Netgate Discussion Forum
    Site-to-Site VPN - can't ping from one side to the other

    OpenVPN
      TC10284

      I have set up a site-to-site VPN using OpenVPN on two pfSense 2.0.1 routers.
      I followed these guides:
      This one first:
      http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)
      Then this one to check myself:
      http://blog.stefcho.eu/?p=576

      Some information:
      "Server" network = 192.168.1.0/24
      "Client" network = 192.168.2.0/24

      I can ping from 192.168.2.0/24 to any device on 192.168.1.0/24.
      I cannot ping from 192.168.1.0/24 to any device 192.168.2.0/24.
      I want to be able to ping devices on either side of the VPN.

      I have even tried to add a push "route 192.168.2.0 255.255.255.0" on the 192.168.1.0/24 VPN "server", but still no luck.

      What's going on?

        heper

        I'm thinking your routes are fine. In my experience, if you are able to ping in any direction -> routes are fine.

        I'm thinking a firewall rule is blocking on the 192.168.1.0 side of the VPN.

        enjoy

          TC10284

          OpenVPN says the connection is up.
          Also, I can use nslookup, switch to a DNS server on 192.168.1.0/24 and look up records on that LAN fine. I can also access the pfSense admin console on 192.168.1.1 from a client on 192.168.2.0/24.

          Here are my firewall rules from pfSense on 192.168.1.1:

          
          - <filter>- <rule><id><type>pass</type> <interface>wan</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>icmp</protocol> -<source> <any>- <destination><network>wanip</network></destination> -</any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule>-<source> <any><interface>wan</interface> <protocol>tcp</protocol> - <destination><address>192.168.0.2</address></destination> - <associated-rule-id>nat_4f9186728b5b94.48582549</associated-rule-id></any></rule> - <rule>-<source> <any><interface>wan</interface> <protocol>tcp</protocol> - <destination><address>192.168.1.116</address>
          
           <port>57030</port></destination> - <associated-rule-id>nat_4f9186ada4a717.67221852</associated-rule-id> <disabled></disabled></any></rule> - <rule>-<source> <any><interface>wan</interface> <protocol>tcp</protocol> - <destination><address>192.168.1.116</address>
          
           <port>47624</port></destination> - <associated-rule-id>nat_4f9186db5f3e11.56896932</associated-rule-id> <disabled></disabled></any></rule> - <rule>-<source> <any><interface>wan</interface> <protocol>tcp/udp</protocol> - <destination><address>192.168.1.116</address>
          
           <port>-100</port></destination> - <associated-rule-id>nat_4f918715118c26.90301933</associated-rule-id> <disabled></disabled></any></rule> - <rule><id><type>pass</type> <interface>wan</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>udp</protocol> -<source> <any>- <destination><any><port>1194</port></any></destination> -</any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule><type>pass</type> - <interface>lan</interface> -<source> <network>lan</network>  - <destination><any></any></destination></rule> - <rule><id><type>pass</type> <interface>openvpn</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os>-<source> <any>- <destination><any></any></destination> -</any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule><id><type>pass</type> <interface>opt1</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os>-<source> <network>opt1</network>  - <destination><network>lan</network></destination></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule><id><type>block</type> <interface>opt1</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>tcp</protocol> -<source> <any>- <destination><network>lan</network></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule></filter> 
          

          Here are the firewall rules on pfSense 192.168.2.1:

          
          - <filter>- <rule><id><type>pass</type> <interface>wan</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>icmp</protocol> -<source> <any>- <destination><network>wanip</network></destination> -</any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule><id><type>pass</type> <interface>wan</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os><protocol>udp</protocol> -<source> <any>- <destination><any><port>1194</port></any></destination> - <disabled></disabled></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> - <rule><type>pass</type> - <interface>lan</interface> -<source> <network>lan</network>  - <destination><any></any></destination></rule> - <rule><id><type>pass</type> <interface>openvpn</interface> <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype> <os>-<source> <any>- <destination><any></any></destination> -</any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule></filter> 
          

          Do you need anything else to help me diagnose?

            heper

            Let me first say that I'm not really good at reading the XML, as I generally use the webGUI =)

            But since the following rule is the only block rule I can find:

             <rule>
               <id></id><type>block</type><interface>opt1</interface>
               <tag></tag><tagged></tagged><max></max><max-src-nodes></max-src-nodes><max-src-conn></max-src-conn><max-src-states></max-src-states><statetimeout></statetimeout>
               <statetype>keep state</statetype><os></os><protocol>tcp</protocol>
               <source><any></any></source>
               <destination><network>lan</network></destination>
             </rule>


            Is opt1 an interface assigned to your OpenVPN?
            If yes, then you might consider changing the block from opt1 -> lan and see if that helps in any way.

            Other than that, providing screenshots of the routing table / firewall rules on the relevant tabs / a drawing of the network layout can all help to diagnose further.

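As an added example (not code from the thread or from pfSense itself), here is a small Python script that performs the check heper did by eye: parse the <filter> section, walk the rules for one interface top to bottom, first match wins, and report which rule a given flow hits or that it falls through to the implicit default deny. The config fragment is constructed from the rules posted for 192.168.1.1 with the empty elements dropped; the NETWORKS mapping, including the 10.0.8.0/24 tunnel prefix behind "opt1", is an assumption.

```python
"""Evaluate a pfSense <filter> section against a sample flow: rules on one
interface are tried top to bottom, first match wins, unmatched traffic is
denied. Added example for this thread, not pfSense's own code."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config fragment modelled on the rules posted for 192.168.1.1
# (empty elements omitted).
CONFIG_XML = """<pfsense><filter>
<rule><type>pass</type><interface>lan</interface>
  <source><network>lan</network></source><destination><any></any></destination></rule>
<rule><type>pass</type><interface>openvpn</interface>
  <source><any></any></source><destination><any></any></destination></rule>
<rule><type>pass</type><interface>opt1</interface>
  <source><network>opt1</network></source><destination><network>lan</network></destination></rule>
<rule><type>block</type><interface>opt1</interface><protocol>tcp</protocol>
  <source><any></any></source><destination><network>lan</network></destination></rule>
</filter></pfsense>"""

# Assumed prefixes behind the interface network names used in the rules.
NETWORKS = {"lan": "192.168.1.0/24", "opt1": "10.0.8.0/24"}

def _endpoint_matches(elem, ip):
    """True if a <source> or <destination> element covers ip (absent or <any> = all)."""
    if elem is None or elem.find("any") is not None:
        return True
    net = elem.findtext("network")
    if net is not None:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(NETWORKS[net])
    addr = elem.findtext("address")
    return addr is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)

def _proto_matches(rule, proto):
    want = rule.findtext("protocol")  # no <protocol> element means any protocol
    return want is None or proto in want.split("/")  # handles "tcp/udp"

def first_match(xml_text, iface, proto, src, dst, dport=None):
    """Return (action, rule_index) of the first enabled rule on iface matching
    the flow, or ("block", None) for pfSense's implicit default deny.
    Only single destination ports are handled, not ranges."""
    root = ET.fromstring(xml_text)
    for i, rule in enumerate(root.find("filter").findall("rule")):
        if rule.find("disabled") is not None or rule.findtext("interface") != iface:
            continue
        dest = rule.find("destination")
        port = None if dest is None else dest.findtext("port")
        if not (_proto_matches(rule, proto) and _endpoint_matches(rule.find("source"), src)
                and _endpoint_matches(dest, dst) and (port is None or port == str(dport))):
            continue
        return rule.findtext("type"), i
    return "block", None
```

Traffic arriving on the openvpn interface hits the pass-any rule, while TCP arriving on opt1 from a source outside the opt1 network falls to the block rule and ICMP on opt1 falls through to the default deny.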
              TC10284

              It's working fully now.

              For some odd reason, I am unable to ping devices behind a ZyXEL HD Powerline networking device from the 192.168.1.0/24 subnet, but I can ping everything else on 192.168.2.0/24 from 192.168.1.0/24. I can ping all devices behind the ZyXEL device on the same subnet just fine.

              I think I was trying to ping devices behind that ZyXEL and getting confused because it wouldn't ping.

              Thanks for your efforts!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.