.244  192.168.0.244      30
            255.255.255.255  255.255.255.255    192.168.0.244  192.168.0.244      1

          When I do a traceroute from the Site A PC to 10.0.0.254:
          Tracing route to 10.0.0.254 over a maximum of 30 hops

            1     1 ms    <1 ms    <1 ms  192.168.0.254
            2    21 ms    37 ms    20 ms  10.0.0.254

          Trace complete.

          When I do a traceroute from the Site A PC to an IP in Site B:
          Tracing route to 10.0.0.12 over a maximum of 30 hops

            1    <1 ms    <1 ms    <1 ms  192.168.0.254
            2    35 ms    21 ms    24 ms  192.168.100.2
            3     *        *        *     Request timed out.
            4     *        *        *     Request timed out.
            5     *        *        *     Request timed out.

          I've checked the firewall of pfSense in Site B; it allowed and logged the traceroute above from the Site A PC to the Site B PC, just that the request timed out. In the firewall log, the incoming IP is tagged as 192.168.0.11 (my Site A PC).

          If I use pfSense in Site A to ping/trace to any PCs in Site B, it works just fine.

          saxonbeta:

            It is better if you paste the routing table of both pfSense boxes. On the other hand, did you write the correct values of the local network and remote network under the tunnel settings in the server and client configuration?

            itanis:

              yes, the tunnel networks are fine. Also, since my Site A pfSense is able to ping everything in Site B, I am sure the VPN is working fine. Just that the workstations in Site A are unable to ping Site B workstations.

              Here are the routing tables:

              Routing table of Site A pfSense
              Destination      Gateway          Flags  Refs  Use     Mtu    Netif   Expire
              default          192.168.0.1      UGS    0     77702   1500   le0
              10.0.0.0/16      192.168.100.2    UGS    0     1856    1500   ovpns1
              127.0.0.1        link#4           UH     0     250     16384  lo0
              192.168.0.0/24   link#1           U      0     129154  1500   le0
              192.168.0.254    link#1           UHS    0     9       16384  lo0
              192.168.100.1    127.0.0.1        UH     0     0       16384  lo0
              192.168.100.2    link#8           UH     0     31741   1500   ovpns1

              Routing table of Site B pfSense
              Destination      Gateway          Flags  Refs  Use     Mtu    Netif   Expire
              default          10.0.0.13        UGS    0     76104   1500   em0
              10.0.0.0/16      link#1           U      0     97658   1500   em0
              10.0.0.254       link#1           UHS    0     0       16384  lo0
              127.0.0.1        link#3           UH     0     147     16384  lo0
              192.168.0.0/24   192.168.100.1    UGS    0     2443    1500   ovpnc1
              192.168.100.1    link#7           UH     0     31244   1500   ovpnc1
              192.168.100.2    link#7           UHS    0     0       16384  lo0

              itanis:

                Hi,

                I was able to resolve the problem. Just listing it here so it may help others meeting the same issue. As mentioned, pfSense's firewall in Site B is capturing the local LAN PC address from Site A when attempting to ping or connect. What I thought is that it should be reflecting Site A pfSense's tunnel network address.

                What I did is go to the Site A pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, the Site B pfSense firewall reflects Site A pfSense's tunnel address when the Site A PC tries to connect. Upon doing this, the connection is established successfully.

                heper:

                  i'm not sure if i'm reading this correctly but ... am i correctly interpreting that your WAN connection on pfsense-A is also on the 192.168.0.0/24 subnet?

                  if yes then you should investigate that... the same subnet on LAN & WAN + VPN might be a problem

                  cmb:

                    @itanis:

                    What I did is go to the Site A pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, the Site B pfSense firewall reflects Site A pfSense's tunnel address when the Site A PC tries to connect. Upon doing this, the connection is established successfully.

                    This means you have a routing problem. It's a workaround, but generally you don't want to NAT in that scenario, and it will break some things (MS file sharing and related MS protocols are generally the only thing; they can't be NATed).

                    saxonbeta:

                      Indeed it is a routing problem. In pfSense A you have this:

                      default   192.168.0.1   UGS   0   77702   1500   le0

                      And in pfSense B:

                      default   10.0.0.13   UGS   0   76104   1500   em0

                      This means that your WAN connections are in the same subnets as both pfSense LANs. So you should change your choice of IP range for both your LANs.

                      itanis:

                        actually my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Neither pfSense is the main gateway of its network. Does this still apply? Not sure if it invites many issues if I put it this way.

                        cmb:

                          @itanis:

                          actually my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Neither pfSense is the main gateway of its network.

                          There's your problem. You need a route back to the VPN in whatever the default gateway is, and depending on what that default gateway is, there may be other considerations, like not trying to statefully filter the asymmetrically routed traffic, or not using devices like a Cisco PIX that can't route traffic back out the same interface it comes in on, amongst other possible routing or filtering difficulties inherent in such a setup.

                          itanis:

                            Thanks cmb. Given my network setup:

                            LAN A – pfSense A -- Gateway(Router) ----<internet>---- Gateway(Firewall) ---- pfSense B -- LAN B

                            So I came to the thought that I do not need a WAN IP on either pfSense. Thus I set the default gateway in pfSense A/B to the internet gateway in order to get an internet connection. For this, both pfSense A/B have only a LAN IP and no WAN IP.

                            Given this, I set up OpenVPN site to site with pfSense A and B, for which the default route (internet) will of course not be the VPN. Even though so far my NAT is giving 0 issues, I also want to take the chance to understand what a more proper setup would be (which may benefit others as well). In this case it is a routing issue, so does that necessarily mean that if I set a default route or static route in pfSense B back to the VPN gateway it will work?

                            cmb:

                              You need a static route in your gateway on each side. On the LAN A side, a route on the gateway pointing the LAN B subnet to pfSense A's IP. Same, flipping the sides, on the other end.

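To make the routing diagnosis in the posts above concrete, here is an added example that is not part of the thread and not pfSense code: a small Python model of the topology that does longest-prefix-match lookups over the routing tables posted above and follows a ping hop by hop in both directions. The pfSense and PC addresses and the two default gateways (192.168.0.1 and 10.0.0.13) are taken from the thread; the LAN B workstation's table (its connected subnet plus a default route via 10.0.0.13), the node names, and the two gateways having no route for the remote LAN are assumptions, and NAT is deliberately left out so only the routing view is shown. As posted, the forward path crosses the tunnel but the reply from the LAN B host leaves through the site's default gateway; with the static routes cmb describes, the reply comes back through pfSense B via a gateway that never saw the forward direction, which is the asymmetric routing cmb warns about.

```python
import ipaddress

CONNECTED = "connected"  # directly attached subnet: deliver on-link
INTERNET = "internet"    # the site's upstream; for this model the packet is lost

# Node -> addresses it owns, so a next hop can be resolved to a node.
# Node names are this example's own labels; addresses come from the thread.
NODES = {
    "pc_a": ["192.168.0.11"],
    "pfsense_a": ["192.168.0.254", "192.168.100.1"],
    "gw_a": ["192.168.0.1"],
    "pfsense_b": ["10.0.0.254", "192.168.100.2"],
    "gw_b": ["10.0.0.13"],
    "pc_b": ["10.0.0.12"],
}
OWNER = {ipaddress.ip_address(a): n for n, addrs in NODES.items() for a in addrs}


def base_tables():
    """Routing tables as posted in the thread (loopback entries omitted).
    pc_b's table and the two gateways' tables are assumptions: an ordinary
    host, and internet gateways that know nothing about the VPN."""
    return {
        "pc_a": [("0.0.0.0/0", "192.168.0.1"),
                 ("10.0.0.0/16", "192.168.0.254"),
                 ("192.168.0.0/24", CONNECTED)],
        "pfsense_a": [("0.0.0.0/0", "192.168.0.1"),
                      ("10.0.0.0/16", "192.168.100.2"),
                      ("192.168.0.0/24", CONNECTED),
                      ("192.168.100.0/30", CONNECTED)],
        "gw_a": [("0.0.0.0/0", INTERNET), ("192.168.0.0/24", CONNECTED)],
        "pfsense_b": [("0.0.0.0/0", "10.0.0.13"),
                      ("10.0.0.0/16", CONNECTED),
                      ("192.168.0.0/24", "192.168.100.1"),
                      ("192.168.100.0/30", CONNECTED)],
        "gw_b": [("0.0.0.0/0", INTERNET), ("10.0.0.0/16", CONNECTED)],
        "pc_b": [("0.0.0.0/0", "10.0.0.13"), ("10.0.0.0/16", CONNECTED)],
    }


def lookup(table, dst):
    """Longest-prefix match. Returns the next-hop address, CONNECTED,
    INTERNET, or None when no route in the table matches at all."""
    dst = ipaddress.ip_address(str(dst))
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(tables, src, dst, max_hops=10):
    """Follow one packet hop by hop. The path ends at the node owning dst,
    at INTERNET (the default route swallowed it), or at a marker naming
    the node that could not forward it."""
    dst_ip = ipaddress.ip_address(dst)
    node, path = src, [src]
    for _ in range(max_hops):
        if OWNER.get(dst_ip) == node:
            return path
        hop = lookup(tables[node], dst_ip)
        if hop is None:
            return path + [f"no-route@{node}"]
        if hop == INTERNET:
            return path + [INTERNET]
        if hop == CONNECTED:
            if dst_ip not in OWNER:
                return path + [f"no-such-host@{node}"]
            node = OWNER[dst_ip]
        else:
            node = OWNER[ipaddress.ip_address(hop)]
        path.append(node)
    return path + ["loop"]


def with_static_routes(tables):
    """cmb's fix: each site's gateway learns the remote LAN via the local pfSense."""
    fixed = {n: list(t) for n, t in tables.items()}
    fixed["gw_a"].append(("10.0.0.0/16", "192.168.0.254"))
    fixed["gw_b"].append(("192.168.0.0/24", "10.0.0.254"))
    return fixed


def round_trip(tables):
    """Forward and return path of a ping from the LAN A PC to the LAN B PC."""
    return trace(tables, "pc_a", "10.0.0.12"), trace(tables, "pc_b", "192.168.0.11")


if __name__ == "__main__":
    for label, t in (("as posted", base_tables()),
                     ("with static routes", with_static_routes(base_tables()))):
        fwd, back = round_trip(t)
        print(f"{label:18} forward: {' > '.join(fwd)}")
        print(f"{label:18} return:  {' > '.join(back)}")
```

The model only answers the question "where does the next hop send this packet"; it says nothing about state tables or NAT, which is exactly why the fixed return path (pc_b > gw_b > pfsense_b > pfsense_a > pc_a) still needs the gateway at site B to be willing to hairpin traffic back out the interface it arrived on, and to not drop it as a flow it never saw the start of.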
                                itanis:

                                  This makes a lot of sense. The key here is the default gateway, I guess, instead of pfSense in this setup. I'll give it a shot; it's very beneficial. Thanks again.

                                  cmb:

                                  Yeah the default gateway has to know how to reach that remote network.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.