Netgate Discussion Forum
    Site to Site unable to connect remote LAN

    OpenVPN
    15 Posts 4 Posters 4.9k Views
      itanis

      Yes, the tunnel network is fine. Also, since my SiteA pfSense is able to ping everything in SiteB, I am sure the VPN is working fine. It is just that the workstations in SiteA are unable to ping SiteB workstations.

      Here are the routing tables:

      Routing table of Site A pfSense
      Destination     Gateway         Flags  Refs  Use     Mtu    Netif   Expire
      default         192.168.0.1     UGS    0     77702   1500   le0
      10.0.0.0/16     192.168.100.2   UGS    0     1856    1500   ovpns1
      127.0.0.1       link#4          UH     0     250     16384  lo0
      192.168.0.0/24  link#1          U      0     129154  1500   le0
      192.168.0.254   link#1          UHS    0     9       16384  lo0
      192.168.100.1   127.0.0.1       UH     0     0       16384  lo0
      192.168.100.2   link#8          UH     0     31741   1500   ovpns1

      Routing table of Site B pfSense
      Destination     Gateway         Flags  Refs  Use     Mtu    Netif   Expire
      default         10.0.0.13       UGS    0     76104   1500   em0
      10.0.0.0/16     link#1          U      0     97658   1500   em0
      10.0.0.254      link#1          UHS    0     0       16384  lo0
      127.0.0.1       link#3          UH     0     147     16384  lo0
      192.168.0.0/24  192.168.100.1   UGS    0     2443    1500   ovpnc1
      192.168.100.1   link#7          UH     0     31244   1500   ovpnc1
      192.168.100.2   link#7          UHS    0     0       16384  lo0

        itanis

        Hi,

        I was able to resolve the problem. Just listing it here so it may help out others meeting the same issues. As mentioned, the pfSense firewall in SiteB is capturing the local LAN PC address from SiteA when attempting to ping or connect. What I thought is that it should reflect SiteA's pfSense tunnel network address.

        What I did was go to the SiteA pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, the SiteB pfSense firewall reflects SiteA's pfSense tunnel address when a SiteA PC tries to connect. Upon doing this, the connection is established successfully.

          heper

          I'm not sure if I'm reading this correctly but... am I correctly interpreting that your WAN connection on pfSense-A is also on the 192.168.0.0/24 subnet?

          If yes, then you should investigate that... the same subnet on LAN & WAN + VPN might be a problem.

            cmb

            @itanis:

            What I did was go to the SiteA pfSense firewall, change to Manual NAT and add a NAT rule for the OpenVPN interface. After which, the SiteB pfSense firewall reflects SiteA's pfSense tunnel address when a SiteA PC tries to connect. Upon doing this, the connection is established successfully.

            This means you have a routing problem. It's a workaround, but generally you don't want to NAT in that scenario, and it will break some things (MS file sharing and related MS protocols are generally the only things; they can't be NATed).

              saxonbeta

              Indeed it is a routing problem. In pfSense A you have this:

              default   192.168.0.1   UGS   0   77702   1500   le0

              And in pfSense B:

              default   10.0.0.13   UGS   0   76104   1500   em0

              This means that your WAN connections are in the same subnets as both pfSense LANs. So you should change your choice of IP range for both your LANs.

                itanis

                Actually, my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Neither pfSense is the main gateway of the network. Does this still apply? Not sure if it invites many issues if I put it in this way.

                  cmb

                  @itanis:

                  Actually, my WAN interface is disabled. The default route is what I put in my LAN interface as the gateway. Neither pfSense is the main gateway of the network.

                  There's your problem. You need a route back to the VPN in whatever is the default gateway, and depending on what the default gateway is, there may be other considerations like not trying to statefully filter the asymmetrically routed traffic, or not using devices like a Cisco PIX that can't route traffic back out the same interface it came in on, amongst other possible routing or filtering difficulties inherent in such a setup.

                    itanis

                    Thanks cmb. Given my network setup:

                    LAN A -- pfSense A -- Gateway(Router) ----<internet>---- Gateway(Firewall) ---- pfSense B -- LAN B

                    So I came to the thought that I do not need a WAN IP on either pfSense. Thus I set the default gateway in pfSense A/B to the internet gateway in order to get an internet connection. So both pfSense A/B have only a LAN IP and no WAN IP.

                    Given this, I set up OpenVPN site to site between pfSense A and B, which for sure means the default route (internet) will not be the VPN. Even though so far my NAT is giving 0 issues, I also want to take the chance to understand what a more proper setup is (which may benefit others as well). In this case it is the routing issue, so does that necessarily mean that if I set a default route or static route in pfSense B back to the VPN gateway it will work?

                      cmb

                      You need a static route in your gateway on each side. On the LAN A side, a route on the gateway pointing the LAN B subnet to pfSense A's IP. Same, flipping the sides, on the other end.

                        itanis

                        This makes a lot of sense. The key is the default gateway here, I guess, instead of pfSense in this setup. I'll give it a shot; it's very beneficial. Thanks again.

                          cmb

                          Yeah, the default gateway has to know how to reach that remote network.

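The static-route fix cmb describes, traced hop by hop through route lookups. This is an added example, not code from the thread or from pfSense: it loads the two pfSense routing tables posted earlier in the thread and pairs them with assumed tables for the two LAN gateways and two workstations (the workstation addresses 192.168.0.50 and 10.0.0.50, the ISP next hops, and the interface names lan/uplink/eth0 are constructed; the gateway addresses 192.168.0.1 and 10.0.0.13, the pfSense LAN addresses and the tunnel addresses are the ones in the posted tables). It models routing only, with no NAT and no firewall state, and shows why a packet from a LAN A workstation never reaches the tunnel until the LAN gateway has a route for the remote subnet pointing at pfSense, why the reply needs the matching route on the other side, and why pfSense A itself could always reach Site B.

```python
import ipaddress

# Routing tables of the two pfSense boxes exactly as posted in the thread
# (netstat -rn columns: destination gateway flags refs use mtu netif).
PFSENSE_A = """
default 192.168.0.1 UGS 0 77702 1500 le0
10.0.0.0/16 192.168.100.2 UGS 0 1856 1500 ovpns1
127.0.0.1 link#4 UH 0 250 16384 lo0
192.168.0.0/24 link#1 U 0 129154 1500 le0
192.168.0.254 link#1 UHS 0 9 16384 lo0
192.168.100.1 127.0.0.1 UH 0 0 16384 lo0
192.168.100.2 link#8 UH 0 31741 1500 ovpns1
"""
PFSENSE_B = """
default 10.0.0.13 UGS 0 76104 1500 em0
10.0.0.0/16 link#1 U 0 97658 1500 em0
10.0.0.254 link#1 UHS 0 0 16384 lo0
127.0.0.1 link#3 UH 0 147 16384 lo0
192.168.0.0/24 192.168.100.1 UGS 0 2443 1500 ovpnc1
192.168.100.1 link#7 UH 0 31244 1500 ovpnc1
192.168.100.2 link#7 UHS 0 0 16384 lo0
"""
# ASSUMED: the thread never shows the LAN gateways' or workstations' tables.
# "uplink" is a gateway's Internet-facing interface; the ISP next hops and the
# workstation addresses used below are made up for this walk-through.
GW_A = "default 203.0.113.1 UGS 0 0 1500 uplink\n192.168.0.0/24 link#1 U 0 0 1500 lan\n"
GW_B = "default 198.51.100.1 UGS 0 0 1500 uplink\n10.0.0.0/16 link#1 U 0 0 1500 lan\n"
HOST_A = "default 192.168.0.1 UGS 0 0 1500 eth0\n192.168.0.0/24 link#1 U 0 0 1500 eth0\n"
HOST_B = "default 10.0.0.13 UGS 0 0 1500 eth0\n10.0.0.0/16 link#1 U 0 0 1500 eth0\n"
# The static routes cmb recommends: remote LAN subnet -> local pfSense LAN address.
GW_A_FIX = "10.0.0.0/16 192.168.0.254 UGS 0 0 1500 lan\n"
GW_B_FIX = "192.168.0.0/24 10.0.0.254 UGS 0 0 1500 lan\n"


def parse_routes(text):
    """Turn netstat -rn style lines into (network, gateway, netif) tuples.
    'default' is 0.0.0.0/0; a bare address is a /32 host route."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dest, gw, netif = fields[0], fields[1], fields[6]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append((net, gw, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same choice the kernel forwarding path makes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def build_topology(gateways_have_static_routes):
    """Return {ip: (node_name, routes)}; a node is registered under every
    address it owns so that next hops (LAN side or tunnel side) can be followed."""
    gw_a = GW_A + (GW_A_FIX if gateways_have_static_routes else "")
    gw_b = GW_B + (GW_B_FIX if gateways_have_static_routes else "")
    nodes = {}

    def add(name, ips, table):
        for ip in ips:
            nodes[ip] = (name, parse_routes(table))

    add("host-A", ["192.168.0.50"], HOST_A)
    add("gw-A", ["192.168.0.1"], gw_a)
    add("pfSense-A", ["192.168.0.254", "192.168.100.1"], PFSENSE_A)
    add("pfSense-B", ["10.0.0.254", "192.168.100.2"], PFSENSE_B)
    add("gw-B", ["10.0.0.13"], gw_b)
    add("host-B", ["10.0.0.50"], HOST_B)
    return nodes


def trace(nodes, src, dst, max_hops=10):
    """Follow next hops from src until dst is reached, the packet is handed to an
    Internet uplink, or the next hop is unknown. Returns (path, verdict)."""
    path, cur = [], src
    for _ in range(max_hops):
        name, routes = nodes[cur]
        path.append(name)
        if cur == dst:
            return path, "delivered"
        route = lookup(routes, dst)
        if route is None:
            return path, "no route at " + name
        _net, gw, netif = route
        if netif == "uplink":
            return path, "sent to the Internet by " + name
        nxt = dst if gw.startswith("link#") else gw  # connected subnet vs. next hop
        if nxt not in nodes:
            return path, "unknown next hop " + nxt
        cur = nxt
    return path, "hop limit reached"


if __name__ == "__main__":
    for label in ("without", "with"):
        nodes = build_topology(label == "with")
        print(f"--- {label} static routes on the LAN gateways ---")
        for src, dst in (("192.168.0.50", "10.0.0.50"), ("10.0.0.50", "192.168.0.50"),
                         ("192.168.0.254", "10.0.0.50")):
            path, verdict = trace(nodes, src, dst)
            print(f"{src} -> {dst}: {' > '.join(path)}: {verdict}")
```

Without the static routes, the workstation's packet dies at gw-A because the gateway's best match for 10.0.0.0/16 is its default route; pfSense-A's own ping succeeds because pfSense-A consults its own table, where 10.0.0.0/16 wins over the default. Adding one route per gateway, as cmb suggests, makes both directions complete through the tunnel without any NAT.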
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.